[UNIX] NN Vulnerable to a Remote Format String Vulnerability
From: support@securiteam.com
Date: 07/06/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 6 Jul 2002 08:56:27 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NN Vulnerable to a Remote Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
The UNIX newsreader nn is a popular command-line utility that can be used
to access NNTP servers. Unfortunately, this news client insecurely uses
server input in a format string to print error messages on the client's
terminal.
DETAILS
Vulnerable systems:
* NN version 6.6.3 and prior
Immune systems:
* NN version 6.6.4
Impact:
Malicious server owners can use this vulnerability to execute code on
systems that are connected with affected clients.
Technical details:
A server response such as this can be used to trigger this issue:
100 AAAABBBB%10\$x%11\$x
If such a response is received, the nn client will display the following:
100 AAAABBBB4141414142424242
The problem is that nntp.c calls the following function as
nn_exitmsg(1, line), so the line received from the server is used as the
format string:
    void nn_exitmsg(int n, char *fmt,...)
    {
        va_list ap;
        va_start(ap, fmt);
        /* fmt is interpreted by vprintf, conversion specifiers included */
        vprintf(fmt, ap);
        putchar(NL);
        va_end(ap);
        nn_exit(n);
        /*NOTREACHED*/
    }
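The usual remedy for this class of bug, shown as an added example that is not taken from the advisory or from the nn source: pass the server line as an argument to a constant "%s" format, and declare the wrapper printf-like so the compiler can flag non-literal formats. The names exitmsg_format, line_survives_verbatim, has_format_directive and SAMPLE_LINE are hypothetical, and the sample line is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, modelled on the server response quoted in the advisory. */
#define SAMPLE_LINE "100 AAAABBBB%10$x%11$x"

/* Hypothetical stand-in for nn_exitmsg(): same printf-style varargs shape, but
 * it formats into a buffer instead of printing and exiting. The GCC/Clang
 * format attribute lets -Wformat-security flag non-literal format arguments. */
__attribute__((format(printf, 3, 4)))
static int exitmsg_format(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened call pattern: the server line is an argument to "%s", never the
 * format itself. Returns 1 if the line comes out byte for byte unchanged. */
static int line_survives_verbatim(const char *line)
{
    char out[512];
    int n = exitmsg_format(out, sizeof out, "%s", line);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, line) == 0;
}

/* Triage helper: does a server line contain a '%' that printf would treat as
 * the start of a conversion (anything other than the literal "%%")? */
static int has_format_directive(const char *line)
{
    for (const char *p = strchr(line, '%'); p != NULL; p = strchr(p + 2, '%')) {
        if (p[1] != '%')
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("directive present: %d\n", has_format_directive(SAMPLE_LINE));
    printf("verbatim via \"%%s\": %d\n", line_survives_verbatim(SAMPLE_LINE));
    return 0;
}
```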
Fix information:
The developer fixed this vulnerability in NN version 6.6.4, which can be
downloaded from here:
http://www.nndev.org/
Additionally, this vulnerability was fixed some time ago in the FreeBSD
ports collection (around June 18).
ADDITIONAL INFORMATION
The information has been provided by zillion <zillion@snosoft.com>.