Uncontrolled format string: Difference between revisions

'''Uncontrolled format string'''<ref>{{cite web |work=[[Common Weakness Enumeration]] |publisher=[[MITRE]] |title=CWE-134: Uncontrolled Format String |url=http://cwe.mitre.org/data/definitions/134.html |date=December 13, 2010 |accessdate=March 5, 2011}}</ref> is a type of [[software vulnerability]], discovered around 1999,1989 that can be used in [[security exploit]]s. Previously thought harmless, '''format string exploits''' can be used to [[Crash (computing)|crash]] a program or to execute harmful code. The problem stems from the use of [[unchecked user input]] as the [[format string]] parameter in certain [[C (programming language)|C]] functions that perform formatting, such as <code>[[Printf|printf()]]</code>. A malicious user may use the <code>%s</code> and <code>%x</code> format tokens, among others, to print data from the [[call stack]] or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the <code>%n</code> format token, which commands <code>printf()</code> and similar functions to write the number of bytes formatted to an address stored on the stack.

This is a common vulnerability because format bugs were previously thought harmless and resulted in vulnerabilities in many common tools. [[Mitre Corporation|MITRE's]] CVE project lists roughly 500 vulnerable programs as of June 2007, and a trend analysis ranks it the 9th most-reported vulnerability type between 2001 and 2006.<ref>{{cite web|url=http://cwe.mitre.org/documents/vuln-trends/index.html |title=Vulnerability Type Distributions in CVE |date=May 22, 2007}}</ref>

Format bugs were first noted in 19901989 inby the [[fuzz testing]] work done at the University of Wisconsin (see Miller, Fredriksen,which Sodiscovered 1990). They called these bugsan "interaction effectseffect" and noted their presence when testingin the [[C shell]] (csh) between its [[command history]] mechanism and an error routine that assumed safe string input.<ref>{{cite journal |url=ftp://ftp.cs.wisc.edu/paradyn/technical_papers/fuzz.pdf |title=An Empirical Study of the Reliability of

The use of format string bugs as an [[Vector (malware)|attack vector]] was discovered by Tymm Twillman during a [[security audit]] of the [[ProFTPD]] daemon. The audit uncovered an <code>[[snprintf]]</code> that directly passed user-generated data without a format string. Extensive tests with contrived arguments to printf-style functions showed that use of this for privilege escalation was actually possible. This led to the first posting in September 1999 on the [[Bugtraq]] mailing list regarding this class of vulnerabilities, including a basic exploit.<ref>[http://seclists.org/bugtraq/1999/Sep/0328.html Bugtraq: Exploit for proftpd 1.2.0pre6]</ref> It was still several months, however, before the security community became aware of the full dangers of format string vulnerabilities as exploits for other software using this method began to surface. The first exploits leading to successful [[privilege escalation]] attack were published simultaneously on the [[Bugtraq]] list in June 2000 by [[Przemysław Frasunek]]<ref>[http://marc.theaimsgroup.com/?l=bugtraq&m=96179429114160&w=2 'WUFTPD 2.6.0 remote root exploit' - MARC]</ref> and the person using nickname ''tf8''.<ref>[http://marc.theaimsgroup.com/?l=bugtraq&m=96171893218000&w=2 'WuFTPD: Providing *remote* root since at least1994' - MARC]</ref> The seminal paper "Format String Attacks"<ref>[http://seclists.org/bugtraq/2000/Sep/0214.html Bugtraq: Format String Attacks]</ref> by [[Tim Newsham]] was published in September 2000.

*[[Crispin Cowan]], ''Software Security for Open-Source Systems''. IEEE Computer Society, [http://www.computer.org/web/computingnow/securityandprivacy IEEE Security & Privacy], January/February 2003, http://computer.org/security