TUCoPS :: Unix :: General
:: unix5512.htm
newsreader nn remote format string vulnerability
5th Jul 2002 [SBWID-5512]
COMMAND
newsreader nn remote format string vulnerability
SYSTEMS AFFECTED
nn 6.6.3 or prior
PROBLEM
In zillion [zillion@snosoft.com] Safemode.org security advisory :
Malicious server owners can use this vulnerability to execute code on
systems that are connected with affected clients.
A server response such as this can be used to trigger this issue:
100 AAAABBBB%10\\$x%11\\$x
If such a response is received, the nn client will display the
following:
100 AAAABBBB4141414142424242
The problem is that the following function is being called with
nn_exitmsg(1, line) in the nntp.c file
void nn_exitmsg(int n, char *fmt,...)
{
va_list ap;
va_start(ap, fmt);
vprintf(fmt, ap);
putchar(NL);
va_end(ap);
nn_exit(n);
/*NOTREACHED*/
}
SOLUTION
The developer fixed this vulnerability in NN version 6.6.4, which can
be downloaded from here:
http://www.nndev.org/