====================================================================
Safemode.org security advisory: nn
====================================================================

Package: nn
Version: 6.6.3 or prior
Date:    28/06/2002
Issue:   Remote format string
Risk:    High
Credits: zillion[at]safemode.org
         http://www.safemode.org

The Unix newsreader nn is a popular command-line utility that can be
used to access NNTP servers. Unfortunately, this news client
insecurely uses server input as a format string when printing error
messages on the client's terminal.

The impact:
====================================================================

Malicious server owners can use this vulnerability to execute code
on systems that are connected with affected clients.

Technical details:
====================================================================

A server response such as this can be used to trigger this issue:

    100 AAAABBBB%10\$x%11\$x

If such a response is received, the nn client will display the
following:

    100 AAAABBBB4141414142424242

The problem is that the following function is called as
nn_exitmsg(1, line) in the nntp.c file, so the line received from
the server is used as the format string:

    void nn_exitmsg(int n, char *fmt,...)
    {
        va_list     ap;

        va_start(ap, fmt);
        vprintf(fmt, ap);    /* fmt is interpreted as a format string */
        putchar(NL);
        va_end(ap);

        nn_exit(n);
        /*NOTREACHED*/
    }

The fix information:
====================================================================

The developer fixed this vulnerability in NN version 6.6.4, which
can be downloaded from here:

    http://www.nndev.org/

Additionally, this vulnerability was fixed some time ago in the
FreeBSD ports collection (around June 18).

Greets:
====================================================================

All @snosoft.com
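
The call pattern from "Technical details", next to the usual remedy of a constant "%s" format, as an added example (not code from nn or from this advisory; the 6.6.4 patch is not shown on this page, so the "%s" form is an assumption about the standard fix). exitmsg_to_buf, report_unsafe and report_safe are hypothetical names, and the "50%%" response is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for nn_exitmsg(): same (fmt, ...) contract, but it
 * formats into a caller buffer and returns, so the result can be inspected. */
static int exitmsg_to_buf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Flawed pattern, as in nn_exitmsg(1, line): the server line is the format. */
int report_unsafe(char *out, size_t outlen, const char *server_line)
{
    return exitmsg_to_buf(out, outlen, server_line);
}

/* Hardened pattern: constant format string, server line passed as data. */
int report_safe(char *out, size_t outlen, const char *server_line)
{
    return exitmsg_to_buf(out, outlen, "%s", server_line);
}

int main(void)
{
    /* Constructed response; "%%" consumes no argument, so formatting it
     * is well defined and still shows that the line is being interpreted. */
    const char *benign = "100 load 50%% done";
    /* Response from the advisory, sent through the hardened path only. */
    const char *advisory = "100 AAAABBBB%10$x%11$x";
    char buf[128];

    report_unsafe(buf, sizeof buf, benign);
    printf("unsafe: %s\n", buf);   /* "%%" collapsed to "%" */
    report_safe(buf, sizeof buf, benign);
    printf("safe:   %s\n", buf);   /* printed byte for byte */
    report_safe(buf, sizeof buf, advisory);
    printf("safe:   %s\n", buf);   /* directives stay inert text */
    return 0;
}
```

Declaring printf-style wrappers with the GCC/Clang format(printf, ...) function attribute and building with -Wformat -Wformat-security makes the compiler warn on calls that pass a non-literal format with no arguments.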