If you think environment variables and dotfiles are harmless, think again. CVE-2023-29491 is a security vulnerability in the popular ncurses library, and it’s a classic example of why local file handling and setuid programs need extra caution. In this post, we’ll break down how this bug works, demonstrate a possible exploitation, and offer some practical mitigation advice.
What Is ncurses?
ncurses is a library that programmers use to create text-based interfaces in terminals (think: colorful menus in command-line apps). It’s shipped with most Linux and UNIX-like systems.
What’s the Issue? (CVE-2023-29491)
In all versions of ncurses before 6.4 20230408, when the library is used by a setuid (privileged) application, a local attacker can trick it into reading a malicious terminfo database file. When ncurses loads this file (from $HOME/.terminfo or paths set by TERMINFO/TERM), certain corrupted fields can cause memory corruption—potentially letting the attacker execute code or crash the app.
The bug was reported and tracked under CVE-2023-29491.
Terminal capabilities on UNIX are described by *terminfo* files. These can come from
- System directories (usually /usr/share/terminfo/)
- User's home directory ($HOME/.terminfo)
Paths manually set in the TERMINFO or TERM environment variables
A setuid application running as root (but launched by a regular user) can end up reading terminfo files the user controls.
The Vulnerable Process
1. User prepares a malicious terminfo file in their home directory ($HOME/.terminfo/...).
2. User runs a setuid application that links against ncurses (such as sudo or a text-based installer).
3. ncurses reads the user-controlled terminfo file during startup, as directed by env vars/lookup rules.
4. Malformed data in the file causes ncurses to corrupt memory, which is especially dangerous since the program is running as root.
Creating a Malicious terminfo Directory and File
Suppose you want to trick a setuid app that uses the "xterm" terminfo entry. You can make ncurses load your file:
mkdir -p $HOME/.terminfo/x
echo -ne '\x1b[31mMalicious\\xff\xff\xff[FUZZ]\x00\x00\x00' > $HOME/.terminfo/x/xterm
*(This is a simplified, not fully functional example—a real exploit would require deeper knowledge of the binary format and what fields trigger the bug.)*
Forcing the Application to Use It
You could set the TERM or TERMINFO environment variable before invoking a setuid binary (practically, many setuid apps restrict these, but it’s not universal):
export TERMINFO=$HOME/.terminfo
some_setuid_program
Or simply set TERM=xterm, if your dotfile is in place.
Exploit Potential
- Memory corruption bugs in setuid apps can be used to *escalate privileges*—potentially letting a regular user execute code as root.
- The exploitability depends on the layout and error-handling in the target program, and the attacker’s ability to control the environment.
Here's a heavily simplified look at what happens inside ncurses
char *dir = getenv("TERMINFO");
if (!dir)
dir = getenv("HOME");
char *term_path = find_terminfo_entry(dir, term_type);
FILE *fp = fopen(term_path, "rb");
if (!fp) error();
char buffer[4096];
fread(buffer, 1, sizeof(buffer), fp);
parse_terminfo(buffer); // This function fails to check boundaries...
A malicious terminfo file can now overflow buffer or confuse parse_terminfo() into unsafe operations.
Real-World References
- CVE-2023-29491 at NVD
- Upstream Fix Announcement
- ncurses 6.4 Release Notes
Upgrade ncurses to 6.4 20230408 or newer. Major distros have shipped this fix.
- Setuid applications should use *secure* environment sanitization—ignore TERMINFO and never load user-writable files.
Final Thoughts
CVE-2023-29491 proves that even the most boring startup files and env vars can hide big risks, especially with privileged programs. If you write or package setuid tools using ncurses, audit how they handle user environment and local files!
Want to dig deeper?
- ncurses source code
- How Terminfo Works (TLDP)
Timeline
Published on: 04/14/2023 01:15:00 UTC
Last modified on: 05/17/2023 20:15:00 UTC