Format string attack

From Wikipedia, the free encyclopedia

Format string attacks are a class of software vulnerability discovered around 1999, previously thought harmless. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write back the number of bytes formatted to the same argument to printf(), assuming that the corresponding argument exists, and is of type int * .

This is a common vulnerability due to the fact that format bugs were previously thought harmless and resulted in vulnerabilities in many common tools. MITRE's CVE project list roughly 150 vulnerable programs.

Format string bugs most commonly appear when a programmer wishes to print a string containing user supplied data. The programmer may mistakenly write printf(buffer) instead of printf("%s", buffer). The first version interprets buffer as a format string, and parses any formatting instructions it may contain. The second version simply prints a string to the screen, as the programmer intended.

Format bugs arise because C's argument passing conventions are not type-safe. In particular, the varargs mechanism allows functions to accept any number of arguments (e.g. printf) by "popping" as many arguments off the call stack as they wish, trusting the early arguments to indicate how many additional arguments are to be popped, and of what types.

Format bugs were first noted in 1990 in the fuzz testing work done at the University of Wisconsin (see Miller, Fredriksen, So 1990). They called these bugs "interaction effects" and noted their presence when testing the C shell (csh).

The use of format string bugs as an attack vector was discovered by Tymm Twillman during a security audit of the ProFTPD daemon. The audit uncovered an snprintf directly passed user-generated data without a format string. Extensive tests with contrived arguments to printf-style functions showed that use of this for privilege escalation was actually possible. This led to the first posting in September 1999 on the BugTraq mailing list regarding this class of vulnerabilities, including a basic exploit.^[1] It was still several months, however, before the security community became aware of the full dangers of format string vulnerabilities as exploits for other software using this method began to surface.

1 See also
2 References
3 Footnotes
4 External links

[edit] See also

[edit] References

Robert C. Seacord: Secure Coding in C and C++. Addison Wesley, September, 2005. ISBN 0-321-33572-4
Tobias Klein: Buffer Overflows und Format-String-Schwachstellen, Dpunkt Verlag, ISBN 3-89864-192-9.
Crispin Cowan: Software Security for Open-Source Systems, Published by the IEEE Computer Society, IEEE SECURITY & PRIVACY, JANUARY/FEBRUARY 2003, http://computer.org/security
Barton Miller, Lars Fredriksen, Bryan So: An Empirical Study of the Reliability of UNIX Utilities, Communications of the ACM, vol. 33, no. 12 (December 1990). Also appears (in German translation) as Fatale Fehlerträchtigkeit: Eine empirische Studie zur Zuverlässigkeit von UNIX-Utilities, iX, March 1991. http://www.cs.wisc.edu/~bart/fuzz/
Crispin Cowan: FormatGuard: Automatic Protection From printf Format String Vulnerabilities, Proceedings of the 10th USENIX Security Symposium, August 2001. http://www.usenix.com/events/sec01/full_papers/cowanbarringer/cowanbarringer.pdf