Uncontrolled format string: Difference between revisions

Someone42 (talk | contribs)
grammar, made it clear that argument was not necessary for %n
Format string attacks are a new class of [[Exploit_(computer_science)|vulnerabilities]] discovered in June 2000 by [[Przemysław Frasunek]] and [[tf8]]; until then, format string bugs were thought to be harmless. The first exploit to use the new technique allowed an attacker to gain remote root privileges on [[wu-ftpd]] 2.6.0. Format string attacks can be used to [[Crash_(computing)|crash]] a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain [[C_programming_language|C]] functions that perform formatting, such as <code>[[Printf|printf()]]</code>. A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands <code>printf()</code> and similar functions to write back the number of bytes formatted so far to an argument of [[Datatype|type]] int *. The program does not have to pass any such argument: by manipulating the stack with spurious format tokens, the attacker can fake this argument as part of the format string itself.
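The following C program is an added example, not code from the article or from wu-ftpd. It shows, with a legitimately supplied <code>int *</code>, what %n actually stores; it shows the vulnerable shape (untrusted text passed as the format string) next to the fix (a fixed <code>"%s"</code> format, under which the same text is copied literally); and it adds a small pre-check that flags conversion directives in untrusted input. The function names, the buffer sizes and the sample strings are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* What %n does when printf() is given a real int * argument.
 * The pointer is passed legitimately here, so the behaviour is well
 * defined: %n stores the number of characters produced so far. */
int demo_percent_n(void)
{
    char out[64];
    int count = -1;
    /* "AAAA" is 4 characters, so %n writes 4 into count. */
    snprintf(out, sizeof out, "AAAA%n", &count);
    return count; /* 4 */
}

/* Vulnerable shape, as described in the article: user_text becomes the
 * format string, so any %x, %s or %n it contains is obeyed even though
 * no matching arguments were passed. With benign input it behaves
 * exactly like the safe version below, which is why the bug is easy
 * to miss. Never call this with attacker-controlled data. */
int log_line_vulnerable(char *dst, size_t dstlen, const char *user_text)
{
    return snprintf(dst, dstlen, user_text);
}

/* Fix: the format string is a constant and the untrusted text is an
 * ordinary %s argument. A "%n" inside user_text is now just five
 * bytes of data and is copied to dst unchanged. */
int log_line_safe(char *dst, size_t dstlen, const char *user_text)
{
    return snprintf(dst, dstlen, "%s", user_text);
}

/* Defensive pre-check (hypothetical helper): returns 1 if the text
 * contains a conversion directive. "%%" is a literal percent sign and
 * is skipped; a trailing lone '%' is treated as a directive. This is
 * useful for rejecting or alerting on input at a trust boundary, but
 * it is not a substitute for a fixed format string. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* escaped percent sign */
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    /* Constructed sample input: what an attacker might submit. */
    const char *attack = "user=%n%x%s";

    printf("%%n stored: %d\n", demo_percent_n());
    log_line_safe(buf, sizeof buf, attack);
    printf("safe output : \"%s\"\n", buf);
    printf("directive?  : %d\n", contains_format_directive(attack));
    printf("directive?  : %d\n", contains_format_directive("100%% done"));
    return 0;
}
```

The vulnerable function is executed here only with input that contains no directives, which is exactly the situation in which the bug stays invisible in testing. Note that a compiler given <code>-Wformat-security</code> warns on the non-literal format string in <code>log_line_vulnerable</code>, and glibc built with <code>_FORTIFY_SOURCE</code> aborts when %n appears in a format string located in writable memory; both are worth enabling, but neither replaces the <code>"%s"</code> fix.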
 
This is a common vulnerability because format string bugs were previously thought harmless, and they have resulted in vulnerabilities in many common tools. [http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string MITRE's CVE project] lists roughly 150 vulnerable programs.