CVE-2022-29458: Understanding the Vulnerability and Exploitation Details in ncurses 6.3 Before Patch 20220416

The vulnerability identified as CVE-2022-29458 affects ncurses 6.3, the library widely used to build text-based user interfaces in terminal applications. The flaw lies in the convert_strings function in tinfo/read_entry.c in the terminfo library, in versions before patch 20220416. It is an out-of-bounds read that can end in a segmentation violation: a process that loads a malformed terminfo entry may crash, or may read adjacent memory that the entry should never have reached. The advisory describes a read, not a write, so arbitrary code execution is not among the documented outcomes.

In this long-read post, we will dive deep into the specifics of the vulnerability, understand the code snippet, and analyze potential exploitation techniques.

The Ncurses 6.3 Library

Ncurses is an open-source programming library that allows developers to create and manage text-based UI in a terminal environment. It abstracts the differences between terminal types through the terminfo database, works across platforms, and has been a standard part of Unix-like systems since the 1990s.

The Vulnerability: CVE-2022-29458

The vulnerability is an out-of-bounds read in the convert_strings function in the tinfo/read_entry.c source file. When the library parses a compiled terminfo entry whose string offsets point outside the entry's string table, it dereferences memory it does not own. The result is either a crash (segmentation violation) when the read reaches unmapped memory, or the exposure of whatever bytes happen to sit at the bad address when it does not.

The CVE entry was published on April 18, 2022. The fix had already shipped in ncurses patch 20220416, dated April 16, 2022, and is carried forward by every later patch level.

Code Snippet

Below is the excerpt, as presented in this post, of the loop in convert_strings. It is a simplified rendering of the real function, which resolves each string capability from a 16-bit offset into the entry's string table, but it shows the unsafe step: following a pointer derived from file contents and calling strlen on it.

...
static void
convert_strings(unsigned const char **data, unsigned count)
{
    unsigned char **list = (void *) data;
    unsigned const char *old_data = *data;

    /* TR and CONVERT are shown as in the post's excerpt; TR is the
     * ncurses trace macro and its message arguments are parenthesised. */
    while (count-- > 0) {
        TR(TRACE_DATABASE, ("string[%3d] @%8p", count, old_data));

        *list++ = (void *) CONVERT(old_data);
        /* strlen walks forward until it finds a NUL; nothing here
         * confirms that old_data still lies inside the entry. */
        old_data += strlen((const char *) old_data) + 1;
    }
...
}

In this function the out-of-bounds read happens at the strlen call:

old_data += strlen((const char *) old_data) + 1;

strlen scans forward until it finds a NUL byte. If old_data was derived from an offset in the file that was never checked against the bounds of the string table, the scan starts outside the table and keeps reading adjacent memory until it either finds a zero byte or reaches an unmapped page, at which point the process dies with SIGSEGV. Because the pointer is also stored into the capability list, a scan that does stop at some stray NUL leaves the caller holding a "capability string" made of unrelated process memory. The fix is to validate every offset against the table size before following it, and to require that a NUL occurs before the end of the table.
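The check below is an added example written for this post, not code from ncurses. It models the legacy compiled-terminfo layout (an array of 16-bit little-endian offsets, where -1 means an absent capability and -2 a cancelled one, followed by the string table) and contrasts a reconstruction of the pre-fix bounds test, which rejected only offsets larger than the table, with a hardened test that also rejects negative offsets and strings that are not NUL-terminated inside the table. The names read_offset, old_check_accepts, new_check_accepts and convert_strings_safe are mine, the sample table and offsets are constructed test data, and the statement that the pre-fix test let negative offsets through is my reading of the fix rather than a quotation of it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sentinel offsets for string capabilities in compiled terminfo. */
#define ABSENT_OFFSET    (-1)
#define CANCELLED_OFFSET (-2)

/* Decode offset i from a 16-bit little-endian offset array as a signed
 * value, the way the legacy format is read (hypothetical helper). */
static int16_t read_offset(const unsigned char *buf, size_t i)
{
    return (int16_t)((uint16_t)buf[2 * i] | ((uint16_t)buf[2 * i + 1] << 8));
}

/* Reconstruction of the pre-fix bounds test (not ncurses' verbatim code):
 * only offsets beyond the table are rejected, so a negative offset such as
 * 0x8000 (-32768) is accepted and turns into a pointer before the table.
 * The NUL scan that followed is then the out-of-bounds read. */
static int old_check_accepts(int16_t off, int size)
{
    if (off == ABSENT_OFFSET || off == CANCELLED_OFFSET)
        return 0;
    return off <= size;
}

/* Hardened test: the offset must lie in [0, size) and a NUL must occur
 * before the table ends, so no byte outside the table is ever touched. */
static int new_check_accepts(int16_t off, int size, const char *table)
{
    if (off == ABSENT_OFFSET || off == CANCELLED_OFFSET)
        return 0;
    if (off < 0 || off >= size)
        return 0;
    return memchr(table + off, '\0', (size_t)(size - off)) != NULL;
}

/* Resolve count string capabilities. out[i] gets a pointer into table, or
 * NULL for absent, cancelled or invalid entries. Returns how many entries
 * were rejected as corrupt (negative, out of range or unterminated). */
static int convert_strings_safe(const unsigned char *buf, size_t count,
                                const char *table, int size,
                                const char **out)
{
    int corrupt = 0;
    for (size_t i = 0; i < count; i++) {
        int16_t off = read_offset(buf, i);
        if (new_check_accepts(off, size, table)) {
            out[i] = table + off;
        } else {
            out[i] = NULL;
            if (off != ABSENT_OFFSET && off != CANCELLED_OFFSET)
                corrupt++;
        }
    }
    return corrupt;
}

/* Constructed sample, not a real terminfo entry: a 13-byte string table
 * whose last string lacks its NUL, and seven offsets mixing valid,
 * sentinel, negative and end-of-table values. */
#define SAMPLE_SIZE  13
#define SAMPLE_COUNT 7
static const char sample_table[] = "xterm\0\033[H\0abc";
static const unsigned char sample_offsets[2 * SAMPLE_COUNT] = {
    0x00, 0x00, /* 0      -> "xterm" */
    0x06, 0x00, /* 6      -> "\033[H" */
    0x0a, 0x00, /* 10     -> "abc": no NUL before end of table */
    0xff, 0xff, /* -1     -> absent capability */
    0x00, 0x80, /* -32768 -> negative: old test accepts, pointer before table */
    0x0d, 0x00, /* 13     -> equal to size: one past the table */
    0xfe, 0xff, /* -2     -> cancelled capability */
};

/* Resolve the sample and return the i-th result (pointer or NULL). */
static const char *sample_string(size_t i)
{
    const char *out[SAMPLE_COUNT];
    convert_strings_safe(sample_offsets, SAMPLE_COUNT, sample_table,
                         SAMPLE_SIZE, out);
    return i < SAMPLE_COUNT ? out[i] : NULL;
}

/* Number of corrupt entries the hardened check finds in the sample. */
static int sample_corrupt_count(void)
{
    const char *out[SAMPLE_COUNT];
    return convert_strings_safe(sample_offsets, SAMPLE_COUNT, sample_table,
                                SAMPLE_SIZE, out);
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        int16_t off = read_offset(sample_offsets, i);
        printf("entry %zu offset %6d  pre-fix:%-6s  fixed:%s\n", i, (int)off,
               old_check_accepts(off, SAMPLE_SIZE) ? "accept" : "reject",
               sample_string(i) ? "accept" : "reject");
    }
    printf("%d corrupt entries rejected\n", sample_corrupt_count());
    return 0;
}
```

Entry 4 is the interesting row: the pre-fix comparison accepts -32768 because it is not greater than the table size, and any scan from table - 32768 reads memory the entry never owned. The hardened path rejects it, along with the unterminated string at offset 10 and the offset equal to the table size, without ever dereferencing a pointer it has not bounded first.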

Exploit Details

An attacker exploits this by crafting a compiled terminfo entry whose string offsets fall outside the string table, and getting a process linked against an unpatched ncurses to load it. ncurses locates an entry by the TERM name, searching directories such as the one named by TERMINFO, the TERMINFO_DIRS list, ~/.terminfo and the system terminfo tree, so the attacker needs to place the crafted file somewhere on that search path, or to control TERM in the target's environment so that a crafted entry is selected; the code in tinfo/read_entry.c then runs on the attacker's data.

Because the terminfo database is read from the local filesystem, this is a local issue rather than a remote one. The realistic impact is crashing, or reading memory from, a process that loads a terminfo entry from a directory the attacker can write to, for example a service or another user's program whose terminfo search path the attacker influences. Nothing published about this bug supports remote code execution.

Mitigation

The ncurses maintainers addressed the vulnerability in patch 20220416. Users and developers are advised to update to that patch level or later; on a packaged system, check the patch date the package reports (it appears in the version string, for example 6.3.20220416, and as NCURSES_VERSION_PATCH in curses.h) rather than the bare 6.3 release number, since 6.3 alone says nothing about whether the fix is present.

Conclusion

Understanding the implications of CVE-2022-29458 is crucial for developers who utilize the ncurses library in their terminal applications. To ensure the security of applications, it is essential to remain informed about known vulnerabilities and apply patches as soon as they are available.

If you're a developer working with the ncurses library, keep a close eye on the official ncurses website for updates and announcements related to security or fixes.

As a user, it is important to maintain up-to-date software versions, even in low-level libraries such as this. By staying informed and acting proactively, you can help protect yourself and others from potential security exploits.

Timeline

Published on: 04/18/2022 21:15:00 UTC
Last modified on: 04/27/2022 13:14:00 UTC