nn remote format string vulnerability
From: zillion (email@example.com)
Date: Thu, 4 Jul 2002 05:48:27 -0400 (EDT)
From: zillion <firstname.lastname@example.org>
To: <email@example.com>
Safemode.org security advisory: nn
Version: 6.6.3 or prior
Issue: Remote format string
The Unix newsreader nn is a popular command-line utility that can
be used to access NNTP servers. Unfortunately, this news client
insecurely uses server input as a format string when printing error
messages on the client's terminal.
Malicious server owners can use this vulnerability to execute code
on systems that connect to them with affected clients.
A server response such as this can be used to trigger this issue:
If such a response is received, the nn client will display the
The problem is that the following function is called as
nn_exitmsg(1, line) in the nntp.c file, which passes the server's
line as the format string:
void nn_exitmsg(int n, char *fmt,...)
The fix information:
The developer fixed this vulnerability in NN version 6.6.4, which can
be downloaded from here:
Additionally, this vulnerability was fixed some time ago in the
FreeBSD ports collection (around June 18).
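
The nn_exitmsg(1, line) call pattern described above, next to a call with a constant format. This is an added example, not code from nn or from the advisory. The helper names, the buffer-based stand-in for nn_exitmsg, the sample line and the "%s" correction are assumptions, since the advisory does not show the actual 6.6.4 change.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for nn_exitmsg(int n, char *fmt, ...): it formats
 * into a buffer instead of printing and exiting, so results can be checked. */
static int exitmsg_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Pattern from the advisory: the server's line is used as the format. */
static int report_unsafe(char *out, size_t outlen, const char *line)
{
    return exitmsg_fmt(out, outlen, line);
}

/* Assumed correction: constant format, the server's line is only data. */
static int report_safe(char *out, size_t outlen, const char *line)
{
    return exitmsg_fmt(out, outlen, "%s", line);
}

/* Constructed server line, not the response from the advisory. Its only
 * directive is "%%", which consumes no argument, so both calls are defined. */
static const char SAMPLE_LINE[] = "400 spool at 100%% of quota";

/* Returns 1 when the reported text equals the server's line byte for byte. */
static int preserved(int (*report)(char *, size_t, const char *))
{
    char buf[128];
    report(buf, sizeof buf, SAMPLE_LINE);
    return strcmp(buf, SAMPLE_LINE) == 0;
}

int main(void)
{
    printf("unsafe call preserved line: %d\n", preserved(report_unsafe));
    printf("safe call preserved line:   %d\n", preserved(report_safe));
    return 0;
}
```

Declaring such a wrapper with GCC/Clang's `__attribute__((format(printf, 3, 4)))` and building with `-Wformat -Wformat-security` makes the compiler flag the call in report_unsafe.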