Uncontrolled format string
'''Format string attacks''' are a class of [[Exploit_(computer_science)|vulnerabilities]] recognised as such around 1999 and 2000; before that, format string bugs were thought to be harmless. The first exploit which used the technique allowed an attacker to gain remote root privileges on [[wu-ftpd]] 2.6.0. Format string attacks can be used to [[Crash_(computing)|crash]] a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain [[C_programming_language|C]] functions that perform formatting, such as <code>[[Printf|printf()]]</code>. A malicious user may use the <code>%x</code> and <code>%s</code> format tokens, among others, to print words from the stack (<code>%x</code>) or the memory those words point to (<code>%s</code>), and so read data from locations the program never meant to expose. One may also write arbitrary data to arbitrary locations using the <code>%n</code> format token, which commands <code>printf()</code> and similar functions to store the number of characters formatted so far through the corresponding [[Argument|argument]], which the function simply assumes exists and is of [[Datatype|type]] <code>int *</code>. When the caller supplied no such argument, the function uses whatever value happens to occupy that argument slot, typically a word on the stack, as the pointer; an attacker who can place a chosen address there, for example as part of the format string itself or of other user input, therefore chooses where the write lands.
 
This is a common vulnerability because format bugs were previously thought harmless, so the pattern went uncorrected in many common tools. [http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string MITRE's CVE project] lists roughly 150 vulnerable programs.
 
Format string bugs most commonly appear when a programmer wishes to print a string containing user supplied data. The programmer may mistakenly write <code>printf(buffer)</code> instead of <code>printf("%s", buffer)</code>. The first version interprets <code>buffer</code> as a format string and acts on any conversion specifications it happens to contain, popping arguments that were never passed. The second version treats <code>buffer</code> purely as data and prints its contents literally, as the programmer intended.
 
Format bugs arise because C's argument passing conventions are [[Type safety|type-unsafe]]. In particular, the <code>varargs</code> mechanism allows [[Subprogram|functions]] such as <code>printf</code> to accept any number of arguments by "popping" as many [[Argument|arguments]] off the call [[Stack_(computing)|stack]] (or out of the argument registers, depending on the calling convention) as they wish, trusting the early arguments, here the format string, to indicate how many additional arguments are to be popped, and of what types. Nothing checks that the caller actually supplied them.
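The three mechanisms described above, the <code>%x</code> leak, the <code>%n</code> write and the <code>printf(buffer)</code> versus <code>printf("%s", buffer)</code> mistake, can be made concrete with a small model. The C program below is an added example and is not code from the original article or from any of the cited papers. It replaces the real, platform-dependent <code>va_arg()</code> machinery with a hand-written formatter that pops its arguments from an explicit array of machine words, so the reads past the supplied arguments and the <code>%n</code> store are deterministic instead of undefined behaviour. The stack contents (<code>0xdeadbeef</code> and friends), the function names and the toy formatter itself are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Number of machine-word slots in the simulated argument area. */
#define STACK_WORDS 6

/* Simulated call frame: the slots a varargs function pulls arguments from.
 * In a real process these slots also hold saved registers, return addresses
 * and locals, which is what %x leaks and what a %n write can clobber. */
struct frame {
    uintptr_t words[STACK_WORDS];  /* constructed stand-in for stack words */
    int target;                    /* a local whose address may land in a slot */
};

/* Append one character, counting it even once the buffer is full. */
static void put(char *out, size_t outsz, size_t *n, char c)
{
    if (*n + 1 < outsz)
        out[*n] = c;
    (*n)++;
}

/* Toy varargs formatter supporting %x, %s, %n and %% only. Like va_arg(), it
 * trusts the format string and pops one slot per conversion whether or not the
 * caller supplied that argument. Returns the character count; out is always
 * NUL-terminated. */
static size_t toy_printf(char *out, size_t outsz, const char *fmt, struct frame *f)
{
    size_t n = 0, argi = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { put(out, outsz, &n, *p); continue; }
        char conv = *++p;
        if (conv == '\0') break;
        if (conv == '%') { put(out, outsz, &n, '%'); continue; }
        /* Pop the next slot. Past the end of the array this model reads 0;
         * a real printf() would read whatever lies there. */
        uintptr_t arg = argi < STACK_WORDS ? f->words[argi] : 0;
        argi++;
        if (conv == 'x') {                       /* leak a word as hex */
            char hex[2 * sizeof arg + 1];
            int len = snprintf(hex, sizeof hex, "%lx", (unsigned long)arg);
            for (int i = 0; i < len; i++) put(out, outsz, &n, hex[i]);
        } else if (conv == 's') {                /* dereference a word as char* */
            const char *s = (const char *)arg;
            if (s == NULL) s = "(null)";         /* real printf() may fault here */
            for (; *s; s++) put(out, outsz, &n, *s);
        } else if (conv == 'n') {                /* store the count through a word */
            if (arg != 0) *(int *)arg = (int)n;
        } else {
            put(out, outsz, &n, '%'); put(out, outsz, &n, conv);
        }
    }
    out[n < outsz ? n : outsz - 1] = '\0';
    return n;
}

static char outbuf[128];

/* The printf(user) mistake: the attacker's string is the format. The three
 * constructed words stand in for whatever the caller left on the stack. */
const char *format_from_user(const char *user)
{
    struct frame f = { { 0xdeadbeef, 0xcafebabe, 0x41414141 }, 0 };
    toy_printf(outbuf, sizeof outbuf, user, &f);
    return outbuf;
}

/* The printf("%s", user) fix: the format is a constant and user is data, so
 * conversions inside the input are copied literally, never interpreted. */
const char *format_safely(const char *user)
{
    struct frame f = { { (uintptr_t)user }, 0 };
    toy_printf(outbuf, sizeof outbuf, "%s", &f);
    return outbuf;
}

/* A %n write. Slot 1 holds the address of a local; the attacker spends one %x
 * to step past slot 0 (padding the count as a side effect) and then %n stores
 * the running count into the local. Returns what landed there. */
int write_via_n(const char *user)
{
    struct frame f = { { 0xdeadbeef, 0 }, 0 };
    f.words[1] = (uintptr_t)&f.target;
    toy_printf(outbuf, sizeof outbuf, user, &f);
    return f.target;
}

int main(void)
{
    printf("printf(user)       -> %s\n", format_from_user("%x.%x.%x"));
    printf("printf(\"%%s\", user) -> %s\n", format_safely("%x.%x.%x"));
    printf("%%n stored %d into the local\n", write_via_n("AAAA%x%n"));
    return 0;
}
```

With <code>%x.%x.%x</code> as input the vulnerable path dumps the three slot values while the fixed path echoes the input unchanged, and <code>AAAA%x%n</code> stores 12 (four literal bytes plus eight hex digits) into the local whose address sat in slot 1. Swapping <code>toy_printf</code> for a real <code>snprintf</code> turns the same inputs into genuine undefined behaviour; on current glibc builds with <code>_FORTIFY_SOURCE</code> the <code>%n</code> case is refused and the process aborts, which is exactly the hardening that this class of bug prompted.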
 
==See also==
*[[fprintf]]
*[[sprintf]]
*[[snprintf]]
*[[scanf]]
*[[syslog]]

==References==
*[[Tobias Klein]]: ''Buffer Overflows und Format-String-Schwachstellen'', Dpunkt Verlag, ISBN 3-89864-192-9.
 
==External links==
*[http://doc.bughunter.net/format-string/exploit-fs.html Excellent Paper on Exploiting Format String Bugs]
*[http://doc.bughunter.net/format-string/ More Security Papers about Format String vulnerabilities]
*[http://marc.theaimsgroup.com/?l=bugtraq&m=96179429114160&w=2 The first format string exploit]
*[http://teso.scene.at/articles/formatstring/ Exploiting Format String Vulnerabilities]
*[http://www.rosiello.org/archivio/fmtbugs.pdf Explaining format bugs and how they can be exploited] by [http://www.rosiello.org/ Johnny Mast]
*[http://www.securityfocus.com/archive/1/70552 Excellent Paper on Exploiting Format String Bugs]
*[http://www.securityfocus.com/data/library/format-bug-analysis.pdf Analysis of Format Strings Bugs]
*[http://www.hert.org/papers/format.html Hacker Emergency Response Team - Exploiting Format Strings]
 
[[Category:Security exploits]]
[[Category:C programming language]]
 
[[de:Formatstring-Angriff]]