nn remote format string vulnerability

From: zillion (zillionat_private)
Date: Thu Jul 04 2002 - 02:48:27 PDT


    ====================================================================
                   Safemode.org security advisory: nn
    ====================================================================
    
    
    Package:  nn
    Version:  6.6.3 or prior
    Date:     28/06/2002
    Issue:    Remote format string
    Risk:     High
    Credits:  zillion[at]safemode.org
              http://www.safemode.org
    
    The Unix newsreader nn is a popular command-line utility that can
    be used to access NNTP servers. Unfortunately this news client
    passes server-supplied text directly to a printf-style function as
    the format string when printing error messages on the client's
    terminal.
    
    
    The impact:
    ====================================================================
    
    Malicious server owners can use this vulnerability to execute code
    on the systems of users whose affected nn clients connect to that
    server.
    
    
    Technical details:
    ====================================================================
    
    A server response such as this can be used to trigger this issue:
    
    100 AAAABBBB%10\$x%11\$x
    
    If such a response is received, the nn client will display the
    following:
    
    100 AAAABBBB4141414142424242
    
    The problem is that the following function is called as
    nn_exitmsg(1, line) in nntp.c, so the server-supplied line is used
    directly as the format string instead of being passed as an argument:
    
    #include <stdarg.h>
    #include <stdio.h>

    /* Print an error message and exit. 'fmt' is handed straight to
       vprintf; when the caller passes the raw server line as 'fmt',
       any %-conversions in that line are interpreted by vprintf. */
    void nn_exitmsg(int n, char *fmt,...)
    {
        va_list     ap;

        va_start(ap, fmt);
        vprintf(fmt, ap);   /* fmt is attacker-controlled at the nntp.c call site */
        putchar(NL);        /* NL is nn's newline macro ('\n') */
        va_end(ap);

        nn_exit(n);
        /*NOTREACHED*/
    }
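
The hardened call pattern, as an added example that is not nn's own code and not part of the original advisory: the server line is passed as a printf argument under a fixed "%s" format, so the same response quoted above is printed literally instead of being interpreted. The helper names (render_server_line, line_has_conversion_spec) and the sample status line are constructed here for illustration; the second helper is a simple detection aid for logging responses that carry conversion specifiers, which a legitimate NNTP status line does not.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened equivalent of the nntp.c call site:
 *   vulnerable:  nn_exitmsg(1, line);        -- line becomes the format
 *   fixed:       nn_exitmsg(1, "%s", line);  -- line is only an argument
 * Here the result is rendered into a buffer so it can be inspected. */
int render_server_line(char *out, size_t outsz, const char *line)
{
    /* The format string is a compile-time constant; 'line' can never
       supply conversion specifiers that snprintf would act on. */
    return snprintf(out, outsz, "%s", line);
}

/* Detection helper (constructed): returns 1 if the line contains a
 * printf conversion specifier other than the literal "%%" escape.
 * Useful for flagging suspicious server responses in client logs. */
int line_has_conversion_spec(const char *line)
{
    const char *p = strchr(line, '%');
    while (p) {
        if (p[1] == '\0')
            return 0;                 /* trailing lone '%' ends the scan */
        if (p[1] != '%')
            return 1;                 /* "%x", "%n", "%10$x", ... */
        p = strchr(p + 2, '%');       /* skip the "%%" escape */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample modelled on the response quoted in the advisory. */
    const char *line = "100 AAAABBBB%10$x%11$x";
    char buf[128];

    render_server_line(buf, sizeof buf, line);
    printf("rendered : %s\n", buf);
    printf("flagged  : %d\n", line_has_conversion_spec(line));
    return 0;
}
```

With the fixed pattern the output line reads exactly like the wire response, `100 AAAABBBB%10$x%11$x`, rather than the `4141414142424242` stack contents the advisory shows the unfixed client printing.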
    
    
    
    The fix information:
    ====================================================================
    
    The developer fixed this vulnerability in NN version 6.6.4, which can
    be downloaded from here:
    
    http://www.nndev.org/
    
    Additionally, this vulnerability was fixed some time ago in the
    FreeBSD ports collection (around June 18).
    
    
    Greets:
    ====================================================================
    
    All @snosoft.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 09:17:29 PDT