How ncurses Environment Variable Bugs Can Escalate Privileges on macOS and Linux
The recent discovery of CVE‑2023‑29491 reveals that the long‑standing ncurses library contains environment‑variable poisoning flaws that allow attackers to gain elevated privileges on macOS and Linux systems, prompting urgent updates and mitigation guidance.
21CTO Guide: The ncurses extension library has environment‑variable privilege‑escalation vulnerabilities that developers need to be aware of and fix.
Background
On September 14, Microsoft issued an alert stating that the widely used ncurses library in macOS and Linux contains a critical vulnerability.
ncurses, a 30-year-old library whose name means "new curses," provides APIs for building text user interfaces (TUIs) and console applications that look graphical, and it is deployed across major operating systems.
The disclosed flaw (CVE-2023-29491) can cause memory corruption and has a CVSS score of 7.8 (high severity). Microsoft is working with Apple to fix the macOS-specific issue.
Microsoft threat‑intelligence researchers Jonathan Bar Or, Emanuele Cozzi, and Michael Pearse reported that by poisoning environment variables, attackers can exploit these bugs to gain elevated privileges, execute code in the program’s context, or perform other malicious actions.
ncurses flaw enables environment‑variable poisoning
Environment variables are user-defined values that many programs read and that can influence system behavior; manipulating them can cause a program to take unauthorized actions.
Microsoft noted that ncurses relies on a terminal database (terminfo) that keeps programs independent of the specific terminal in use and gives the library key information about the active terminal.
Code review and fuzz testing revealed that ncurses consults several environment variables, including TERMINFO, which can be hijacked to point to an arbitrary directory and, combined with the discovered bugs, lead to privilege escalation.
The vulnerabilities include stack information leaks, type confusion in string handling, out-of-bounds reads during terminfo parsing, and string-based denial-of-service conditions.
HOME is another environment variable used by ncurses that can be similarly poisoned.
Microsoft emphasized that every modern OS includes environment variables that can affect program behavior, and attackers commonly manipulate these to force programs to act in their favor.
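The following C sketch is an added example, not code from ncurses, Microsoft, or the original article: it shows one way a set-uid or set-gid program could reset the terminfo lookup variables before it initializes ncurses. The function names are hypothetical; TERMINFO_DIRS, TERMCAP and TERMPATH are lookup variables documented by ncurses but not named in the article, and repointing HOME at the effective user's home directory is an assumption about what the program wants.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Lookup variables ncurses documents for locating terminal descriptions.
 * TERMINFO and HOME are named in the article; the others are added here. */
static const char *const TERMINFO_VARS[] = {
    "TERMINFO", "TERMINFO_DIRS", "TERMCAP", "TERMPATH"
};

/* True when the process holds more privilege than the user who started it
 * (set-uid or set-gid execution). */
int is_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Drop caller-supplied terminfo lookup paths. Returns the number of
 * variables changed. Call before initscr() or setupterm(). */
int scrub_terminfo_env(int elevated)
{
    int changed = 0;
    if (!elevated)
        return 0;                /* ordinary run: honour the user's settings */
    for (size_t i = 0; i < sizeof TERMINFO_VARS / sizeof TERMINFO_VARS[0]; i++) {
        if (getenv(TERMINFO_VARS[i]) != NULL) {
            unsetenv(TERMINFO_VARS[i]);
            changed++;
        }
    }
    /* HOME selects ~/.terminfo. Point it at the home of the identity the
     * process is acting as, or remove it if that account has none. */
    const char *home = getenv("HOME");
    if (home != NULL) {
        struct passwd *pw = getpwuid(geteuid());
        const char *safe = (pw && pw->pw_dir && pw->pw_dir[0] == '/') ? pw->pw_dir : NULL;
        if (safe == NULL) { unsetenv("HOME"); changed++; }
        else if (strcmp(home, safe) != 0) { setenv("HOME", safe, 1); changed++; }
    }
    return changed;
}

int main(void)
{
    int n = scrub_terminfo_env(is_elevated(getuid(), geteuid(), getgid(), getegid()));
    printf("terminfo-related variables reset: %d\n", n);
    return 0;
}
```

Resetting the environment limits the attacker-controlled input that reaches the parser; it does not replace installing the patched library.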
Vulnerabilities found in 6.4 and earlier versions
The discovery was aided by contributions from Gergely Kalman, who privately assisted Microsoft with multiple use‑case investigations.
Although the audit focused on ncurses 6.4, earlier versions may also contain some or all of these issues.
Microsoft observed that while the version examined was 6.4, macOS ships ncurses 5.7 with several Apple‑maintained security patches; nevertheless, the findings apply to all ncurses versions, affecting both Linux and macOS.
Microsoft recommends using Microsoft Defender to detect and prevent potential TERMINFO database abuse on Linux and macOS.
Security updates have been released, and developers and users are strongly urged to apply them.
Official Microsoft blog post: https://www.microsoft.com/en-us/security/blog/2023/09/14/uncursing-the-ncurses-memory-corruption-vulnerabilities-found-in-library/
