Ncurses Retro Library Linked to Linux and MacOS Hacking

Recently, Microsoft researchers disclosed a set of memory corruption vulnerabilities in the ncurses library that attackers could exploit to execute malicious code on vulnerable Linux and macOS systems.

ncurses is a software library released in 1993 that is widely used to build text-based user interfaces. It provides an API for creating interfaces that work across different terminals and systems, including Unix-like operating systems such as Linux and macOS. The library lets programmers control individual characters, lines, and other elements on the screen, improving user interaction in text mode.

In a technical report published today, researchers from Microsoft Threat Intelligence showed that attackers can use a technique known as “environment variable poisoning” to escalate privileges and execute arbitrary code in the context of the target program.

The vulnerabilities are tracked under the single identifier CVE-2023-29491 and carry a CVSS severity score of 7.8. According to the ncurses website, the issues were addressed on April 8, 2023. Microsoft also worked with Apple to resolve the macOS-specific instances of these vulnerabilities.

Environment variables are user-controlled values that multiple programs on a system can read. Manipulating them can cause applications to perform operations they were never meant to perform.

During a code audit, Microsoft researchers identified several environment variable handling issues in the ncurses library, including with the TERMINFO variable. By “poisoning” this variable and exploiting the vulnerabilities described above, attackers can gain elevated privileges.
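As an added illustration that is not part of the original report: a small Python audit that flags TERMINFO and TERMINFO_DIRS values pointing outside the usual system terminfo directories, and a helper that strips those variables before a privileged ncurses-linked program is launched. The trusted-directory list and the sample environment are assumptions constructed for this example.

```python
import os
import stat
from typing import Dict, List

# Assumption: the terminfo directories a standard distribution ships.
# Anything outside this set deserves a second look before a privileged
# program links against ncurses with that environment.
TRUSTED_TERMINFO_DIRS = {
    "/usr/share/terminfo",
    "/usr/lib/terminfo",
    "/lib/terminfo",
    "/etc/terminfo",
}

# The two variables ncurses consults to locate terminal descriptions.
TERMINFO_VARS = ("TERMINFO", "TERMINFO_DIRS")


def audit_terminfo_env(env: Dict[str, str], check_fs: bool = False) -> List[str]:
    """Return findings for TERMINFO-related variables in `env`.

    TERMINFO_DIRS is colon-separated; TERMINFO is a single path. With
    check_fs=True, existing directories are also tested for group/world
    write permission, which would let any local user drop a description.
    """
    findings: List[str] = []
    for var in TERMINFO_VARS:
        value = env.get(var)
        if value is None:
            continue
        for path in value.split(":"):
            if path == "":
                continue  # empty element: nothing for us to inspect
            if not path.startswith("/"):
                findings.append(f"{var}: relative path {path!r}")
            elif path not in TRUSTED_TERMINFO_DIRS:
                findings.append(f"{var}: non-standard directory {path!r}")
            if check_fs and os.path.isdir(path):
                mode = os.stat(path).st_mode
                if mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append(f"{var}: {path!r} is group/world writable")
    return findings


def scrub_terminfo_env(env: Dict[str, str]) -> Dict[str, str]:
    """Copy of `env` with terminfo lookup variables removed (for privileged helpers)."""
    return {k: v for k, v in env.items() if k not in TERMINFO_VARS}


# Constructed sample environment: TERMINFO points at a world-writable scratch dir.
SAMPLE_ENV = {"TERM": "xterm-256color", "TERMINFO": "/tmp/ti", "HOME": "/home/alice"}
```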

The vulnerabilities discovered include a stack information leak, parameterized string type confusion, an off-by-one error, and a heap out-of-bounds access.

The researchers stress that taking control of a program through these memory corruption vulnerabilities requires a multi-stage attack.
