Uncontrolled format string: Difference between revisions

m History: Skip redirect in piped link.
m Reverted edit by 2402:8100:27A0:F555:D411:D1FF:FE3B:1F32 (talk) to last version by InternetArchiveBot
 
{{Short description|Type of software vulnerability}}
{{Use dmy dates|date=August 2019|cs1-dates=y}}
'''Uncontrolled format string''' is a type of [[code injection]] [[software vulnerability|vulnerability]] discovered around 1989 that can be used in [[security exploit]]s.<ref name="CWE134"/> Originally thought harmless, format string exploits can be used to [[Crash (computing)|crash]] a program or to execute harmful code. The problem stems from the use of [[unchecked user input]] as the [[format string]] parameter in certain [[C (programming language)|C]] functions that perform formatting, such as <code>[[Printf|printf()]]</code>. A malicious user may use the <code>%s</code> and <code>%x</code> format tokens, among others, to print data from the [[call stack]] or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the <code>%n</code> format token, which commands <code>printf()</code> and similar functions to write the number of bytes formatted to an address stored on the stack.
 
==Details==
== Detection ==
 
Contrary to many other security issues, the root cause of format string vulnerabilities is relatively easy to detect in x86-compiled executables: for <code>printf</code>-family functions, proper use implies a separate argument for the format string and the arguments to be formatted. Faulty uses of such functions can be spotted by simply counting the number of arguments passed to the function; an "argument deficiency"<ref name="team_teso"/> is then a strong indicator that the function was misused.
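To make the two patterns concrete, here is an added C example (not code from the article): the vulnerable call next to its fixed form, plus a small source-level check modelled on the "argument deficiency" heuristic described above. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: untrusted text is used as the format string itself,
 * so any %x, %s or %n it contains is interpreted by snprintf.
 * GCC's -Wformat-security flags this call because the format is not a
 * literal and no further arguments are passed. */
int greet_vulnerable(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);
}

/* Hardened form: the format is a fixed literal and the untrusted text is
 * passed as an argument, so it is copied verbatim and never interpreted. */
int greet_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Count conversion specifications in a format string. "%%" is a literal
 * percent sign, not a conversion, and is skipped. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: consume both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Argument-deficiency check: returns 1 when the format would consume more
 * arguments than the call supplies, the indicator the text describes. */
int has_argument_deficiency(const char *fmt, int supplied_args)
{
    return count_conversions(fmt) > supplied_args;
}
```

Only the hardened function is exercised with format tokens; feeding them to the vulnerable one is undefined behaviour, which is the point of the fix.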
 
=== Detection in x86-compiled binaries ===
{{reflist|refs=
<ref name="CWE134">{{cite web |work=[[Common Weakness Enumeration]] |publisher=[[MITRE]] |title=CWE-134: Uncontrolled Format String |url=http://cwe.mitre.org/data/definitions/134.html |date=2010-12-13 |access-date=2011-03-05}}</ref>
<ref name="team_teso">{{Cite web |date=September 1, 2001 |title=Exploiting Format String Vulnerabilities |url=http://julianor.tripod.com/bc/formatstring-1.2.pdf |website=julianor.tripod.com}}{{Bare URL PDF|date=March 2022}}</ref>
<ref name="Trends">{{cite web |url=http://cwe.mitre.org/documents/vuln-trends/index.html |title=Vulnerability Type Distributions in CVE |date=2007-05-22}}</ref>
<ref name="bugtrag_perl">[http://seclists.org/bugtraq/2005/Dec/0030.html Bugtraq: Format String Vulnerabilities in Perl Programs]</ref>
<ref name="Miller_1990">{{cite journal |url=https://ftp.cs.wisc.edu/paradyn/technical_papers/fuzz.pdf |title=An Empirical Study of the Reliability of UNIX Utilities |author-first1=Barton P. |author-last1=Miller |author-first2=Lars |author-last2=Fredriksen |author-first3=Bryan |author-last3=So |journal=[[Communications of the ACM]] |volume=33 |number=12 |date=December 1990 |orig-year=1989 |doi=10.1145/96267.96279 |pages=32–44 |s2cid=14313707 |access-date=2021-10-11 |archive-date=2018-02-07 |archive-url=https://web.archive.org/web/20180207130148/https://ftp.cs.wisc.edu/paradyn/technical_papers/fuzz.pdf |url-status=dead }}</ref>
<ref name="Tymm_proftpd">[http://seclists.org/bugtraq/1999/Sep/0328.html Bugtraq: Exploit for proftpd 1.2.0pre6]</ref>
<ref name="Frasunek_2000">[https://marc.info/?l=bugtraq&m=96179429114160&w=2 'WUFTPD 2.6.0 remote root exploit' - MARC], June 2000 by [[Przemysław Frasunek]]</ref>
* [http://www.cert.org/secure-coding CERT Secure Coding Initiative]
* [https://web.archive.org/web/20040403234032/http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string Known vulnerabilities] at MITRE's CVE project.
* [https://cansecwest.com/csw08/csw08-holtmann.pdf Secure Programming with GCC and GLibc] {{Webarchive|url=https://web.archive.org/web/20081121103054/https://cansecwest.com/csw08/csw08-holtmann.pdf |date=2008-11-21 }} (2008), by Marcel Holtmann
 
{{DEFAULTSORT:Format String Attack}}