Support
Articles and Tutorials
Policy
FAQ
Glossary
Products
Sax2 NIDS
Sax2 Screenshots
Buy Now
White Papers
Awards
Download
Contact Us

Consulting:

Technical Support:

Sales:

General Information:

 
 

Format String
 

Abstract

Allowing an attacker to control a function's format string may result in a buffer overflow.

Description

Format string vulnerabilities occur when:

  1. Data enters the application from an untrusted source.
  2. The data is passed as the format string argument to a function like sprintf(), FormatMessageW(), or syslog().

Examples

Example 1

The following code copies a command line argument into a buffer using snprintf().

	int main(int argc, char **argv){
		char buf[128];
		...
		snprintf(buf,128,argv[1]);
	}

This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.

Example 2

Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:

	printf("%d %d %1$d %1$d\n", 5, 9);

This code produces the following output:

	5 9 5 5

It is also possible to use half-writes (%hn) to accurately control arbitrary DWORDS in memory, which greatly reduces the complexity needed to execute an attack that would otherwise require four staggered writes, such as the one mentioned in Example 1.

Example 3

Simple format string vulnerabilities often result from seemingly innocuous shortcuts. The use of some such shortcuts is so ingrained that programmers might not even realize that the function they are using expects a format string argument.

For example, the syslog() function is sometimes used as follows:

	...
	syslog(LOG_ERR, cmdBuf);
	...

Because the second parameter to syslog() is a format string, any formatting directives included in cmdBuf are interpreted as described in Example 1.

The following code shows a correct usage of syslog():

	...
	syslog(LOG_ERR, "%s", cmdBuf);
	...