#VU12202 Stack-based buffer overflow in ncurses - CVE-2017-16879
Published: April 26, 2018 / Updated: July 28, 2022
Vulnerability identifier: #VU12202
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-16879
CWE-ID: CWE-121
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
ncurses
ncurses
Software vendor:
Free Software Foundation
Free Software Foundation
Description
The vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code on the target system.
The weakness exists in the _nc_write_entry function in tinfo/write_entry.c due to stac-based buffer overflow. A remote attacker can submit a specially crafted terminfo file, as demonstrated by tic, trick the victim into opening it, trigger memory corruption and cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists in the _nc_write_entry function in tinfo/write_entry.c due to stac-based buffer overflow. A remote attacker can submit a specially crafted terminfo file, as demonstrated by tic, trick the victim into opening it, trigger memory corruption and cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Update to version 6.1.