CVE ID | CVE-2018-10754 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu) |
Other ID(s) |
Affected Package(s) | ncurses |
Deficiency Type | SECURITY |
Date Created | 2018-05-05 11:31:21 |
Date Last Modified | 2018-05-06 14:07:17 |
Cucumber 1.0 i686 | waiting for upstream to publish patch |
Cucumber 1.0 x86_64 | waiting for upstream to publish patch |
Cucumber 1.1 i686 | waiting for upstream to publish patch |
Cucumber 1.1 x86_64 | waiting for upstream to publish patch |
=================================== Overview ===================================

In ncurses before 6.1.20180414, there is a NULL Pointer Dereference in the
_nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote
denial of service if the terminfo library code is used to process untrusted
terminfo data in which a use-name is invalid syntax.

================================ Initial Report ================================

From https://docs.google.com/document/d/1igKyS1mUnu1Cmy87QWIYxhhpHB6kn-Uh821RwmedgyY/edit:

Triggered by ./tic POC

Description of problem:

Version-Release number of selected component (if applicable):
ncurses 6.1.20180407

How reproducible:
./tic POC

Steps to Reproduce:

The output information is as follows:

./tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=?:tc=t???????????????????????????????????
. . .
"POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z'
"POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t#
"POC", line 2, col 21, terminal 'invalid': Illegal character - '^H'
"POC", line 2, col 21, terminal 'invalid': unknown capability 't'
"POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H'
"POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t
Segmentation fault (core dumped)

GDB debugging information is as follows:

(gdb) set args POC
(gdb) r
Starting program: /home/afl/software/fuzzing-benchmarks/ncurses/progs/tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=?:tc=t???????????????????????????????????
. . .
"POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z'
"POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t#
"POC", line 2, col 21, terminal 'invalid': Illegal character - '^H'
"POC", line 2, col 21, terminal 'invalid': unknown capability 't'
"POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H'
"POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t

Program received signal SIGSEGV, Segmentation fault.
__strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
32      ../sysdeps/x86_64/multiarch/../strchr.S: No such file or directory.
(gdb) bt
#0  __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
#1  0x00000000004babde in _nc_parse_entry (entryp=entryp@entry=0x7fffffffaed0, literal=literal@entry=0, silent=silent@entry=false) at ../ncurses/./tinfo/parse_entry.c:547
#2  0x00000000004a421c in _nc_read_entry_source (fp=, buf=buf@entry=0x0, literal=literal@entry=0, silent=silent@entry=false, hook=hook@entry=0x406520 ) at ../ncurses/./tinfo/comp_parse.c:225
#3  0x00000000004040b0 in main (argc= , argv= ) at ../progs/tic.c:961
(gdb) list ../ncurses/./tinfo/parse_entry.c:547
542         /*
543          * Otherwise, look for a base entry that will already
544          * have picked up defaults via translation.
545          */
546         for (i = 0; i < entryp->nuses; i++)
547             if (!strchr((char *) entryp->uses[i].name, '+'))
548                 has_base_entry = TRUE;
549     }
550
551     postprocess_termcap(&entryp->tterm, has_base_entry);
(gdb) info all-registers
rax            0x0      0
rbx            0x0      0
rcx            0x0      0
rdx            0x0      0
rsi            0x2b     43
rdi            0x0      0
rbp            0x7fffffffaf38   0x7fffffffaf38
rsp            0x7fffffffae48   0x7fffffffae48
r8             0xfcff00000000   278172146860032
r9             0x0      0
r10            0x7fffffffaf20   140737488334624
r11            0x714300 7422720
r12            0x1      1
r13            0x7fffffffaf38   140737488334648
r14            0x0      0
r15            0x7fffffffaed0   140737488334544
rip            0x7ffff7a96ad3   0x7ffff7a96ad3 <__strchr_sse2+35>
eflags         0x10283  [ CF SF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
st0            0        (raw 0x00000000000000000000)
st1            0        (raw 0x00000000000000000000)
st2            0        (raw 0x00000000000000000000)
st3            0        (raw 0x00000000000000000000)
st4            0        (raw 0x00000000000000000000)
st5            0        (raw 0x00000000000000000000)
---Type  to continue, or q to quit---
st6            0        (raw 0x00000000000000000000)
st7            0        (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0

Actual results:
crash

Expected results:
crash

Additional info:
The crash can be reproduced by the attached file:
https://drive.google.com/file/d/1v8vLrM9bLTzRkJEC30ASpzXHF-p9_D7x/view

================================= Our Analysis =================================

----- Affected Products -----

Versions of ncurses 6.1 prior to patch20180414 are vulnerable. This includes
ncurses as originally packaged in Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----

Allows for a remote attacker to cause a denial of service (application crash)
when parsing specially crafted terminfo data.

----- Testing if you are Affected -----

1. Download the zip file from
   https://drive.google.com/file/d/1v8vLrM9bLTzRkJEC30ASpzXHF-p9_D7x/view.
2. Extract it.
3. Run `tic POC`.

If tic crashes with a crash message similar to the one indicated above, then
your ncurses is vulnerable.
----- Fix for this Vulnerability -----

This vulnerability has reportedly been fixed in
https://github.com/mirror/ncurses/commit/b93d96b78ac5250135975df892cee793dc3c0797;
however, this patch cannot easily be backported to earlier versions of ncurses.

================================= Our Solution =================================

We are waiting for someone (maybe upstream; we'll see if they feel like it) to
publish a proper patch.
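The backtrace and register dump above pin the crash down: strchr is entered with rdi == 0, i.e. the loop at parse_entry.c:547 hands it a use-name pointer that the parser never filled in. The following C is an added illustration of that defect and of a defensive form of the loop; it is not ncurses code and not the upstream commit's fix. The `struct entry` / `struct use_ref` types are a hypothetical stand-in for the real ENTRY layout, and `has_base_entry_checked` is a hypothetical name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the fields of ncurses' ENTRY that the
 * crashing loop touches (not the real struct layout). */
struct use_ref { const char *name; };
struct entry {
    int nuses;
    struct use_ref uses[8];
};

/* Same shape as the loop quoted at parse_entry.c:547: any use-name that
 * does not contain '+' marks the entry as having a base entry. A NULL
 * use-name is passed straight to strchr, which is the SIGSEGV in the
 * report (rdi == 0 in the register dump). */
static bool has_base_entry_unchecked(const struct entry *e) {
    bool has_base = false;
    for (int i = 0; i < e->nuses; i++)
        if (!strchr(e->uses[i].name, '+'))
            has_base = true;
    return has_base;
}

/* Defensive variant (illustrative; not the upstream patch): a use-name
 * that was never filled in is skipped instead of dereferenced, and
 * *malformed is set so the caller can reject the entry rather than
 * postprocess it as if it were well-formed. */
static bool has_base_entry_checked(const struct entry *e, int *malformed) {
    bool has_base = false;
    *malformed = 0;
    for (int i = 0; i < e->nuses; i++) {
        const char *name = e->uses[i].name;
        if (name == NULL) {
            *malformed = 1;
            continue;
        }
        if (!strchr(name, '+'))
            has_base = true;
    }
    return has_base;
}

int main(void) {
    /* Constructed inputs: a well-formed use list and one with a missing name. */
    struct entry ok  = { 2, { { "vt100+keypad" }, { "ansi" } } };
    struct entry bad = { 2, { { "ansi" }, { NULL } } };
    int m;
    bool base;

    base = has_base_entry_checked(&ok, &m);
    printf("ok:  base=%d malformed=%d\n", base, m);
    base = has_base_entry_checked(&bad, &m);
    printf("bad: base=%d malformed=%d\n", base, m);
    /* has_base_entry_unchecked(&bad) would dereference NULL in strchr,
     * reproducing the crash shape from the report; only the well-formed
     * list is safe to pass to it. */
    printf("ok (unchecked): base=%d\n", has_base_entry_unchecked(&ok));
    return 0;
}
```

For a system where the upstream patch cannot be applied, the practical check is the one in the advisory: run `tic` against the attached file and see whether it segfaults. Whatever form the real fix takes, the property to look for is that a use-name which failed to parse is never handed to strchr.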