→Prevention: added compilers to describe that paragraph only describes compilers prevention methods
→Details: added <ref name="team_teso">http://julianor.tripod.com/bc/formatstring-1.2.pdf</ref>
==Details==
A typical exploit uses a combination of these techniques to take control of the [[instruction pointer]] (IP) of a process<ref name="team_teso">http://julianor.tripod.com/bc/formatstring-1.2.pdf</ref>, for example by forcing a program to overwrite the address of a library function or the return address on the stack with a pointer to some malicious [[shellcode]]. The padding parameters of format specifiers are used to control the number of bytes output, and the <code>%x</code> token is used to pop bytes from the stack until the beginning of the format string itself is reached. The start of the format string is crafted to contain the address that the <code>%n</code> format token then overwrites with the address of the malicious code to execute.
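The vulnerable pattern described above beside its fixed form, together with a small scanner that flags <code>%n</code> and other conversion directives in untrusted input, as an added illustration that is not part of the article or its cited sources; the function names are hypothetical:

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Vulnerable form: untrusted input is used directly as the format string,
 * so any %x or %n inside 'msg' is interpreted by printf (stack reads, and
 * with %n a write). Shown for contrast only; not called by the checks below. */
static void log_message_vulnerable(const char *msg) {
    printf(msg);   /* compilers with -Wformat-security warn on this line */
}

/* Fixed form: a constant format string; the input is only ever a %s argument. */
static void log_message_fixed(const char *msg) {
    printf("%s", msg);
}

/* Detection aid: count printf conversion directives in 's' (a '%' that is
 * not the literal "%%"). If 'has_n' is non-NULL it is set when a %n write
 * directive is present. Useful as input validation or as a log-scanning rule
 * for data that may reach a format function. */
int count_format_directives(const char *s, bool *has_n) {
    int count = 0;
    if (has_n) *has_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent sign */
        count++;
        /* skip flags, width, precision, positional '$' and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt$", *q)) q++;
        if (*q == 'n' && has_n) *has_n = true;
        if (*q) p = q;                         /* resume after the conversion char */
    }
    return count;
}

/* Convenience wrapper: true if 's' contains a %n directive. */
bool contains_percent_n(const char *s) {
    bool has_n = false;
    count_format_directives(s, &has_n);
    return has_n;
}
```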
This is a common vulnerability because format bugs were previously thought harmless and resulted in vulnerabilities in many common tools. [[Mitre Corporation|MITRE's]] CVE project lists roughly 500 vulnerable programs as of June 2007, and a trend analysis ranks it the 9th most-reported vulnerability type between 2001 and 2006.<ref>{{cite web|url=http://cwe.mitre.org/documents/vuln-trends/index.html |title=Vulnerability Type Distributions in CVE |date=May 22, 2007}}</ref>