5th Jun 2002 [SBWID-5407]
COMMAND
Slurp news retriever remote format string vulnerability
SYSTEMS AFFECTED
version 1.1.0
PROBLEM
zillion[at]safemode.org [http://www.snosoft.com] found the following.
Slurp is an advanced passive NNTP client for UNIX. It will connect to a
remote NNTP server and retrieve articles in a specified set of Usenet
newsgroups that have arrived after a particular date (typically the
last time it was invoked) for processing by your local news system or
forwarding on via UUCP to another news system. It replaces nntpxfer
from the NNTP 1.5.12 reference implementation and nntpget from the INN
distribution.
This application insecurely syslogs error messages retrieved from the
NNTP server to which it is connected. The responsible code that causes
this security issue:
log_doit (int sysflag, const char *fmt, va_list ap)
{
    ...snip snip...
#ifdef SYSLOG
    if (!debug_flag)
        /* buf holds text received from the NNTP server and is passed
           as the format string itself */
        syslog (LOG_ERR, buf);
    ...snip snip...
}
The FreeBSD port of this application was compiled with syslog and is
therefore affected. This format string can easily be triggered. To find
out whether you have a vulnerable slurp, connect it to this:
perl -e 'print "200 Hello brother \n666 %x%x%x\n"' | nc -l -p 119
Then check /var/log/messages for something like:
Jun 5 05:10:22 yada slurp[39926]: do_newnews: NNTP protocol error:
got '666 bfbff4f8804bc1bbfbff51c'
Impact
======
Malicious server owners can use this vulnerability to execute code on
affected systems.
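The syslog call quoted above hands server-controlled text to syslog as the format argument. The following C code is an added example, not slurp's own code and not a vendor patch: it shows the same logging path with a constant "%s" format, so the test line from this advisory is logged literally. The names log_doit_fixed, log_error and last_logged, the message format string, and the GCC/Clang format attributes are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOG_BUF 1024

/* Copy of the last text handed to syslog, kept so callers can inspect it. */
static char last_logged[LOG_BUF];

/* Hypothetical stand-in for slurp's log_doit(); only the syslog call differs.
 * The format attribute (GCC/Clang) lets the compiler check callers' formats. */
__attribute__((format(printf, 1, 0)))
static void log_doit_fixed(const char *fmt, va_list ap)
{
    char buf[LOG_BUF];

    /* Stage 1: fmt is a literal supplied by the program, so expanding it is
     * safe. Server text arrives only as a %s argument and is copied verbatim. */
    vsnprintf(buf, sizeof buf, fmt, ap);

    /* Stage 2: buf now contains server-controlled bytes.
     * Vulnerable form from the advisory:  syslog(LOG_ERR, buf);
     * Fixed form: constant format string, buf passed as data. */
    syslog(LOG_ERR, "%s", buf);

    snprintf(last_logged, sizeof last_logged, "%s", buf);
}

/* Hypothetical wrapper: logs an error and returns the text that was logged. */
__attribute__((format(printf, 1, 2)))
const char *log_error(const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    log_doit_fixed(fmt, ap);
    va_end(ap);
    return last_logged;
}

int main(void)
{
    /* Constructed sample: the second response line from the advisory's test. */
    const char *server_line = "666 %x%x%x";

    puts(log_error("do_newnews: NNTP protocol error: got '%s'", server_line));
    return 0;
}
```

With this form the log entry contains the characters %x%x%x themselves instead of the stack words shown in the /var/log/messages excerpt above.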
SOLUTION
Nothing yet.