


Category:   Application (News)  >   nn Vendors:
'nn' News Reader Format String Hole Lets Remote Malicious News Server Execute Arbitrary Code on the Client
SecurityTracker Alert ID:  1004708
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 4 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6.6.3 and prior
Description:   A vulnerability was reported in the 'nn' news reader client software. A remote server may be able to cause arbitrary code to be executed on the client.

It is reported that the news client uses server-supplied input as a format string when printing error messages on the client terminal.

A demonstration exploit server response is provided:

100 AAAABBBB%10\$x%11\$x

The vulnerability reportedly exists in an unsafe nn_exitmsg() call in the nntp.c file.

Impact:   A remote user with control of a news server can cause arbitrary code to be executed on the client when the client connects to the malicious news server.
Solution:   The vendor has released a fixed version (6.6.4), available at:

According to the report, this vulnerability was also fixed recently in the FreeBSD ports collection.

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  nn remote format string vulnerability

      security advisory: nn

Package:  nn
Version:  6.6.3 or prior
Date:     28/06/2002
Issue:    Remote format string
Risk:     High
Credits:  zillion[at]

The Unix newsreader nn is a popular command-line utility that can
be used to access NNTP servers. Unfortunately this news client
insecurely uses server input in a format string to print error
messages on the client's terminal.

The impact:

Malicious server owners can use this vulnerability to execute code
on systems that are connected with affected clients.

Technical details:

A server response such as this can be used to trigger this issue:

100 AAAABBBB%10\$x%11\$x

If such a response is received,  the nn client will display the

100 AAAABBBB4141414142424242

The problem is that the following function is being called with
nn_exitmsg(1, line) in the nntp.c file

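void nn_exitmsg(int n, char *fmt,...)
{
    va_list     ap;

    va_start(ap, fmt);
    vprintf(fmt, ap);   /* fmt is the server's line when called as nn_exitmsg(1, line) */
    /* remainder of the function is not shown in the advisory */
}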


The fix information:

The developer fixed this vulnerability in NN version 6.6.4, which can
be downloaded from here:

Additionally, this vulnerability was fixed some time ago in the
FreeBSD ports collection (around June 18).
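
Added example, not part of the original advisory or the nn source: the safe call pattern for a variadic message routine of the kind shown above, plus a check that flags server lines carrying printf conversions. The names format_msg, report_server_line and has_format_directive are hypothetical, and the sample line is the advisory's demonstration response with the backslashes dropped (assumed to be shell escaping).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a variadic message routine like nn_exitmsg().
 * It formats into a buffer so the result can be checked. With GCC/Clang the
 * attribute lets -Wformat -Wformat-security flag a non-literal format. */
__attribute__((format(printf, 3, 4)))
static int format_msg(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Safe call pattern: the server line is data, never the format string.
 * The unsafe equivalent would be format_msg(out, len, line). */
int report_server_line(char *out, size_t len, const char *line)
{
    return format_msg(out, len, "%s", line);
}

/* Returns 1 if line holds a '%' that is not part of "%%", for logging
 * server responses that carry printf conversions. */
int has_format_directive(const char *line)
{
    const char *p;
    for (p = line; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] != '%')
            return 1;
        p++;            /* skip the second '%' of an escaped "%%" */
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the advisory's demonstration response, unescaped. */
    const char *line = "100 AAAABBBB%10$x%11$x";
    char buf[64];
    report_server_line(buf, sizeof buf, line);
    printf("%s (directive: %d)\n", buf, has_format_directive(line));
    return 0;
}
```

With the line passed as an argument to "%s", the conversions in it are printed literally instead of being interpreted.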



