COMMAND

    newsreader nn remote format string vulnerability

SYSTEMS AFFECTED

    nn 6.6.3 or prior

PROBLEM

    In zillion [zillion@snosoft.com] Safemode.org security advisory:

    Malicious server owners can use this vulnerability to execute code
    on systems that are connected with affected clients. A server
    response such as this can be used to trigger this issue:

        100 AAAABBBB%10$x%11$x

    If such a response is received, the nn client will display the
    following:

        100 AAAABBBB4141414142424242

    The problem is that the following function is called as
    nn_exitmsg(1, line) in the nntp.c file, so the line received from
    the server is used as the format string:

        void nn_exitmsg(int n, char *fmt,...)
        {
            va_list ap;

            va_start(ap, fmt);
            vprintf(fmt, ap);   /* fmt is interpreted as a printf format */
            putchar(NL);
            va_end(ap);

            nn_exit(n);
            /*NOTREACHED*/
        }

SOLUTION

    The developer fixed this vulnerability in NN version 6.6.4, which
    can be downloaded from here:

        http://www.nndev.org/
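The call pattern described above next to the usual correction, as an added example that is not nn source code and not the actual 6.6.4 patch. `format_msg`, `report_unsafe` and `report_safe` are hypothetical names; `format_msg` has the same varargs shape as `nn_exitmsg` but writes into a buffer instead of printing and exiting, so the result can be checked.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for nn_exitmsg(): same (fmt, ...) interface, but formats into
 * a caller-supplied buffer. Hypothetical helper, not taken from nn. */
static int format_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Pattern from the advisory: the server's line is passed as the format,
 * so any conversion specifier inside it is interpreted. */
int report_unsafe(char *out, size_t outlen, const char *line)
{
    return format_msg(out, outlen, line);
}

/* Corrected pattern: constant format string, server line passed as data. */
int report_safe(char *out, size_t outlen, const char *line)
{
    return format_msg(out, outlen, "%s", line);
}

int main(void)
{
    char buf[128];

    /* Constructed benign line: "%%" needs no argument, so the unsafe call
     * is well defined here and only shows that the line gets interpreted. */
    report_unsafe(buf, sizeof buf, "50%% done");
    printf("unsafe: %s\n", buf);

    /* Response quoted in the advisory, handled as data. */
    report_safe(buf, sizeof buf, "100 AAAABBBB%10$x%11$x");
    printf("safe:   %s\n", buf);
    return 0;
}
```

With the constant `"%s"` format the specifiers in the server's line are copied through verbatim instead of being expanded from the stack.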