format string vulnerability

Work in Progress

Summary

Premise

  • program passes a user-supplied string directly as the format argument of a printf-family function
  • e.g. printf(buf) instead of printf("%s", buf)

Attack

  • attacker crafts input containing format specifiers (%p, %x, %s, %n)
  • %x/%p read the next "argument" slots and so leak stack contents (argument registers first on x86-64); %s treats the slot as a char pointer and dumps memory from there, or crashes if it is not a valid address
  • %n writes the number of bytes printed so far into the int pointed to by its matching argument; when that "argument" is an attacker-placed pointer it becomes an arbitrary write, and width padding such as %100x controls the value written
  • %i$x (e.g. %7$x) selects the i-th argument directly, so one specifier can target a chosen slot instead of walking there with a chain of %x

%p is usually preferred over %x: %x formats an unsigned int (4 bytes) and so shows only the low half of an 8-byte slot on 64-bit targets, while %p prints the full pointer-sized value with a 0x prefix, which makes leaked addresses easy to spot.

Attacker’s goals

  • read sensitive memory (stack contents, pointers, canaries) -> confidentiality
  • crash program (e.g. %s on a slot that is not a valid pointer) -> availability
  • overwrite variables, return addresses or GOT entries via %n -> integrity, up to code execution

Defense

  • never use untrusted input as the format string: printf("hello world") or printf("%s", buf), not printf(buf)
  • use safer IO wrappers (puts/fputs for plain strings) or languages whose formatting functions do not interpret the data being printed
  • static code analysis and compiler warnings: build with -Wformat -Wformat-security (and -Werror=format-security so a non-literal format without arguments fails the build); glibc's _FORTIFY_SOURCE additionally aborts when %n appears in a writable format string
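The pieces listed under Attack and Defense side by side, as an added example that is not part of the original notes: the vulnerable sink next to its hardened form, the legitimate semantics of %n and of positional arguments that an attacker abuses, and a small pre-check for conversion specifiers in untrusted input. The function names and the contains_format_specifier() guard are this example's own assumptions, not a library API.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original notes. Function names and the
 * contains_format_specifier() pre-check are this example's own assumptions. */

/* Vulnerable pattern: the untrusted message IS the format string.
 * The pragma only silences -Wformat-security so this deliberately bad line
 * still compiles where that warning is treated as an error. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void log_vulnerable(const char *msg) {
    printf(msg);   /* "%p %p %n" inside msg would be interpreted here */
}
#pragma GCC diagnostic pop

/* Hardened pattern: the format is a literal and msg is passed as data. */
void log_safe(const char *msg) {
    printf("%s\n", msg);
}

/* What %n really does: it stores the number of bytes emitted so far into
 * the int pointed to by its matching argument. Here we supply that pointer
 * ourselves; in an attack the "pointer" is whatever stack slot the %n lines
 * up with, so the write lands at an attacker-chosen address. */
int bytes_written_before_n(const char *prefix) {
    int count = -1;
    char sink[256];
    snprintf(sink, sizeof sink, "%s%n", prefix, &count);
    return count;
}

/* Positional arguments: %i$x names the i-th argument directly, so the order
 * in the format string need not match the order of the arguments. */
int positional_demo(char *out, size_t cap) {
    return snprintf(out, cap, "%2$x %1$x", 0x11u, 0x22u);   /* writes "22 11" */
}

/* Input pre-check (assumed, not a library function): returns 1 if s holds a
 * conversion specifier, i.e. a '%' that is not escaped as "%%". Usable as a
 * detection rule over log input or as a guard in front of a legacy sink. */
int contains_format_specifier(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is just a literal percent */
        return 1;
    }
    return 0;
}

int main(void) {
    char out[32];
    const char *attacker = "%p %p %p %n";   /* constructed sample input */
    log_safe(attacker);                     /* prints the text unchanged */
    positional_demo(out, sizeof out);
    printf("positional: %s\n", out);
    printf("%%n saw %d bytes\n", bytes_written_before_n("hello"));
    printf("suspicious input? %d\n", contains_format_specifier(attacker));
    return 0;
}
```

log_vulnerable() is kept only for contrast and is never called with the attacker string: once msg contains '%' its behaviour is undefined, which is exactly the bug. The pre-check is a defence-in-depth signal, not a substitute for the literal format in log_safe(); "%%" is accepted because a printf that receives it as data prints it verbatim anyway.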

Concept

Format string vulnerability

  • exploits an implementation bug: printf is variadic, so it has no way to check how many arguments the caller actually passed
  • when the format names more parameters than were provided, printf keeps reading from wherever the next argument would have been (argument registers, then the caller's stack on x86-64; the stack on x86-32)

```c
#include <stdio.h>

int main(void) {
    int val = 1205;
    printf("%x %x\n", val, val);   // every specifier has a matching argument
    // out: 4b5 4b5
    return 0;
}
```

Stack layout for the call above, with all arguments passed on the stack (the x86-32 convention used in the original sketch):

```
  higher addresses
  ...
  val = 1205            parameter 3
  val = 1205            parameter 2
  "%x %x"               parameter 1 (format string)
  return address
  saved frame pointer   <- $rbp
  local variables       <- $rsp
  lower addresses
```

```c
#include <stdio.h>

int main(void) {
    int val = 1205;
    printf("%x %x\n", val);        // insufficient parameters: the second %x has no argument
    // out: 4b5 5659b000           (second value is whatever sits in the parameter-3 slot)
    return 0;
}
```

```
  higher addresses
  ...
  (stale data)          parameter 3 slot: never written by the caller, read by the second %x
  val = 1205            parameter 2
  "%x %x"               parameter 1 (format string)
  return address
  saved frame pointer   <- $rbp
  local variables       <- $rsp
  lower addresses
```

Testing

  • security testing to discover potential attacks
  • white-box - tester has access to source code
  • black-box - tester doesn’t have access to source code
  • grey-box - combination of both
  • fuzzing -> feed malformed or unexpected inputs (for a format string bug: strings full of %x, %p or %n) and watch for leaks or crashes
  • undocumented access points (easter eggs)
    • hidden backdoor for testing
    • may mistakenly remain in the final production program
    • becomes a backdoor for attackers
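The fuzzing bullet above in practice, as an added example that is not part of the original notes: a black-box probe for a suspected format-string sink sends a 4-byte marker followed by numbered %p specifiers, then scans the echoed values for the marker's bytes to learn which argument index lines up with the input buffer (the index you would later aim %n at). build_probe() and find_marker_index() are this example's own names, and the response line is constructed, not captured from a real target.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added example for the fuzzing bullet; not from the original notes.
 * build_probe/find_marker_index are this example's own names. */

#define MARKER "AAAA"   /* reads back as 0x41414141 in the low 32 bits */

/* Build "AAAA %1$p %2$p ... %n$p" into out. Returns its length, or -1 if cap
 * is too small (a truncated probe would mis-align the indices). */
int build_probe(char *out, size_t cap, int n) {
    int w = snprintf(out, cap, "%s", MARKER);
    if (w < 0 || (size_t)w >= cap) return -1;
    size_t used = (size_t)w;
    for (int i = 1; i <= n; i++) {
        w = snprintf(out + used, cap - used, " %%%d$p", i);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w;
    }
    return (int)used;
}

/* Parse one captured response line ("AAAA 0x... (nil) 0x...") and return the
 * 1-based index of the first leaked value whose low 32 bits are 0x41414141,
 * or 0 if the marker was not found. Tokens that are not hex (glibc prints
 * "(nil)" for a NULL pointer) still consume an index. */
int find_marker_index(const char *response) {
    char buf[512];
    snprintf(buf, sizeof buf, "%s", response);
    int idx = 0;
    char *tok = strtok(buf, " \t\r\n");
    if (tok == NULL) return 0;            /* empty line */
    /* the first token is the echoed marker text, not a leaked argument */
    while ((tok = strtok(NULL, " \t\r\n")) != NULL) {
        idx++;
        if (strncmp(tok, "0x", 2) != 0) continue;
        unsigned long long v = strtoull(tok, NULL, 16);
        if ((v & 0xffffffffULL) == 0x41414141ULL) return idx;
    }
    return 0;
}

int main(void) {
    char probe[128];
    build_probe(probe, sizeof probe, 8);
    printf("send: %s\n", probe);
    /* Constructed response, as an x86-64 target might echo it: the first five
     * indices come from the argument registers, the buffer shows up at %6$p,
     * where "AAAA %1$p" is read as one little-endian 8-byte word. */
    const char *response =
        "AAAA 0x7ffc1a2b3c40 (nil) 0x5655a1e0 0x1 0x7f1a2b3c4d50 0x2431252041414141";
    printf("input buffer is argument #%d\n", find_marker_index(response));
    return 0;
}
```

Matching only the low 32 bits makes the same check work on x86-32, where the slot reads back as exactly 0x41414141, and on x86-64, where the marker shares an 8-byte word with the start of the format text. On x86-64, %1$p to %5$p read rsi, rdx, rcx, r8 and r9, and %6$p is the first stack slot, so the marker normally appears at index 6 or higher; if it never appears, the buffer may be in a register-saved area the probe cannot reach or the sink may not be a format string bug at all.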

Application