A critical security vulnerability has been reported in versions of ncurses before 6.4 20230408. The flaw affects setuid applications that utilize ncurses, and it exposes these applications to the threat of memory corruption caused by malformed data in terminfo database files. The corrupted files are either found in the user's $HOME/.terminfo directory or reached via the TERMINFO or TERM environment variables. Local users exploiting this vulnerability are able to compromise the security of these setuid applications.

What is ncurses?
Ncurses (New Curses) is a programming library that provides terminal-independent methods for updating character screens with minimal terminal output. It is often employed by text-based applications to control the positioning of text, colors, and other attributes on a user's terminal screen. Ncurses serves as an essential component in many command-line applications, such as editors, file managers, and system utilities.

Exploit Details

To exploit this vulnerability, a local user could inject maliciously crafted data into a terminfo database file. This malformed data is then read by a setuid application that uses ncurses, ultimately causing memory corruption within the application. The exploit may result in undesirable behavior or complete compromise of the affected setuid application.

Here's a simple code snippet demonstrating how to corrupt a terminfo database file:

```shell
# Navigate to the user's .terminfo directory
cd "$HOME/.terminfo"

# Create or edit a terminfo database file
nano my_terminfo

# Inject corrupted data
echo -e "---malformed-data---" >> my_terminfo

# Set environment variable
export TERMINFO=my_terminfo

# Run the setuid application
./vulnerable_setuid_app
```

How to Protect Against This Vulnerability

To mitigate the risks associated with this security flaw, the first line of defense is upgrading ncurses to version 6.4 20230408 or later. By doing so, the memory corruption vulnerability can be resolved, substantially reducing the security risks posed by this issue.

Additionally, administrators should ensure that setuid applications are designed to validate and sanitize the data they read from terminfo database files. Such precautions will help prevent the exploitation of any similar vulnerabilities that might be discovered in the future.
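
As an added triage aid for the two mitigation steps above (example code written for this page, not taken from the advisory or the ncurses project), the following shell helpers check a reported ncurses version against the fixed release 6.4 20230408, list the user-controlled terminfo locations named in the advisory that are active in the current environment, and find setuid executables that dynamically link ncurses. The function names are hypothetical, and the last helper assumes binutils `readelf` is installed.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2023-29491 (names are hypothetical).
# The fixed release, 6.4 20230408, is the one stated in the advisory text.

# ncurses_is_patched VERSION
# Accepts "ncurses 6.4.20230408" (the form printed by `tic -V`),
# "6.4.20230408" or "6.4 20230408".
# Returns 0 if at or after the fix, 1 if older, 2 if unparseable.
ncurses_is_patched() {
    v=$(printf '%s' "$1" | sed -e 's/^ncurses  *//' -e 's/ /./g')
    case $v in *.*.*) ;; *) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    for part in "$major" "$minor" "$patch"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -gt 6 ] && return 0
    [ "$major" -lt 6 ] && return 1
    [ "$minor" -gt 4 ] && return 0
    [ "$minor" -lt 4 ] && return 1
    [ "$patch" -ge 20230408 ]
}

# user_terminfo_sources
# Prints the user-controlled terminfo locations that are active in the
# current environment, one per line. Empty output means none were found.
user_terminfo_sources() {
    [ -n "${TERMINFO:-}" ] && echo "TERMINFO=$TERMINFO"
    [ -n "${HOME:-}" ] && [ -d "$HOME/.terminfo" ] && echo "$HOME/.terminfo"
    return 0
}

# setuid_ncurses_binaries DIR
# Lists setuid executables under DIR that dynamically link libncurses or
# libtinfo. Statically linked copies of ncurses are not detected.
setuid_ncurses_binaries() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        if readelf -d "$f" 2>/dev/null |
            grep -Eq 'NEEDED.*lib(ncursesw?|tinfow?)\.so'; then
            echo "$f"
        fi
    done
}
```

Typical use is `ncurses_is_patched "$(tic -V)"` followed by `setuid_ncurses_binaries /usr`. Distribution packages may backport the fix without changing the reported version, so an "older" result should be confirmed against the vendor's package changelog.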

In conclusion, the security vulnerability identified as CVE-2023-29491 presents a critical risk to setuid applications employing ncurses prior to version 6.4 20230408. By promptly applying the prescribed mitigation measures, administrators can safeguard their systems against potential exploitation. As always, it is essential to maintain up-to-date software and follow best practices in application design to ensure robust protection against future vulnerabilities.

Timeline

Published on: 04/14/2023 01:15:00 UTC
Last modified on: 05/17/2023 20:15:00 UTC