'nn' News Reader Format String Hole Lets Remote Malicious News Server Execute Arbitrary Code on the Client
SecurityTracker Alert ID: 1004708
SecurityTracker URL: http://securitytracker.com/id/1004708
Date: Jul 4 2002
Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 6.6.3 and prior
A vulnerability was reported in the 'nn' news reader client software. A remote server may be able to cause arbitrary code to be executed on the client.
It is reported that the news client uses server-supplied input in a format string to print error messages on the client terminal.
A demonstration exploit server response is provided:
The vulnerability reportedly exists in an unsafe nn_exitmsg() call in the nntp.c file.
A remote user with control of a news server can cause arbitrary code to be executed on the client when the client connects to the malicious news server.
The vendor has released a fixed version (6.6.4), available at:
According to the report, this vulnerability was also fixed recently in the FreeBSD ports collection.
Vendor URL: nndev.org/
Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: nn remote format string vulnerability
Safemode.org security advisory: nn
Version: 6.6.3 or prior
Issue: Remote format string
The Unix newsreader nn is a popular command-line utility that can
be used to access NNTP servers. Unfortunately this news client
insecurely uses server input in a format string to print error
messages on the client's terminal.
Malicious server owners can use this vulnerability to execute code
on systems that are connected with affected clients.
A server response such as this can be used to trigger this issue:
If such a response is received, the nn client will display the
The problem is that the following function is being called with
nn_exitmsg(1, line) in the nntp.c file
void nn_exitmsg(int n, char *fmt,...)
The fix information:
The developer fixed this vulnerability in NN version 6.6.4, which can
be downloaded from here:
Additionally, this vulnerability was fixed some time ago in the
FreeBSD ports collection (around June 18).
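
The nn_exitmsg(1, line) call pattern described above, next to the hardened form, as an added example that is not nn's source code and not part of the advisory. The names exitmsg_demo, report_unsafe, report_safe and count_conversions are hypothetical, and the server reply lines are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for nn_exitmsg(int n, char *fmt, ...): it formats
 * into a buffer instead of printing and exiting, so the result is visible. */
static char last_msg[256];
static void exitmsg_demo(int n, const char *fmt, ...)
{
    va_list ap;
    (void)n;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
}

/* Unsafe pattern from the advisory: the server's line IS the format string,
 * so every '%' in it is interpreted by the formatter. */
static const char *report_unsafe(const char *line)
{
    exitmsg_demo(1, line);
    return last_msg;
}

/* Hardened call: constant format, server text passed only as data. */
static const char *report_safe(const char *line)
{
    exitmsg_demo(1, "%s", line);
    return last_msg;
}

/* Counts conversions (a '%' not followed by '%') in an untrusted line. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') s++;      /* literal percent, skip the pair */
        else n++;
    }
    return n;
}

int main(void)
{
    const char *line = "400 spool 100%% full";   /* constructed server reply */
    printf("unsafe: %s\n", report_unsafe(line)); /* "%%" collapses to "%" */
    printf("safe:   %s\n", report_safe(line));   /* printed verbatim */
    return count_conversions(line);              /* 0: only a literal "%%" */
}
```

Declaring a printf-style wrapper with `__attribute__((format(printf, 2, 3)))` lets GCC and Clang report the unsafe call under `-Wformat-security` at build time.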