SecurityTracker.com
Category:   Application (News)  >   nn
Vendors:   nndev.org
'nn' News Reader Format String Hole Lets Remote Malicious News Server Execute Arbitrary Code on the Client
SecurityTracker Alert ID:  1004708
SecurityTracker URL:  http://securitytracker.com/id/1004708
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 4 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6.6.3 and prior
Description:   A vulnerability was reported in the 'nn' news reader client software. A remote server may be able to cause arbitrary code to be executed on the client.

It is reported that the news client uses server-supplied input in a format string to print error messages on the client terminal.

A demonstration exploit server response is provided:

100 AAAABBBB%10\$x%11\$x

The vulnerability reportedly exists in an unsafe nn_exitmsg() call in the nntp.c file.

Impact:   A remote user with control of a news server can cause arbitrary code to be executed on the client when the client connects to the malicious news server.
Solution:   The vendor has released a fixed version (6.6.4), available at:

http://www.nndev.org/

According to the report, this vulnerability was also fixed recently in the FreeBSD ports collection.

Vendor URL:  nndev.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  nn remote format string vulnerability





====================================================================
               Safemode.org security advisory: nn
====================================================================


Package:  nn
Version:  6.6.3 or prior
Date:     28/06/2002
Issue:    Remote format string
Risk:     High
Credits:  zillion[at]safemode.org
          http://www.safemode.org

The Unix newsreader nn is a popular command-line utility that can
be used to access NNTP servers. Unfortunately this news client
insecurely uses server input in a format string to print error
messages on the client's terminal.


The impact:
====================================================================

Malicious server owners can use this vulnerability to execute code
on systems that are connected with affected clients.


Technical details:
====================================================================

A server response such as this can be used to trigger this issue:

100 AAAABBBB%10\$x%11\$x

If such a response is received,  the nn client will display the
following:

100 AAAABBBB4141414142424242

The problem is that the following function is being called with
nn_exitmsg(1, line) in the nntp.c file:

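#include <stdarg.h>
#include <stdio.h>

/* NL and nn_exit() are defined elsewhere in the nn source. */
void nn_exitmsg(int n, char *fmt,...)
{
    va_list     ap;

    va_start(ap, fmt);
    /* fmt is interpreted as a format string; with nn_exitmsg(1, line)
       the server-supplied line arrives here as fmt */
    vprintf(fmt, ap);
    putchar(NL);
    va_end(ap);

    nn_exit(n);
    /*NOTREACHED*/
}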



The fix information:
====================================================================

The developer fixed this vulnerability in NN version 6.6.4, which can
be downloaded from here:

http://www.nndev.org/

Additionally, this vulnerability was fixed some time ago in the
FreeBSD ports collection (around June 18).


Greets:
====================================================================

All @snosoft.com


 
 

