Format string attacks can cause information leakage, overwriting memory etc. This error can be exploited in any of the following functions: printf, fprintf, sprintf, snprintf, i.e. all the functions that take a "format string" as argument.

1. Never let the user input format string/s

What you should not do

#FormatString.c
#include <include.h>

int main(int argc, char **argv){
    char *secret = "This is a secret!\n";
    printf (argv[1]);
    return 0;
}

If this code is run with %s as an input argument, "This is a secret!" string will be printed. For example run this code in the following manner, ./FormatString %s. The above has been taken from CERN Computer Security website, https://security.web.cern.ch/security/recommendations/en/codetools/c.shtml .

What you should do

Hardcode the format string. Never let the format string from the user's input.

Concept Map

This example maps to N and Bad Code in the Concept Map.

2. Buffer Overflow

What you should not do

In the code below, the sprintf( ) function writes to a fixed length buffer. It replaces the %s conversion specifier in the format string with a user-supplied string which may be a malicious one.

char buffer[512];

sprintf(buffer, "Wrong command: %s\n", user);

In the code below, the call to sprintf() function cannot be directly exploited because the %.400s conversion specifier limits the number of bytes written to 400. This call can be used to directly attack the sprintf() call (second sprintf() call).  The attack can be executed by following the following value for user.

%497d\x3c\xd3\xff\xbf<nops><shellcode>

When this string is inserted into buffer in the sprintf() function in the first call, this buffer array is passed to the second call to sprintf().The %497d  format specification instructs sprintf() to read an imaginary argument from the stack and write 497 characters to buffer. Including ordinary characters in the format string, the total number of characters written now exceeds the length of outbuf by 4 bytes. The user input can be manipuated to overwrite the return address with the address of the exploit code supplied in the malicious format string argument (0xbfffd33c). When the current function exits, control is transferred to the exploit code in the same manner as a stack-smashing attack.

char outbuf[512];

char buffer[512];

sprintf(buffer,"ERR Wrong command: %.400s",user);

sprintf(outbuf,buffer);

What you should do

The above vulnerability can be avoid by using strcpy() or strncpy() instead of sprintf().

 However, vulnerability involved in using strcpy() has been discussed under the buffer overflow attacks. The link is http://spc.cs.ucdavis.edu/index.php/situations/buffer-overflow#strcpy.

Concept Map

This example maps to N and Bad Code in the Concept Map.

The above example has been taken from the second edition of the book Secure Coding in C and C++ by Robert C Seacord, page 320.

 

JSN Teki template designed by JoomlaShine.com