Software: Xnews Usenet newsreader
Versions affected: Xnews 5.04.25 (April 2002) and Xnews 2006.06.28 test build. All prior versions likely affected.
Developer: Luu Tran (xnews.newsguy.com, now defunct)
Status: Abandoned software; there is no vendor to notify, so this goes directly to public disclosure.
Vulnerability type: Stack-based buffer overflow via SEH overwrite
Attack vector: Remote, unauthenticated. Delivered via a crafted NNTP article posted to any newsgroup the victim subscribes to. No user interaction is required beyond the newsreader fetching group headers, which happens automatically on group refresh.
Root cause: The XOVER response parser (ParseXOVER) copies article header fields, specifically the References: and Subject: fields, into fixed-size buffers without bounds checking. The destination is a Delphi ShortString, whose capacity is fixed at 255 bytes. A field longer than that overruns the buffer and overwrites the SEH chain on the stack.
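As an added illustration of the failed bounds check (this is example code, not Xnews or ParseXOVER source), the following parser splits XOVER overview lines in the standard RFC 2980/3977 field order and reports any header field that would not fit in a 255-byte ShortString; a filtering proxy or monitor could use the same check to flag such articles before a vulnerable client fetches them. The sample response and all Message-IDs in it are constructed.

```python
"""Bounds-checked XOVER overview parser (added example, not Xnews code).
Field order is the standard NNTP overview layout (RFC 2980 / RFC 3977):
number, subject, from, date, message-id, references, bytes, lines."""

SHORTSTRING_MAX = 255  # capacity of a Delphi ShortString, in bytes
XOVER_FIELDS = ("number", "subject", "from", "date",
                "message-id", "references", "bytes", "lines")
HEADER_FIELDS = ("subject", "from", "date", "message-id", "references")


def parse_xover_line(line: bytes) -> dict:
    """Split one XOVER response line into its tab-separated fields.
    Optional trailing metadata fields are kept under 'extra'."""
    parts = line.rstrip(b"\r\n").split(b"\t")
    if len(parts) < len(XOVER_FIELDS):
        raise ValueError(f"malformed XOVER line: only {len(parts)} fields")
    record = dict(zip(XOVER_FIELDS, parts))
    record["extra"] = parts[len(XOVER_FIELDS):]
    return record


def oversized_fields(record: dict, limit: int = SHORTSTRING_MAX) -> list:
    """Names of header fields whose byte length exceeds the fixed buffer."""
    return [name for name in HEADER_FIELDS if len(record[name]) > limit]


def scan_xover(response: bytes, limit: int = SHORTSTRING_MAX) -> list:
    """Scan a full XOVER response (terminated by a lone '.' line) and return
    (article number, [oversized field names]) for each suspicious article."""
    findings = []
    for line in response.splitlines():
        if not line or line == b".":
            continue
        rec = parse_xover_line(line)
        bad = oversized_fields(rec, limit)
        if bad:
            findings.append((rec["number"].decode("ascii"), bad))
    return findings


# Constructed sample: one benign article and one whose References: field is
# padded with fake Message-IDs far past the 255-byte limit (16 * 26 + 15 = 431).
BENIGN = (b"1001\tHello\talice@example.invalid\t01 Jan 2024 00:00:00 GMT\t"
          b"<a1@example.invalid>\t<a0@example.invalid>\t512\t10")
LONG_REFS = b" ".join(b"<%08d@example.invalid>" % i for i in range(16))
OVERSIZED = (b"1002\tRe: Hello\tmallory@example.invalid\t01 Jan 2024 00:01:00 GMT\t"
             b"<b1@example.invalid>\t" + LONG_REFS + b"\t600\t12")
SAMPLE_RESPONSE = BENIGN + b"\r\n" + OVERSIZED + b"\r\n.\r\n"

if __name__ == "__main__":
    for number, fields in scan_xover(SAMPLE_RESPONSE):
        print(f"article {number}: fields over {SHORTSTRING_MAX} bytes: {fields}")
```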
Exploitability:
- No ASLR (fixed image base 0x10000)
- No DEP (stack is executable)
- No SafeSEH
- lstrcpyA (unbounded string copy) confirmed in import table
- 2725 POP/POP/RET gadgets identified at fixed addresses
- 55 JMP ESP gadgets identified at fixed addresses
- EIP control confirmed
Attack scenario: An attacker posts a single article to a newsgroup the victim reads. The References: header carries the overflow payload encoded as printable ASCII across fake Message-IDs. When the victim's Xnews fetches the group header list (XOVER), ParseXOVER processes the References: field, the buffer overflows, the SEH chain is overwritten, and shellcode executes — all before the user opens or selects any article.
CVSS 3.1 Base Score: 9.8 (Critical)
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Mitigation: Cease use of Xnews. No patch is available or expected.