Format String

From Guidance Share


Description

Format string problems occur when a user can influence, or entirely supply, the format string passed to the printf-style family of C/C++ functions. Because the function interprets that string to decide how many arguments to read from the stack and how to write them, attacker-chosen conversion specifiers turn a simple print into memory reads and writes.

Applies To

  • Language: C, C++, Assembly
  • Platform: Any

Example

The following example is exploitable because printWrapper() passes its argument to printf() as the format string. Note: the stack buffer was added to make exploitation simpler.

```c
#include <stdio.h>
#include <string.h>   /* memcpy() */

/* Vulnerable: the caller-supplied string is used as the format string,
 * so any conversion specifiers it contains are interpreted by printf(). */
void printWrapper(char *string) {
    printf(string);
}

int main(int argc, char **argv) {
    char buf[5012];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    /* Copies a fixed 5012 bytes regardless of the argument's real length;
     * this stack buffer exists only to simplify exploitation. */
    memcpy(buf, argv[1], 5012);
    printWrapper(argv[1]);
    return 0;
}
```

Impact

  • Confidentiality: Format string problems allow information disclosure (stack contents, pointers, canaries) which can severely simplify exploitation of the program.
  • Access Control: Format string problems can result in the execution of arbitrary code.

Vulnerabilities

  • Unchecked use of the %n conversion specifier in a format string
  • Unvalidated user input used in one of the printf family of functions without a predetermined format string

Countermeasures

  • Requirements specification: Choose a language which is not subject to this flaw.
  • Implementation: Ensure that every format string function is passed a constant format string which cannot be controlled by the user, and that the proper number of arguments is always passed for that format. If at all possible, do not use the %n specifier in format strings.
  • Build: Heed the warnings of compilers and linkers, since they may alert you to improper usage.
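The implementation and build countermeasures above, shown together as an added example that is not part of the original page: a hardened replacement for printWrapper() that keeps the format string constant, a helper that counts conversion directives in untrusted text (useful for logging or rejecting input that legacy code would otherwise feed to printf), and a logging wrapper annotated so GCC/Clang's -Wformat-security warns when a non-literal format is passed. Function names are chosen here and are not from the page.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Hardened replacement for printWrapper(): the format string is a literal
 * under the program's control, and the untrusted text is only ever the
 * argument of a fixed "%s" conversion. Writes into out and returns the
 * number of characters that would have been written (snprintf semantics). */
int safe_format(char *out, size_t outlen, const char *untrusted) {
    return snprintf(out, outlen, "%s", untrusted);
}

/* Count conversion directives in a string ('%' not escaped as "%%").
 * A non-zero result for data that is about to reach a printf-style
 * function as its format is a strong signal of a format string problem. */
size_t count_directives(const char *s) {
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;          /* "%%" is a literal percent sign */
        else
            n++;
    }
    return n;
}

/* Logging wrapper with a format attribute: with -Wformat -Wformat-security
 * the compiler warns on log_msg(user_input) because the format argument is
 * not a string literal, which is the "Build" countermeasure in practice. */
#if defined(__GNUC__) || defined(__clang__)
__attribute__((format(printf, 1, 2)))
#endif
void log_msg(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
}

int main(int argc, char **argv) {
    char out[256];
    /* Constructed sample input containing directives an attacker would use. */
    const char *input = argc > 1 ? argv[1] : "%x %x %n";
    safe_format(out, sizeof out, input);
    puts(out);                               /* printed literally, unexpanded */
    log_msg("directives in input: %zu\n", count_directives(input));
    return 0;
}
```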

Vulnerability Patterns

How Tos