CLD-382 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-10754 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) ncurses
Deficiency Type SECURITY
Date Created 2018-05-05 11:31:21
Date Last Modified 2018-05-06 14:07:17

Version Specific Information:

Cucumber 1.0 i686 waiting for upstream to publish patch
Cucumber 1.0 x86_64 waiting for upstream to publish patch

Cucumber 1.1 i686 waiting for upstream to publish patch
Cucumber 1.1 x86_64 waiting for upstream to publish patch

Details:

=================================== Overview ===================================

In ncurses before 6.1.20180414, there is a NULL Pointer Dereference in the
_nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote
denial of service if the terminfo library code is used to process untrusted
terminfo data in which a use-name is invalid syntax. 

================================ Initial Report ================================

From 
https://docs.google.com/document/d/1igKyS1mUnu1Cmy87QWIYxhhpHB6kn-Uh821RwmedgyY/edit:

Triggered by ./tic POC

Description of problem:


Version-Release number of selected component (if applicable):

ncurses 6.1.20180407

How reproducible:

./tic POC

Steps to Reproduce:

The output information is as follows:
./tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=?:tc=t???????????????????????????????????
.
.
.
"POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z'
"POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t#
"POC", line 2, col 21, terminal 'invalid': Illegal character - '^H'
"POC", line 2, col 21, terminal 'invalid': unknown capability 't'
"POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H'
"POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t
Segmentation fault (core dumped)

GDB debugging information is as follows:
(gdb) set args POC
(gdb) r
Starting program: /home/afl/software/fuzzing-benchmarks/ncurses/progs/tic POC
"POC", line 1, col 4095: dubious character `[' in name or alias field
"POC", line 1, col 4095: invalid entry name "t:@txXt:t[tc=?:tc=t???????????????????????????????????
.
.
.
"POC", line 1, col 4096, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - 'M-z'
"POC", line 2, col 19, terminal 'invalid': Too much data, some is lost: t#
"POC", line 2, col 21, terminal 'invalid': Illegal character - '^H'
"POC", line 2, col 21, terminal 'invalid': unknown capability 't'
"POC", line 2, col 22, terminal 'invalid': Illegal character (expected alphanumeric or @%&*!#) - '^H'
"POC", line 3, col 9, terminal 'invalid': Too much data, some is lost: t

Program received signal SIGSEGV, Segmentation fault.
__strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
32    ../sysdeps/x86_64/multiarch/../strchr.S: No such file or directory.

(gdb) bt
#0  __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
#1  0x00000000004babde in _nc_parse_entry (entryp=entryp@entry=0x7fffffffaed0, literal=literal@entry=0, 
    silent=silent@entry=false) at ../ncurses/./tinfo/parse_entry.c:547
#2  0x00000000004a421c in _nc_read_entry_source (fp=, buf=buf@entry=0x0, 
    literal=literal@entry=0, silent=silent@entry=false, hook=hook@entry=0x406520 )
    at ../ncurses/./tinfo/comp_parse.c:225
#3  0x00000000004040b0 in main (argc=, argv=) at ../progs/tic.c:961

(gdb) list ../ncurses/./tinfo/parse_entry.c:547
542            /*
543             * Otherwise, look for a base entry that will already
544             * have picked up defaults via translation.
545             */
546            for (i = 0; i < entryp->nuses; i++)
547                if (!strchr((char *) entryp->uses[i].name, '+'))
548                has_base_entry = TRUE;
549            }
550    
551            postprocess_termcap(&entryp->tterm, has_base_entry);

(gdb) info all-registers 
rax            0x0    0
rbx            0x0    0
rcx            0x0    0
rdx            0x0    0
rsi            0x2b    43
rdi            0x0    0
rbp            0x7fffffffaf38    0x7fffffffaf38
rsp            0x7fffffffae48    0x7fffffffae48
r8             0xfcff00000000    278172146860032
r9             0x0    0
r10            0x7fffffffaf20    140737488334624
r11            0x714300    7422720
r12            0x1    1
r13            0x7fffffffaf38    140737488334648
r14            0x0    0
r15            0x7fffffffaed0    140737488334544
rip            0x7ffff7a96ad3    0x7ffff7a96ad3 <__strchr_sse2+35>
eflags         0x10283    [ CF SF IF RF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
st0            0    (raw 0x00000000000000000000)
st1            0    (raw 0x00000000000000000000)
st2            0    (raw 0x00000000000000000000)
st3            0    (raw 0x00000000000000000000)
st4            0    (raw 0x00000000000000000000)
st5            0    (raw 0x00000000000000000000)
---Type  to continue, or q  to quit---
st6            0    (raw 0x00000000000000000000)
st7            0    (raw 0x00000000000000000000)
fctrl          0x37f    895
fstat          0x0    0
ftag           0xffff    65535
fiseg          0x0    0
fioff          0x0    0
foseg          0x0    0
fooff          0x0    0
fop            0x0    0


Actual results:

crash

Expected results:

crash

Additional info:

The crash can be reproduced by the attached file:
https://drive.google.com/file/d/1v8vLrM9bLTzRkJEC30ASpzXHF-p9_D7x/view

================================= Our Analysis =================================

----- Affected Products -----
Versions of ncurses 6.1 prior to patch20180414 are vulnerable. This includes
ncurses as originally packated in Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
Allows for a remote attacker to cause a denial of service (application crash)
when parsing specially crafted terminfo data.

----- Testing if you are Affected -----
1. Download the zip file from
   https://drive.google.com/file/d/1v8vLrM9bLTzRkJEC30ASpzXHF-p9_D7x/view.
2. Extract it.
3. Run `tic POC`.
If tic crashes with a crash message similar to the one indicated above, then
your ncurses is vulnerable.

----- Fix for this Vulnerability -----
This vulnerability has reportedly been fixed in
https://github.com/mirror/ncurses/commit/b93d96b78ac5250135975df892cee793dc3c0797;
however, this patch cannot easily be backported to earlier versions of ncurses.

================================= Our Solution =================================

We are waiting for someone (maybe upstream; we'll see if they feel like it) to
publish a proper patch.