During its research, Microsoft discovered that during initialization ncurses library searches for several environment variables including TERMINFO, an environment variable for terminal databases. TERMINFO can be poisoned (manipulated) to point to an arbitrary directory to potentially exploit ncurses vulnerabilities. HOME, another environment variable used by ncurses can be poisoned with similar techniques.
“Every modern operating system contains a set of environment variables that might affect the behavior of programs,” Microsoft said. “A well-known technique for attackers is to manipulate those environment variables to cause programs to perform actions that would benefit their malicious purposes, hence ‘poisoning’ them.”
Vulnerabilities found in version 6.4 and earlier
Microsoft said that it found the vulnerabilities in the ncurses library through code auditing and fuzzing. It also attributed contributions from Gergely Kalman who assisted Microsoft privately on Twitter in advancing the research with several use cases.
Microsoft noted that while the auditing was performed on the latest version of ncurses, release 6.4, earlier versions of the library may also carry a few or all these vulnerabilities.
“It’s interesting to note that while the version of ncurses we checked was 6.4 (latest at the time of research), the ncurses version on macOS was 5.7, but had several security-related patches maintained by Apple,” Microsoft said. “Nevertheless, all our findings are true for all ncurses versions, thus affecting both Linux and macOS.”
Microsoft has recommended using Microsoft Defender for detecting and protecting against potential abuse of TERMINFO databases on both Linux and macOS.