Bugtraq mailing list archives

nn remote format string vulnerability


From: zillion <zillion () snosoft com>
Date: Thu, 4 Jul 2002 05:48:27 -0400 (EDT)




====================================================================
               Safemode.org security advisory: nn
====================================================================


Package:  nn
Version:  6.6.3 or prior
Date:     28/06/2002
Issue:    Remote format string
Risk:     High
Credits:  zillion[at]safemode.org
          http://www.safemode.org

The Unix newsreader nn is a popular command-line utility that can
be used to access NNTP servers. Unfortunately, this news client
insecurely uses server input as a format string when printing error
messages on the client's terminal.


The impact:
====================================================================

Malicious server owners can use this vulnerability to execute code
on systems that are connected with affected clients.


Technical details:
====================================================================

A server response such as this can be used to trigger this issue:

100 AAAABBBB%10\$x%11\$x

If such a response is received, the nn client will display the
following:

100 AAAABBBB4141414142424242

The problem is that the following function is called as
nn_exitmsg(1, line) in the nntp.c file, so the line received from the
server is used as the format string:

void nn_exitmsg(int n, char *fmt,...)
{
    va_list     ap;

    va_start(ap, fmt);
    vprintf(fmt, ap);
    putchar(NL);
    va_end(ap);

    nn_exit(n);
    /*NOTREACHED*/
}
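
The call pattern above next to the usual remedy, as an added example that is not code from nn or from the 6.6.4 patch: the server line is passed as data to a constant "%s" format. format_msg(), report_server_line() and count_format_directives() are hypothetical names, and the sample line is constructed after the response shown in this advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for nn_exitmsg(): same varargs shape, but it writes
 * into a buffer instead of printing and exiting. The attribute (a GCC/Clang
 * extension) lets -Wformat-security flag calls with a non-literal format. */
__attribute__((format(printf, 3, 4)))
static int format_msg(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern (shown only as a comment): format_msg(out, len, line);
 * Safe pattern: the server line is an argument to a constant format. */
int report_server_line(char *out, size_t len, const char *line)
{
    return format_msg(out, len, "%s", line);
}

/* Count conversion introducers in untrusted text; "%%" is a literal percent. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;
        else
            n++;
    }
    return n;
}

int main(void)
{
    const char *line = "100 AAAABBBB%10$x%11$x"; /* constructed sample */
    char buf[128];

    report_server_line(buf, sizeof buf, line);
    printf("%s (%d directives)\n", buf, count_format_directives(line));
    return 0;
}
```

With the constant format, the directives in the server line are printed literally instead of being interpreted.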



The fix information:
====================================================================

The developer fixed this vulnerability in NN version 6.6.4, which can
be downloaded from here:

http://www.nndev.org/

Additionally, this vulnerability was fixed some time ago in the
FreeBSD ports collection (around June 18).


Greets:
====================================================================

All @snosoft.com

