nn remote format string vulnerability

From: zillion (zillion@snosoft.com)
Date: 07/04/02


Date: Thu, 4 Jul 2002 05:48:27 -0400 (EDT)
From: zillion <zillion@snosoft.com>
To: <bugtraq@securityfocus.com>


====================================================================
               Safemode.org security advisory: nn
====================================================================

Package: nn
Version: 6.6.3 or prior
Date: 28/06/2002
Issue: Remote format string
Risk: High
Credits: zillion[at]safemode.org
          http://www.safemode.org

The Unix newsreader nn is a popular command-line utility that can
be used to access NNTP servers. Unfortunately this news client
insecurely uses server input in a format string to print error
messages on the client's terminal.

The impact:
====================================================================

Malicious server owners can use this vulnerability to execute code
on systems that are connected with affected clients.

Technical details:
====================================================================

A server response such as this can be used to trigger this issue:

100 AAAABBBB%10\$x%11\$x

If such a response is received, the nn client will display the
following:

100 AAAABBBB4141414142424242

The problem is that the following function is called as
nn_exitmsg(1, line) in the nntp.c file, so the server's response
line is used as the format string:

void nn_exitmsg(int n, char *fmt,...)
{
    va_list ap;

    va_start(ap, fmt);
    /* fmt is the server response line when called as nn_exitmsg(1, line) */
    vprintf(fmt, ap);
    putchar(NL);
    va_end(ap);

    nn_exit(n);
    /*NOTREACHED*/
}

The fix information:
====================================================================

The developer fixed this vulnerability in NN version 6.6.4, which can
be downloaded from here:

http://www.nndev.org/

Additionally, this vulnerability was fixed some time ago in the
FreeBSD ports collection (around June 18).
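
The usual remediation for this bug class, shown as an added example that is not part of the advisory and not the actual NN 6.6.4 patch: the server line is passed only as an argument to a constant "%s" format, and a small checker counts conversion specifiers in a response line for logging. The names render_msg, report_server_error and count_conversions are hypothetical, and the sample line is the advisory's response with the shell escapes removed (an assumption).

```c
/* Added example, not nn source; render_msg() is a hypothetical stand-in for nn_exitmsg(). */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The format attribute lets gcc/clang -Wformat -Wformat-security flag any
 * caller that passes a non-literal format string with no arguments. */
__attribute__((format(printf, 3, 4)))
static int render_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);   /* formats into a buffer, never exits */
    va_end(ap);
    return n;
}

/* Hardened caller: the server line is only ever data for a constant "%s". */
static int report_server_error(char *out, size_t outlen, const char *line)
{
    /* Vulnerable pattern from the advisory: render_msg(out, outlen, line); */
    return render_msg(out, outlen, "%s", line);
}

/* Count printf conversion introducers in a server line ("%%" is a literal
 * percent sign). A non-zero count in an NNTP status line is worth logging. */
static int count_conversions(const char *line)
{
    int count = 0;
    for (const char *p = line; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }
        if (p[1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: the advisory's response, shell escapes removed. */
    const char *line = "100 AAAABBBB%10$x%11$x";
    char buf[128];
    report_server_error(buf, sizeof buf, line);
    printf("%s (conversions: %d)\n", buf, count_conversions(line));
    return 0;
}
```

With the hardened caller the line is printed byte for byte, so the specifiers appear on the terminal as text instead of being interpreted.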

Greets:
====================================================================

All @snosoft.com


