From: zillion (zillion snosoft.com)
Date: Thu Jul 04 2002 - 04:48:27 CDT
====================================================================
Safemode.org security advisory: nn
====================================================================
Package: nn
Version: 6.6.3 or prior
Date: 28/06/2002
Issue: Remote format string
Risk: High
Credits: zillion[at]safemode.org
http://www.safemode.org
The Unix newsreader nn is a popular command-line utility that can
be used to access NNTP servers. Unfortunately this news client
insecurely uses server input as a format string when printing error
messages on the client's terminal.
The impact:
====================================================================
Malicious server owners can use this vulnerability to execute code
on systems that are connected with affected clients.
Technical details:
====================================================================
A server response such as this can be used to trigger this issue:
100 AAAABBBB%10\$x%11\$x
If such a response is received, the nn client will display the
following:
100 AAAABBBB4141414142424242
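The problem is that the server's response line is passed as the format
argument: nntp.c calls nn_exitmsg(1, line), and the function is defined
as follows:
void nn_exitmsg(int n, char *fmt,...)
{
    va_list ap;
    va_start(ap, fmt);
    /* fmt is the server-supplied line when called as nn_exitmsg(1, line) */
    vprintf(fmt, ap);
    putchar(NL);
    va_end(ap);
    nn_exit(n);
    /*NOTREACHED*/
}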
The fix information:
====================================================================
The developer fixed this vulnerability in NN version 6.6.4, which can
be downloaded from here:
Additionally, this vulnerability was fixed some time ago in the
FreeBSD ports collection (around June 18).
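The usual remedy for this bug class is to pass server text as an argument to a constant "%s" format. The following is an added example, not code from nn or from the 6.6.4 patch (which this page does not show); exitmsg_format, report_server_line and count_conversions are hypothetical names, and the sample line is the response quoted above without its backslashes.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the server response quoted in the advisory. */
static const char SAMPLE_LINE[] = "100 AAAABBBB%10$x%11$x";

/* Hypothetical stand-in for nn_exitmsg(): formats into a buffer instead of
   printing and exiting, so the result can be inspected. The format attribute
   lets GCC/Clang warn about non-literal formats under -Wformat-security. */
__attribute__((format(printf, 3, 4)))
static int exitmsg_format(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Safe call pattern: server text is data, never the format string. */
static int report_server_line(char *out, size_t outlen, const char *line)
{
    return exitmsg_format(out, outlen, "%s", line);
}

/* Rough triage check for captured responses: count '%' directives
   ("%%" excluded) that would be interpreted if the line were a format. */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent sign */
        if (s[1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    report_server_line(buf, sizeof buf, SAMPLE_LINE);
    printf("%s (%d directives kept as text)\n", buf, count_conversions(SAMPLE_LINE));
    return 0;
}
```

With the "%s" call the directives in the response are printed verbatim instead of being expanded from the stack.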
Greets:
====================================================================
All
snosoft.com