Content deleted Content added
grammar, made it clear that argument was not necessary for %n |
mNo edit summary |
||
Line 1:
'''Format string attacks''' are a new class of [[Exploit_(computer_science)|vulnerabilities]] discovered in June of 2000 by [[Przemysław Frasunek]] and [[tf8]], previously thought to be harmless. The first exploit which used the new technique allowed an attacker to gain remote root privileges on [[wu-ftpd]] 2.6.0. Format string attacks can be used to [[Crash_(computing)|crash]] a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain [[C_programming_language|C]] functions that perform formatting, such as <code>[[Printf|printf()]]</code>. A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands <code>printf()</code> and similar functions to write back the number of bytes formatted to an argument of [[Datatype|type]] int *. By manipulating the stack by using spurious format tokens, this argument can be faked as part of the format string.
This is a common vulnerability due to the fact that format bugs were previously thought harmless and resulted in vulnerabilites in many common tools. [http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string MITRE's CVE project] list roughly 150 vulnerable programs.
| |||