[26057] in bugtraq


nn remote format string vulnerability

daemon@ATHENA.MIT.EDU (zillion)
Thu Jul 4 12:26:53 2002

Date: Thu, 4 Jul 2002 05:48:27 -0400 (EDT)
From: zillion <zillion@snosoft.com>
To: <bugtraq@securityfocus.com>
Message-ID: <20020704054411.B1100-100000@mail.snosoft.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII




====================================================================
               Safemode.org security advisory: nn
====================================================================


Package:  nn
Version:  6.6.3 or prior
Date:     28/06/2002
Issue:    Remote format string
Risk:     High
Credits:  zillion[at]safemode.org
          http://www.safemode.org

The Unix newsreader nn is a popular command-line utility that can
be used to access NNTP servers. Unfortunately, this news client
insecurely uses server input as a format string when printing error
messages on the client's terminal.


The impact:
====================================================================

Malicious server owners can use this vulnerability to execute code
on systems that are connected with affected clients.


Technical details:
====================================================================

A server response such as this can be used to trigger this issue:

100 AAAABBBB%10\$x%11\$x

If such a response is received, the nn client will display the
following:

100 AAAABBBB4141414142424242

The problem is that the following function is called as
nn_exitmsg(1, line) in the nntp.c file, which passes line as the
fmt argument:

void nn_exitmsg(int n, char *fmt,...)
{
    va_list     ap;

    va_start(ap, fmt);
    vprintf(fmt, ap);
    putchar(NL);
    va_end(ap);

    nn_exit(n);
    /*NOTREACHED*/
}
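
The call pattern above beside the usual remedy, as an added example that
is not code from nn or from the advisory. The advisory does not say how
6.6.4 changed the call, so the constant "%s" format is an assumption, and
format_msg, report_server_line and has_format_directive are hypothetical
names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for nn_exitmsg(): same variadic shape, but it
 * formats into a caller buffer instead of printing and exiting. The format
 * attribute (GCC/Clang) lets -Wformat-security flag non-literal formats. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int format_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern from the advisory, kept as a comment only:
 *     format_msg(out, outlen, line);   <- server text is the format
 * Hardened: constant format, server text passed as a plain argument. */
static int report_server_line(char *out, size_t outlen, const char *line)
{
    return format_msg(out, outlen, "%s", line);
}

/* Returns 1 if line holds a conversion directive: any '%' not in "%%". */
static int has_format_directive(const char *line)
{
    for (const char *p = line; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] != '%')
            return 1;
        p++;  /* skip the second '%' of an escaped pair */
    }
    return 0;
}

int main(void)
{
    /* Constructed response modelled on the one in the advisory. */
    const char *line = "100 AAAABBBB%10$x%11$x";
    char out[128];
    report_server_line(out, sizeof out, line);
    printf("%s\ndirective present: %d\n", out, has_format_directive(line));
    return 0;
}
```

With the constant format the directives in the response are copied
through as text instead of being interpreted.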



The fix information:
====================================================================

The developer fixed this vulnerability in NN version 6.6.4, which can
be downloaded from here:

http://www.nndev.org/

Additionally, this vulnerability was fixed some time ago in the
FreeBSD ports collection (around June 18).


Greets:
====================================================================

All @snosoft.com

