• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • Stop wasting time looking for files and revisions. Connect your Gmail, DriveDropbox, and Slack accounts and in less than 2 minutes, Dokkio will automatically organize all your file attachments. Learn more and claim your free account.

View
 

Format String

Page history last edited by Robert Auger 10 years, 9 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-6

 

 

Format String Attack

Format String Attacks alter the flow of an application by using string formatting library features to access other memory space. Vulnerabilities occur when user-supplied data are used directly as formatting string input for certain C/C++ functions (e.g. fprintf, printf, sprintf, setproctitle, syslog, ...).

If an attacker passes a format string consisting of printf conversion characters (e.g. "%f", "%p", "%n", etc.) as a parameter value to the web application, they may:

  • Execute arbitrary code on the server
  • Read values off the stack
  • Cause segmentation faults / software crashes

 

Format String attacks are related to other attacks in the Threat Classification: Buffer Overflows and Integer Overflows. All three are based in their ability to manipulate memory or its interpretation in a way that contributes to an attacker's goal.

 

 

Example

Let's assume that a web application has a parameter emailAddress, dictated by the user. The application prints the value of this variable by using the printf function:

 

     printf(emailAddress);

 

If the value sent to the emailAddress parameter contains conversion characters, printf will parse the conversion characters and use the additionally supplied corresponding arguments. If no such arguments actually exist, data from the stack will be used in accordance with the order expected by the printf function.

 

The possible uses of the Format String Attacks in such a case can be:

  • Read data from the stack:

 

If the output stream of the printf function is presented back to the attacker, he may read values on the stack by sending the conversion character "%x" (one or more times).

  • Read character strings from the process' memory:

 

If the output stream of the printf function is presented back to the attacker, he can read character strings at arbitrary memory locations by using the "%s" conversion character (and other conversion characters in order to reach specific locations).

  • Write an integer to locations in the process' memory:

 

By using the "%n" conversion character, an attacker may write an integer value to any location in memory. (e.g. overwrite important program flags that control access privileges, or overwrite return addresses on the stack, etc.)

 

 

References

"Analysis of format string bugs", By Andreas Thuemmel

[1] http://www.cs.cornell.edu/Courses/cs513/2005fa/paper.format-bug-analysis.pdf

 

"Format String Attacks", by Tim Newsham

[2] http://www.thenewsh.com/~newsham/format-string-attacks.pdf

 

"Exploiting Format String Vulnerabilities", By scut

[3] http://julianor.tripod.com/bc/formatstring-1.2.pdf

 

"Exploit for proftpd 1.2.0pre6"

[4] http://archives.neohapsis.com/archives/bugtraq/1999-q3/1009.html

 

"Format string input validation error in wu-ftpd site_exec() function"

[5] http://www.kb.cert.org/vuls/id/29823

 

Format string attack, Wikipedia

[6] http://en.wikipedia.org/wiki/Format_string_vulnerabilities

 

CWE-134: Uncontrolled Format String

[7] http://cwe.mitre.org/data/definitions/134.html

 

CAPEC-67: String Format Overflow in sys log()

[8] http://capec.mitre.org/data/definitions/67.html

 

WHID: Format String Attack

[9] http://whid.webappsec.org/whid-list/Format+String+Attack

Comments (0)

You don't have permission to comment on this page.