{"id":22952,"date":"2023-09-20T03:02:52","date_gmt":"2023-09-20T11:02:52","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/09\/20\/news-16682\/"},"modified":"2023-09-20T03:02:52","modified_gmt":"2023-09-20T11:02:52","slug":"news-16682","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/09\/20\/news-16682\/","title":{"rendered":"Uncursing the ncurses: Memory corruption vulnerabilities found in library"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft Threat Intelligence| Date: Thu, 14 Sep 2023 11:30:00 +0000<\/strong><\/p>\n<p>Microsoft has discovered a set of memory corruption vulnerabilities in a library called <a href=\"https:\/\/invisible-island.net\/ncurses\/\"><em>ncurses<\/em><\/a>, which provides APIs that support text-based user interfaces (TUI). Released in 1993, the <em>ncurses<\/em> library is commonly used by various programs on Portable Operating System Interface (POSIX) operating systems, including Linux, macOS, and FreeBSD. Using environment variable poisoning, attackers could chain these vulnerabilities to elevate privileges and run code in the targeted program\u2019s context or perform other malicious actions.<\/p>\n<p>One of the most <a href=\"https:\/\/msrc.microsoft.com\/blog\/2019\/07\/a-proactive-approach-to-more-secure-code\/\">common vulnerabilities<\/a> found in modern software, memory corruption vulnerabilities, can allow attackers to gain unauthorized access to systems and data by modifying a program\u2019s memory. 
The impact of memory corruption vulnerabilities can range from leaking sensitive information and performing a simple denial-of-service (DoS) to elevating privileges and executing arbitrary code.<\/p>\n<p>Microsoft has shared these vulnerabilities with the relevant maintainers through <a href=\"https:\/\/www.microsoft.com\/msrc\/cvd?rtc=1\">Coordinated Vulnerability Disclosure<\/a> (CVD) via <a href=\"https:\/\/www.microsoft.com\/msrc\/msvr\">Microsoft Security Vulnerability Research<\/a> (MSVR). Fixes for these vulnerabilities, now identified as <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-29491\">CVE-2023-29491<\/a> with a CVSS score of 7.8, have been successfully deployed by the maintainer of the <em>ncurses<\/em> library, Thomas E. Dickey, in <a href=\"https:\/\/invisible-island.net\/ncurses\/NEWS.html#index-t20230408\">commit 20230408<\/a>. We wish to thank Thomas for his professionalism and collaboration in resolving those issues. We also worked with Apple on addressing the macOS-specific issues related to these vulnerabilities, and we thank Apple for their response and partnership. Lastly, during our analysis, a researcher named <a href=\"https:\/\/twitter.com\/gergely_kalman\">Gergely Kalman<\/a> engaged us privately over Twitter and contributed relevant use cases in addition to his own hand-coded fuzzer. We thank Gergely for his contributions in advancing this research and community engagement. Users of <em>ncurses<\/em> are encouraged to update their instances and systems.<\/p>\n<p>In this blog post, we share information about <em>ncurses<\/em> and the discovered memory corruption vulnerabilities. 
We also share this research to emphasize the importance of collaboration among researchers, industry partners, and the larger security community in the effort to improve security for all.<\/p>\n<h1 class=\"wp-block-heading\">Understanding terminal databases<\/h1>\n<p>Terminal databases allow <em>ncurses<\/em> to be terminal-independent, meaning the capabilities of the terminal are not required to be known ahead of time. Terminal databases contain a set of capabilities that ultimately determine the control characters that are sent to the terminal (instructing the terminal to perform basic interactions) and describe various properties of the terminal. Terminal databases come in two major formats: the older and less commonly used termcap (terminal capability) format, and the improved terminfo format. Since terminals can differ in the types of control characters they expect and the operations they support, terminfo became necessary to address this discrepancy. In its textual syntax, capabilities are separated by commas and come in three forms:<\/p>\n<ul>\n<li>Boolean capabilities: for example, the <em>am<\/em> capability specifies that the terminal supports automatic margins. In the terminfo textual syntax, Boolean capabilities appear by their name alone, without any additions.<\/li>\n<li>Numeric capabilities: for instance, the <em>cols<\/em> capability contains the number of columns in a line. In the terminfo textual syntax, numeric capabilities are recognized with a \u201c#\u201d symbol after their name, followed by the numeric value, such as \u201ccols#80\u201d.<\/li>\n<li>String capabilities: for instance, the <em>clear<\/em> capability describes the control character that should be transmitted to the terminal to clear the screen. 
In the terminfo textual syntax, string capabilities are recognized with a \u201c=\u201d symbol after their name, followed by the string value, such as \u201cclear=\\E[H\\E[2J\u201d.<\/li>\n<\/ul>\n<p>POSIX systems usually pre-ship with tens of such databases. It\u2019s possible to parse the capabilities of the current database with the <a href=\"https:\/\/linux.die.net\/man\/1\/infocmp\">infocmp<\/a> utility:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-1.-infocmp-output-reveals-the-current-terminfo-database-along-with-its-capabilities-1024x559.webp\" alt=\"Screenshot of the infocmp utility code output\" class=\"wp-image-131563 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-1.-infocmp-output-reveals-the-current-terminfo-database-along-with-its-capabilities-1024x559.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-1.-infocmp-output-reveals-the-current-terminfo-database-along-with-its-capabilities-300x164.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-1.-infocmp-output-reveals-the-current-terminfo-database-along-with-its-capabilities-768x420.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-1.-infocmp-output-reveals-the-current-terminfo-database-along-with-its-capabilities.webp 1188w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-1.-infocmp-output-reveals-the-current-terminfo-database-along-with-its-capabilities-1024x559.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 1. 
infocmp output reveals the current terminfo database along with its capabilities<\/em><\/figcaption><\/figure>\n<h1 class=\"wp-block-heading\">Environment variable poisoning<\/h1>\n<p>Every modern operating system contains a set of environment variables that might affect the behavior of programs. A well-known technique for attackers is to manipulate those environment variables to cause programs to perform actions that would benefit their malicious purposes, hence \u201cpoisoning\u201d them. There have been multiple cases of environment variable poisoning in the past, for instance:<\/p>\n<ul>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-22809\">CVE-2023-22809<\/a>: users were allowed to elevate their privileges by poisoning the EDITOR environment variable (and similar other environment variables) and running <a href=\"https:\/\/linux.die.net\/man\/8\/sudoedit\">sudoedit<\/a>, which ultimately allowed them to edit arbitrary files.<\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-0563\">CVE-2022-0563<\/a>: the environment variable INPUTRC is indirectly used by the <a href=\"https:\/\/linux.die.net\/man\/1\/chsh\">chsh<\/a> and <a href=\"https:\/\/linux.die.net\/man\/1\/chfn\">chfn<\/a> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Setuid\">set-UID<\/a> Linux binaries. It was discovered that INPUTRC could be poisoned to dump the contents of sensitive files on the system.<\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-9934\">CVE-2020-9934<\/a>: the HOME environment variable could be poisoned to bypass Transparency, Consent, and Control (TCC) on macOS, thus gaining access to otherwise inaccessible sensitive data. 
We have found a <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-30970\">similar bypass<\/a> and <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/01\/10\/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access\/\">reported it in 2021<\/a>.<\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-32369\">CVE-2023-32369<\/a>: the PERL5OPT and BASH_ENV environment variables could be poisoned to bypass <a href=\"https:\/\/developer.apple.com\/documentation\/security\/disabling_and_enabling_system_integrity_protection\">System Integrity Protection<\/a> (SIP) in macOS, thus elevating privileges. We have reported the vulnerability in <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2023\/05\/30\/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection\/\">April 2023<\/a>.<\/li>\n<li>The <a href=\"https:\/\/man7.org\/linux\/man-pages\/man8\/ld.so.8.html\">LD_PRELOAD<\/a> environment variable is commonly used in Linux for <a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/006\/\">code injection<\/a> purposes.<\/li>\n<li>The WINDIR and SYSTEMROOT environment variables have been used in the past on Windows for bypassing <a href=\"https:\/\/learn.microsoft.com\/windows\/security\/identity-protection\/user-account-control\/how-user-account-control-works\">User Account Control<\/a> (UAC).<\/li>\n<\/ul>\n<p>We have discovered that during initialization, the <em>ncurses<\/em> library searches for several environment variables, including an environment variable similarly named TERMINFO. When using terminfo databases, the program consults a fixed directory path unless a TERMINFO environment variable is present, which instead points the program to an alternative directory that contains compiled terminfo database files. 
Moreover, there are interesting common programs that use <em>ncurses<\/em>, most notably <a href=\"https:\/\/ss64.com\/osx\/top.html\"><em>top<\/em><\/a> on macOS, which is a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Setuid\">set-UID<\/a> binary (which runs with elevated privileges) that also uses the TERMINFO environment variable. Therefore, finding vulnerabilities in <em>ncurses<\/em> has the potential to affect many programs and possibly elevate privileges. It\u2019s noteworthy that the potential of poisoning the TERMINFO environment variable was highlighted several times in the past (for example, <a href=\"https:\/\/blog.trailofbits.com\/2023\/02\/16\/suid-logic-bug-linux-readline\/\">here<\/a>), but we have not seen comprehensive research on the topic of terminfo capabilities for offensive security purposes.<\/p>\n<p>For completeness, while this blog post focuses on how attackers could poison the TERMINFO environment variable to potentially exploit <em>ncurses<\/em> vulnerabilities, the HOME environment variable could have been similarly manipulated. Assuming the TERMINFO environment variable was never defined, <em>ncurses<\/em> looks for a <em>$HOME\/.terminfo<\/em> directory. This could have been abused by planting a <em>.terminfo<\/em> directory at an arbitrary path and poisoning the HOME environment variable, so the technique is quite similar.<\/p>\n<h1 class=\"wp-block-heading\">Stack-based terminfo capabilities<\/h1>\n<p>The terminfo capabilities are richer than they first appear. In a nutshell, capabilities are allowed to receive up to nine parameters (p1-p9) and use them in a stack data structure. Furthermore, capabilities work with a stack-like structure and instructions that can push (place an item on the stack) and pop (take an item from the stack) data, perform logical-arithmetic operations, and even support conditions. 
Here are some examples:<\/p>\n<figure class=\"wp-block-table table\">\n<table>\n<tbody>\n<tr>\n<td><strong>Operation<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>%{number}<\/strong><\/td>\n<td>Push a constant value to the stack.<\/td>\n<\/tr>\n<tr>\n<td><strong>%p<sub>x<\/sub><\/strong><\/td>\n<td>Push the parameter to the stack.<\/td>\n<\/tr>\n<tr>\n<td><strong>%+, %-, %*, %\/, %m<\/strong><\/td>\n<td>Pop two numbers from the stack and push the arithmetic result back to the stack. Addition, subtraction, multiplication, division, and remainder operations are supported.<\/td>\n<\/tr>\n<tr>\n<td><strong>%&amp;, %|, %^<\/strong><\/td>\n<td>Pop two numbers from the stack and push the bitwise result to the stack. Bitwise AND, OR, and XOR are supported.<\/td>\n<\/tr>\n<tr>\n<td><strong>%=, %&lt;, %&gt;, %A, %O<\/strong><\/td>\n<td>Pop two numbers and compare them, pushing the logical result back to the stack. The operations of equality, less-than, and greater-than are supported, as well as logical AND and OR operations.<\/td>\n<\/tr>\n<tr>\n<td><strong>%l<\/strong><\/td>\n<td>Pop a string from the stack and push its length back to the stack.<\/td>\n<\/tr>\n<tr>\n<td><strong>%?[condition]%t[body<sub>1<\/sub>]%e[body<sub>2<\/sub>]%;<\/strong><\/td>\n<td>Evaluate a condition. The <em>%t<\/em> operation pops a numeric value from the stack and compares it to 0. The result determines which body to execute (the \u201celse\u201d body is optional and comes after the <em>%e<\/em> delimiter).<\/td>\n<\/tr>\n<tr>\n<td><strong>%s, %c<\/strong><\/td>\n<td>Pop a string from the stack and print it out to the terminal.<\/td>\n<\/tr>\n<tr>\n<td><strong>%d, %x<\/strong><\/td>\n<td>Pop a number from the stack and print it out to the terminal.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>While not Turing-complete, terminfo offers functionality that resembles very basic programming. 
Due to the complicated logic required by <em>ncurses<\/em>, security issues are expected to be found, and indeed there have been numerous <em>ncurses<\/em> vulnerabilities <a href=\"https:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-72\/product_id-38464\/GNU-Ncurses.html\">in the past<\/a>.<\/p>\n<p>It\u2019s interesting to note that while the version of <em>ncurses<\/em> we checked was 6.4 (latest at the time of research), the <em>ncurses<\/em> version on macOS was 5.7, but had several security-related patches <a href=\"https:\/\/github.com\/apple-oss-distributions\/ncurses\">maintained by Apple<\/a>. Nevertheless, all our findings are true for all <em>ncurses<\/em> versions, thus affecting both Linux and macOS.<\/p>\n<h1 class=\"wp-block-heading\">Discovered vulnerabilities<\/h1>\n<p>We discovered several memory corruption vulnerabilities through code auditing and <a href=\"https:\/\/owasp.org\/www-community\/Fuzzing\">fuzzing<\/a>. In addition to using our own <a href=\"https:\/\/github.com\/AFLplusplus\/AFLplusplus\">AFL++ based fuzzer<\/a>, the use cases contributed by <a href=\"https:\/\/twitter.com\/gergely_kalman\">Gergely Kalman<\/a> assisted in advancing this research.<\/p>\n<p>The discovered vulnerabilities could have been exploited by attackers to elevate privileges and run code within a targeted program\u2019s context. Nonetheless, gaining control of a program through exploiting memory corruption vulnerabilities requires a multi-stage attack. The vulnerabilities may have needed to be chained together for an attacker to elevate privileges, such as exploiting the stack information leak to gain arbitrary read primitives along with exploiting the heap overflow to obtain a write primitive.<\/p>\n<h2 class=\"wp-block-heading\">Stack information leak<\/h2>\n<p>The function that runs the capability logic is called <a href=\"https:\/\/linux.die.net\/man\/3\/tparm\"><em>tparm<\/em><\/a>. 
It is a C variadic function, meaning its number of arguments is not predefined (similarly to <em>printf<\/em>). The way variadic functions work in C is usually with the <a href=\"https:\/\/en.cppreference.com\/w\/c\/variadic\/va_list\"><em>va_list<\/em><\/a> structure and its macros, <a href=\"https:\/\/en.cppreference.com\/w\/c\/variadic\/va_start\"><em>va_start<\/em><\/a>, <a href=\"https:\/\/en.cppreference.com\/w\/c\/variadic\/va_arg\"><em>va_arg<\/em><\/a>, and <a href=\"https:\/\/en.cppreference.com\/w\/c\/variadic\/va_end\"><em>va_end<\/em><\/a>. The common scenario for such functions is to parse a format-string, conclude the number of parameters it expects, and use the <em>va_arg<\/em> macro iteratively to fetch those arguments. However, since an attacker can be in full control of the capability\u2019s string, we can make <em>tparm<\/em> call <em>va_arg<\/em> more times than it should, effectively leaking information from the call stack. Since we are allowed up to nine parameters, we can leak up to eight unintended arguments, including arguments from the program\u2019s stack:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-2.-Demonstrating-an-information-leak-proof-of-concept-1024x585.webp\" alt=\"Screenshot of code\" class=\"wp-image-131565 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-2.-Demonstrating-an-information-leak-proof-of-concept-1024x585.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-2.-Demonstrating-an-information-leak-proof-of-concept-300x172.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-2.-Demonstrating-an-information-leak-proof-of-concept-768x439.webp 768w, 
https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-2.-Demonstrating-an-information-leak-proof-of-concept.webp 1060w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-2.-Demonstrating-an-information-leak-proof-of-concept-1024x585.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 2. Demonstrating an information leak proof of concept<\/em><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\">Parameterized string type confusion<\/h2>\n<p>The stack used by the <em>tparm<\/em> function is just an allocated array with 20 entries (referred to as <em>STACK_FRAME<\/em> in the source code). Each frame can hold either a number (32-bit signed integer) or a string (pointer). To distinguish between a number and a string, the frame uses a Boolean value, which represents whether the data is numeric or not:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-3.-A-terminfo-stack-entry.webp\" alt=\"Screenshot of code\" class=\"wp-image-131566 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-3.-A-terminfo-stack-entry.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 3. A terminfo stack entry<\/em><\/figcaption><\/figure>\n<p>Certain push operations can be easily concluded, for example, when pushing an arithmetic result (such as <em>%+<\/em>) or a literal (<em>%{number}<\/em>). However, for parameters, things are different. There is no easy way to know ahead of time whether a parameter is expected to be a string or numeric. Therefore, <em>tparm<\/em> uses a heuristic\u2014it walks the capability string statically, and when it sees <em>%s<\/em> or <em>%l<\/em>, it concludes that the last parameter push was a string. This approach can be abused in multiple ways. 
For example, the macOS <em>top<\/em> utility calls <a href=\"https:\/\/linux.die.net\/man\/3\/mvcur\"><em>mvcur<\/em><\/a>, which in turn calls <em>tparm<\/em> with the <em>cup<\/em> capability, along with integer parameters. Treating the parameter as a string can trigger <a href=\"https:\/\/cplusplus.com\/reference\/cstring\/strlen\/\"><em>strlen<\/em><\/a> on the integer address:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-4.-Type-confusion-causes-strlen-to-be-invoked-on-low-addresses.webp\" alt=\"Screenshot of code\" class=\"wp-image-131567 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-4.-Type-confusion-causes-strlen-to-be-invoked-on-low-addresses.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 4. Type confusion causes strlen to be invoked on low addresses<\/em><\/figcaption><\/figure>\n<p>The crash we triggered occurs during an initialization of the <em>mvcur<\/em> operation, which assesses the \u201ccost\u201d of moving the cursor by invoking <em>tparm<\/em> with a constant, non-attacker-controlled value. We can improve the attack by using conditions\u2014if the parameter\u2019s value is not that constant value, then treat the parameter as a string, otherwise treat it as a number. 
Implementation with capabilities is straightforward:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.1-1-1024x81.webp\" alt=\"A line of code reading cup=%?%p1%p2%&lt;%t\\E[%i%p1%d;%p2%dH%e%p1%s%;,\" class=\"wp-image-131599 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.1-1-1024x81.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.1-1-300x24.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.1-1-768x60.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.1-1-1536x121.webp 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.1-1-2048x161.webp 2048w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.1-1-1024x81.webp\"><\/figure>\n<p>This should be read as:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.2-1-1024x67.webp\" alt=\"Screenshot stating &ldquo;IF p1 &lt; p2 THEN (use the usual &lsquo;cup&rsquo; capability) ELSE treat p1 is a string&rdquo; \" class=\"wp-image-131600 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.2-1-1024x67.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.2-1-300x20.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.2-1-768x50.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.2-1-1536x100.webp 1536w, 
https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.2-1-2048x133.webp 2048w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Test-1.2-1-1024x67.webp\"><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-5.-Using-conditions-to-only-trigger-strlen-when-desired.webp\" alt=\"Screenshot of code\" class=\"wp-image-131568 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-5.-Using-conditions-to-only-trigger-strlen-when-desired.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 5. Using conditions to only trigger strlen when desired<\/em><\/figcaption><\/figure>\n<p>This primitive is quite powerful, as we can trigger <em>strlen<\/em> on an arbitrary number, effectively gaining a read primitive. Gaining a read primitive defeats the Address Space Layout Randomization (ASLR) security mechanism by leaking address information and, if the binary happens to contain valuable secrets in its memory (like passwords), an attacker could potentially read those as well.<\/p>\n<h2 class=\"wp-block-heading\">Cost calculating padding off-by-one<\/h2>\n<p>We have mentioned that <em>mvcur<\/em> uses a cost-calculating function to determine the costs of certain capabilities. The cost calculation is done by the function <em>_nc_msec_cost<\/em>, and it assesses the number of milliseconds it takes to print out a capability, which is largely derived from delays that can be part of a capability. Delays are numeric literal values wrapped between \u2018<em>$&lt;<\/em>\u2019 and \u2018<em>&gt;<\/em>\u2019, and they even support a decimal point. 
We discovered an off-by-one error\u2014if the function sees a decimal point character, it skips one character assuming a digit, with an insufficient check after:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-6.-Off-by-one-bug-causes-the-string-to-be-assessed-beyond-its-boundaries.webp\" alt=\"Screenshot of code\" class=\"wp-image-131569 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-6.-Off-by-one-bug-causes-the-string-to-be-assessed-beyond-its-boundaries.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 6. Off-by-one bug causes the string to be assessed beyond its boundaries<\/em><\/figcaption><\/figure>\n<p>Therefore, it\u2019s possible to have the cost-calculating function read beyond the boundary of the capability string by closing the delay markup with a \u2018<em>&gt;<\/em>\u2019 character immediately following the decimal dot.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-7.-Reading-past-the-capability-string-limit-might-cause-a-segmentation-fault.webp\" alt=\"Screenshot of code\" class=\"wp-image-131570 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-7.-Reading-past-the-capability-string-limit-might-cause-a-segmentation-fault.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 7. 
Reading past the capability string limit might cause a segmentation fault<\/em><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\">Heap out-of-bounds during terminfo database file parsing<\/h2>\n<p>The terminfo database files are binary files commonly compiled from the text representation with a utility called <a href=\"https:\/\/linux.die.net\/man\/1\/tic\"><em>tic<\/em><\/a>. The format of the database consists of the following parts:<\/p>\n<ul>\n<li>The header: contains a magic value, the size of the terminal name, the number of Boolean capabilities, the number of numeric capabilities, the number of string capabilities, and the total size of string capabilities.<\/li>\n<li>The terminal name<\/li>\n<li>The capabilities:\n<ul>\n<li>The Boolean capabilities<\/li>\n<li>The numeric capabilities<\/li>\n<li>The string capability offsets<\/li>\n<li>The string capabilities themselves<\/li>\n<\/ul>\n<\/li>\n<li>Optional extended entries (in the same order: Boolean, numeric, and strings)<\/li>\n<\/ul>\n<p>The optional extended entries are user-defined entries. We discovered that the function that performs the database parsing (<em>_nc_read_termtype<\/em>) can write beyond the boundaries of a heap-allocated chunk, as follows:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-8.-Heap-out-of-bounds-due-to-realloc-call.webp\" alt=\"Screenshot of code\" class=\"wp-image-131571 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-8.-Heap-out-of-bounds-due-to-realloc-call.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 8. Heap out-of-bounds due to realloc call<\/em><\/figcaption><\/figure>\n<ol type=\"1\">\n<li>The code uses <a href=\"https:\/\/linux.die.net\/man\/3\/calloc\"><em>calloc<\/em><\/a> to allocate room for the strings. 
While <em>STRCOUNT<\/em> is a constant representing the maximum length of standard string capabilities (414), <em>str_count<\/em> is attacker-controlled and defined in the header of the attacker\u2019s terminfo file. This controls the size of the allocated chunk saved in <em>ptr-&gt;Strings<\/em>.<\/li>\n<li>After parsing all the standard capabilities, <em>ncurses<\/em> starts parsing the extended capabilities. The code assigns <em>ptr-&gt;num_Strings<\/em> to <em>STRCOUNT + ext_str_count<\/em>, which might be <strong>smaller<\/strong> than the non-extended string count, effectively shrinking <em>ptr-&gt;Strings<\/em> with a <a href=\"https:\/\/linux.die.net\/man\/3\/realloc\"><em>realloc<\/em><\/a> call.<\/li>\n<li>Immediately after the <em>realloc<\/em> call, we can see <em>ptr-&gt;Strings<\/em> being written beyond its boundaries. Extended string capabilities are parsed and appended after standard string capabilities. The <em>convert_strings<\/em> function attempts to achieve this by storing data in <em>ptr-&gt;Strings + str_count<\/em>. However, while <em>ptr-&gt;Strings<\/em> was shrunk to <em>STRCOUNT + ext_str_count<\/em>, <em>str_count<\/em> is user-controlled and can be greater than <em>STRCOUNT<\/em>.<\/li>\n<li>If <em>str_count &gt;= STRCOUNT<\/em>, then <em>ptr-&gt;Strings + str_count + ext_str_count<\/em> will be greater than <em>ptr-&gt;Strings + STRCOUNT + ext_str_count<\/em> and <em>convert_strings<\/em> will cause a heap buffer overflow.<\/li>\n<\/ol>\n<h2 class=\"wp-block-heading\">Denial of service with canceled strings<\/h2>\n<p>The <em>ncurses<\/em> library has a notion of marking strings as \u201ccancelled\u201d. This is useful for terminfo database inheritance and skipping absent capabilities in general. 
As an example, the function <em>convert_strings<\/em> that converts strings from the terminfo database file format to the appropriate data structures in memory sets strings as <em>CANCELLED_STRING<\/em> if the index referring to them is negative.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-9.-convert_strings-setting-a-string-to-be-CANCELLED.webp\" alt=\"Screenshot of code\" class=\"wp-image-131572 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-9.-convert_strings-setting-a-string-to-be-CANCELLED.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 9. convert_strings setting a string to be CANCELLED<\/em><\/figcaption><\/figure>\n<p>The value of the <em>CANCELLED_STRING<\/em> constant is -1, and before processing, the <em>ncurses<\/em> codebase looks for these strings and converts them to <em>ABSENT_STRING<\/em> (constant 0). Unfortunately, it does so only for ordinary strings; extended strings do not get that treatment. Specifically, a heuristic determines that strings that begin with the \u201ck\u201d character should be treated as keypad functionality. 
This allows an attacker to specify an extended string in a way that will make <em>ncurses<\/em> dereference -1 (0xFFFFFFFFFFFFFFFF):<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-10.-ncurses-dereferencing-1-when-attempting-to-parse-a-cancelled-string-for-keypad-functionality.webp\" alt=\"Screenshot of code\" class=\"wp-image-131573 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-10.-ncurses-dereferencing-1-when-attempting-to-parse-a-cancelled-string-for-keypad-functionality.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 10. ncurses dereferencing -1 when attempting to parse a cancelled string for keypad functionality<\/em><\/figcaption><\/figure>\n<h1 class=\"wp-block-heading\">Protection and detection with Microsoft Defender for Endpoint<\/h1>\n<p>While organizational devices and networks may become increasingly secure, attackers continue to exploit unpatched vulnerabilities and misconfigurations as a vector to access sensitive systems and information. Exploiting vulnerabilities in the <em>ncurses<\/em> library could have notable consequences for users, allowing attackers to perform malicious actions like elevating privileges to run code in a targeted program\u2019s context and access or modify valuable data and resources. Responding to the evolving threat landscape requires us to expand our expertise across devices and platforms as part of our commitment to continuously improve security <em>from<\/em> Microsoft, not just <em>for<\/em> Microsoft.<\/p>\n<p>This case displays how responsible vulnerability disclosure and collaborative research informs our comprehensive protection capabilities across platforms. 
<a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-vulnerability-management\/defender-vulnerability-management?view=o365-worldwide\">Microsoft Defender Vulnerability Management<\/a> is able to quickly discover and remediate such vulnerabilities on both Linux and macOS. Additionally, <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/endpoint-defender\">Microsoft Defender for Endpoint<\/a> has similar detections for potential abuse of terminfo databases for set-UID binaries, such as macOS\u2019s <a href=\"https:\/\/ss64.com\/osx\/top.html\"><em>top<\/em><\/a>:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-11.-Microsoft-Defender-for-Endpoint-detecting-suspicious-TERMINFO-use-1024x572.webp\" alt=\"Screenshot of code\" class=\"wp-image-131574 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-11.-Microsoft-Defender-for-Endpoint-detecting-suspicious-TERMINFO-use-1024x572.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-11.-Microsoft-Defender-for-Endpoint-detecting-suspicious-TERMINFO-use-300x168.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-11.-Microsoft-Defender-for-Endpoint-detecting-suspicious-TERMINFO-use-768x429.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-11.-Microsoft-Defender-for-Endpoint-detecting-suspicious-TERMINFO-use-336x189.webp 336w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-11.-Microsoft-Defender-for-Endpoint-detecting-suspicious-TERMINFO-use-189x106.webp 189w, 
https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-11.-Microsoft-Defender-for-Endpoint-detecting-suspicious-TERMINFO-use-418x232.webp 418w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-11.-Microsoft-Defender-for-Endpoint-detecting-suspicious-TERMINFO-use.webp 1471w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/09\/Figure-11.-Microsoft-Defender-for-Endpoint-detecting-suspicious-TERMINFO-use-1024x572.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 11. Microsoft Defender for Endpoint detecting suspicious TERMINFO use<\/em><\/figcaption><\/figure>\n<p>After discovering the vulnerabilities in the <em>ncurses<\/em> library, we worked with the maintainer, Thomas E. Dickey, and Apple to ensure the issues were resolved across platforms. This case also shows the value of community engagement in improving security for all: researcher Gergely Kalman\u2019s use-case contributions directly assisted our research. We wish to again thank Thomas and the Apple product security team for their efforts and collaboration in addressing <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-29491\">CVE-2023-29491<\/a>, as well as Gergely for his contributions in furthering this research.<\/p>\n<p>As the threat landscape continues to evolve and threats across all platforms continue to grow, Microsoft strives to continuously secure users\u2019 computing experiences, regardless of the platform or device in use. 
We will continue to work with the security community to share vulnerability discoveries and threat intelligence in the effort to build better protection for all.<\/p>\n<p><strong>Jonathan Bar Or, Emanuele Cozzi, Michael Pearse<\/strong><\/p>\n<p><em>Microsoft Threat Intelligence team<\/em><\/p>\n<h2 class=\"wp-block-heading\">References<\/h2>\n<ul>\n<li><a href=\"https:\/\/invisible-island.net\/ncurses\/\">https:\/\/invisible-island.net\/ncurses\/<\/a><\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-29491\">https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-29491<\/a><\/li>\n<li><a href=\"https:\/\/invisible-island.net\/ncurses\/NEWS.html#index-t20230408\">https:\/\/invisible-island.net\/ncurses\/NEWS.html#index-t20230408<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/gergely_kalman\">https:\/\/twitter.com\/gergely_kalman<\/a><\/li>\n<li><a href=\"https:\/\/linux.die.net\/man\/1\/infocmp\">https:\/\/linux.die.net\/man\/1\/infocmp<\/a><\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-22809\">https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-22809<\/a><\/li>\n<li><a href=\"https:\/\/linux.die.net\/man\/8\/sudoedit\">https:\/\/linux.die.net\/man\/8\/sudoedit<\/a><\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-0563\">https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-0563<\/a><\/li>\n<li><a href=\"https:\/\/linux.die.net\/man\/1\/chsh\">https:\/\/linux.die.net\/man\/1\/chsh<\/a><\/li>\n<li><a href=\"https:\/\/linux.die.net\/man\/1\/chfn\">https:\/\/linux.die.net\/man\/1\/chfn<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Setuid\">https:\/\/en.wikipedia.org\/wiki\/Setuid<\/a><\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-9934\">https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-9934<\/a><\/li>\n<li><a 
href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-30970\">https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-30970<\/a><\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-32369\">https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-32369<\/a><\/li>\n<li><a href=\"https:\/\/developer.apple.com\/documentation\/security\/disabling_and_enabling_system_integrity_protection\">https:\/\/developer.apple.com\/documentation\/security\/disabling_and_enabling_system_integrity_protection<\/a><\/li>\n<li><a href=\"https:\/\/man7.org\/linux\/man-pages\/man8\/ld.so.8.html\">https:\/\/man7.org\/linux\/man-pages\/man8\/ld.so.8.html<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/006\/\">https:\/\/attack.mitre.org\/techniques\/T1574\/006\/<\/a><\/li>\n<li><a href=\"https:\/\/ss64.com\/osx\/top.html\">https:\/\/ss64.com\/osx\/top.html<\/a><\/li>\n<li><a href=\"https:\/\/blog.trailofbits.com\/2023\/02\/16\/suid-logic-bug-linux-readline\/\">https:\/\/blog.trailofbits.com\/2023\/02\/16\/suid-logic-bug-linux-readline\/<\/a><\/li>\n<li><a href=\"https:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-72\/product_id-38464\/GNU-Ncurses.html\">https:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-72\/product_id-38464\/GNU-Ncurses.html<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/apple-oss-distributions\/ncurses\">https:\/\/github.com\/apple-oss-distributions\/ncurses<\/a><\/li>\n<li><a href=\"https:\/\/owasp.org\/www-community\/Fuzzing\">https:\/\/owasp.org\/www-community\/Fuzzing<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/AFLplusplus\/AFLplusplus\">https:\/\/github.com\/AFLplusplus\/AFLplusplus<\/a><\/li>\n<li><a href=\"https:\/\/linux.die.net\/man\/3\/tparm\">https:\/\/linux.die.net\/man\/3\/tparm<\/a><\/li>\n<li><a href=\"https:\/\/en.cppreference.com\/w\/c\/variadic\/va_list\">https:\/\/en.cppreference.com\/w\/c\/variadic\/va_list<\/a><\/li>\n<li><a 
href=\"https:\/\/en.cppreference.com\/w\/c\/variadic\/va_start\">https:\/\/en.cppreference.com\/w\/c\/variadic\/va_start<\/a><\/li>\n<li><a href=\"https:\/\/en.cppreference.com\/w\/c\/variadic\/va_arg\">https:\/\/en.cppreference.com\/w\/c\/variadic\/va_arg<\/a><\/li>\n<li><a href=\"https:\/\/en.cppreference.com\/w\/c\/variadic\/va_end\">https:\/\/en.cppreference.com\/w\/c\/variadic\/va_end<\/a><\/li>\n<li><a href=\"https:\/\/linux.die.net\/man\/3\/mvcur\">https:\/\/linux.die.net\/man\/3\/mvcur<\/a><\/li>\n<li><a href=\"https:\/\/cplusplus.com\/reference\/cstring\/strlen\/\">https:\/\/cplusplus.com\/reference\/cstring\/strlen\/<\/a><\/li>\n<li><a href=\"https:\/\/linux.die.net\/man\/1\/tic\">https:\/\/linux.die.net\/man\/1\/tic<\/a><\/li>\n<li><a href=\"https:\/\/linux.die.net\/man\/3\/calloc\">https:\/\/linux.die.net\/man\/3\/calloc<\/a><\/li>\n<li><a href=\"https:\/\/linux.die.net\/man\/3\/realloc\">https:\/\/linux.die.net\/man\/3\/realloc<\/a><\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Further reading<\/h2>\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>. 
<\/p>\n<p>To get notified about new publications and to join discussions on social media, follow us on Twitter at <a href=\"https:\/\/twitter.com\/MsftSecIntel\">https:\/\/twitter.com\/MsftSecIntel<\/a>.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/09\/14\/uncursing-the-ncurses-memory-corruption-vulnerabilities-found-in-library\/\">Uncursing the ncurses: Memory corruption vulnerabilities found in library<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft Threat Intelligence| Date: Thu, 14 Sep 2023 11:30:00 +0000<\/strong><\/p>\n<p>A set of memory corruption vulnerabilities in the ncurses library could have allowed attackers to chain the vulnerabilities to elevate privileges and run code in the targeted program&#8217;s context or perform other malicious actions. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[],"class_list":["post-22952","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22952","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22952"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22952\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22952"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22952"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22952"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}