
Remote attack Buffer Overflow: Xnews 5.04.25 (April 2002) and Xnews 2006.06.28 test build

Message metadata
From: Shelldon
Newsgroups: rb.alt.hackers, rb.comp.security
Subject: Remote attack Buffer Overflow: Xnews 5.04.25 (April 2002) and Xnews 2006.06.28 test build
Date: Sat, 04 Jul 2026 09:13:45 -0400
Message-ID: <1b05f961-442f-432b-837c-b1ce7a142f1c@rootbadger.com>
User-Agent: RootBadger Web
Lines: 28
X-System: RootBadger/1.0 (privacy-protected)

Software: Xnews Usenet newsreader
Versions affected: Xnews 5.04.25 (April 2002) and Xnews 2006.06.28 test build. All prior versions likely affected.
Developer: Luu Tran (xnews.newsguy.com — defunct)
Status: Abandoned software, no vendor to notify, proceed directly to public disclosure.

Vulnerability type: Stack-based buffer overflow via SEH overwrite
Attack vector: Remote, unauthenticated. Delivered via a crafted NNTP article posted to any newsgroup the victim subscribes to. No user interaction required beyond the newsreader fetching group headers (automatic on group refresh).

Root cause: The XOVER response parser (ParseXOVER) copies article header fields — specifically the References: and Subject: fields — into fixed-size buffers without bounds checking. The Delphi ShortString type used has a maximum of 255 bytes. Input exceeding this length overwrites the SEH chain on the stack.

Exploitability:

  • No ASLR (fixed image base 0x10000)
  • No DEP (stack is executable)
  • No SafeSEH
  • lstrcpyA (unbounded string copy) confirmed in import table
  • 2725 POP/POP/RET gadgets identified at fixed addresses
  • 55 JMP ESP gadgets identified at fixed addresses
  • EIP control confirmed

Attack scenario: An attacker posts a single article to a newsgroup the victim reads. The References: header carries the overflow payload encoded as printable ASCII across fake Message-IDs. When the victim's Xnews fetches the group header list (XOVER), ParseXOVER processes the References: field, the buffer overflows, the SEH chain is overwritten, and shellcode executes — all before the user opens or selects any article.

CVSS 3.1 Base Score: 9.8 Critical
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Mitigation: Cease use of Xnews. No patch is available or expected.
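A defender-side check for the condition the post describes (Subject: or References: fields in an XOVER response longer than the 255-byte Delphi ShortString limit), written as an added example and not code from the post or from Xnews. It assumes the RFC 2980 XOVER field order (number, subject, from, date, message-id, references, bytes, lines) and uses a constructed sample response; the field names and the 255-byte limit come from the post. Something like this can run on a proxy or server in front of a legacy reader to drop or alert on oversized overview entries before the client parses them.

```python
# Limit taken from the advisory: a Delphi ShortString holds at most 255 bytes.
SHORTSTRING_MAX = 255

# XOVER field order per RFC 2980 section 2.8 (tab-separated); any further
# fields (e.g. Xref:) are optional extras.
XOVER_FIELDS = ("number", "subject", "from", "date",
                "message-id", "references", "bytes", "lines")

# Fields the advisory names as copied into fixed-size buffers.
CHECKED_FIELDS = ("subject", "references")


def parse_xover_line(line):
    """Split one XOVER data line into a dict keyed by XOVER_FIELDS.
    Trailing optional fields are kept as a list under 'extra'."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < len(XOVER_FIELDS):
        raise ValueError("malformed XOVER line: %r" % line)
    rec = dict(zip(XOVER_FIELDS, parts[:len(XOVER_FIELDS)]))
    rec["extra"] = parts[len(XOVER_FIELDS):]
    return rec


def oversized_fields(rec, limit=SHORTSTRING_MAX):
    """Return the names of checked fields whose byte length exceeds `limit`."""
    return [f for f in CHECKED_FIELDS if len(rec[f].encode("utf-8")) > limit]


def scan_xover_response(text, limit=SHORTSTRING_MAX):
    """Scan a full XOVER response (224 status line, data lines, lone '.').
    Returns a list of (article_number, [oversized field names]) for every
    article whose Subject: or References: would not fit a ShortString."""
    findings = []
    for line in text.splitlines():
        if line == ".":            # end of multi-line response
            break
        if line.startswith("224"):  # status line precedes the overview data
            continue
        rec = parse_xover_line(line)
        bad = oversized_fields(rec, limit)
        if bad:
            findings.append((rec["number"], bad))
    return findings


# Constructed sample response (not captured traffic): article 101 is benign,
# article 102 carries a References: field of filler Message-IDs that is
# well past 255 bytes (20 ids of 24 bytes plus 19 spaces = 499 bytes).
LONG_REFS = " ".join("<ref%03d@example.invalid>" % i for i in range(20))
SAMPLE_XOVER = "\n".join([
    "224 Overview information follows",
    "\t".join(["101", "Re: test", "a@example.invalid",
               "Sat, 04 Jul 2026 09:13:45 -0400",
               "<one@example.invalid>", "<zero@example.invalid>", "1200", "20"]),
    "\t".join(["102", "Re: test", "b@example.invalid",
               "Sat, 04 Jul 2026 09:14:00 -0400",
               "<two@example.invalid>", LONG_REFS, "9000", "40"]),
    ".",
])

if __name__ == "__main__":
    for number, fields in scan_xover_response(SAMPLE_XOVER):
        print("article %s: oversized %s" % (number, ", ".join(fields)))
```

The check measures encoded bytes rather than characters, since the limit the post describes is a byte-sized buffer; a lower `limit` argument can be passed to be stricter than the ShortString bound if the deployment prefers to reject unusually long overview fields outright.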
