CVE-2017-13728 in ncurses
Summary
by MITRE
There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/10/2021
The vulnerability identified as CVE-2017-13728 represents a critical denial of service flaw within the ncurses library version 6.0, specifically within the libtic component responsible for terminal initialization and capability handling. This issue manifests in the next_char function located in the comp_scan.c source file, where improper input validation leads to a condition that can result in an infinite loop during terminal capability processing. The flaw is particularly concerning because it can be triggered through remote input manipulation, making it exploitable in networked environments where ncurses is utilized for terminal handling operations.
The technical root cause of this vulnerability stems from inadequate boundary checking and input validation within the next_char function, which processes terminal capability descriptions during the compilation of terminfo files. When a maliciously crafted input is processed, the function fails to properly terminate its iteration loop, causing the system to enter an infinite loop state where processing becomes unresponsive. This behavior aligns with CWE-835, which describes the weakness of an infinite loop or other endless iteration in software systems. The vulnerability specifically affects the terminal capability compiler (tic) component of ncurses, which is responsible for converting terminal descriptions from source format to compiled binary format, making it a core component in terminal handling across numerous Unix-like systems.
The operational impact of CVE-2017-13728 extends beyond simple service disruption, as it can be leveraged by remote attackers to perform denial of service attacks against systems utilizing ncurses. This vulnerability affects systems where terminal capability files are processed, including but not limited to login systems, terminal emulators, and applications that rely on ncurses for user interface rendering. The infinite loop condition consumes system resources continuously, potentially leading to system instability, resource exhaustion, and complete service unavailability. Attackers can exploit this vulnerability by providing specially crafted terminal capability descriptions that trigger the problematic code path, making it particularly dangerous in environments where users can influence terminal input or where automated processing of terminal descriptions occurs.
Mitigation strategies for this vulnerability should focus on immediate patching of affected ncurses versions, with the recommended approach being the upgrade to ncurses version 6.1 or later where the infinite loop condition has been resolved. System administrators should also implement input validation measures to prevent untrusted terminal capability descriptions from being processed, particularly in environments where user input may influence terminal handling operations. The vulnerability demonstrates characteristics consistent with ATT&CK technique T1499.004, which involves the exploitation of resource exhaustion vulnerabilities to cause denial of service conditions. Organizations should also consider implementing monitoring for unusual resource consumption patterns that may indicate exploitation attempts, as well as conducting regular vulnerability assessments to identify other potential instances of similar coding flaws within their terminal handling infrastructure.