Uncontrolled format string: Difference between revisions

Format string bugs can occur in other programming languages besides C, although they appear with less frequency and usually cannot be exploited to execute code of the attacker's choice.<ref>[http://seclists.org/bugtraq/2005/Dec/0030.html Bugtraq: Format String Vulnerabilities in Perl Programs]</ref>

 

 

The use of format string bugs as an [[Vector (malware)|attack vector]] was discovered by Tymm Twillman during a [[security audit]] of the [[ProFTPD]] daemon. The audit uncovered an <code>[[snprintf]]</code> that directly passed user-generated data without a format string. Extensive tests with contrived arguments to printf-style functions showed that use of this for privilege escalation was actually possible. This led to the first posting in September 1999 on the [[Bugtraq]] mailing list regarding this class of vulnerabilities, including a basic exploit.<ref>[http://seclists.org/bugtraq/1999/Sep/0328.html Bugtraq: Exploit for proftpd 1.2.0pre6]</ref> It was still several months, however, before the security community became aware of the full dangers of format string vulnerabilities as exploits for other software using this method began to surface. The first exploits leading to successful [[privilege escalation]] attack were published simultaneously on the [[Bugtraq]] list in June 2000 by [[Przemysław Frasunek]]<ref>[http://marc.theaimsgroup.com/?l=bugtraq&m=96179429114160&w=2 'WUFTPD 2.6.0 remote root exploit' - MARC]</ref> and the person using nickname ''tf8''.<ref>[http://marc.theaimsgroup.com/?l=bugtraq&m=96171893218000&w=2 'WuFTPD: Providing *remote* root since at least1994' - MARC]</ref> The seminal paper "Format String Attacks"<ref>[http://seclists.org/bugtraq/2000/Sep/0214.html Bugtraq: Format String Attacks]</ref> by [[Tim Newsham]] was published in September 2000.