Difference between revisions of "Format String"

From OWASP
Jump to: navigation, search
(Contents provided by Fortify.)
(Related Controls)
 
(10 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
 
{{Template:Fortify}}
 
{{Template:Fortify}}
 +
{{Template:SecureSoftware}}
  
==Abstract==
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
Allowing an attacker to control a function's format string may result in a buffer overflow.
+
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
 
==Description==
 
==Description==
 +
 +
Allowing an attacker to control a function's format string may result in a buffer overflow.
  
 
Format string vulnerabilities occur when:
 
Format string vulnerabilities occur when:
Line 13: Line 16:
 
# The data is passed as the format string argument to a function like sprintf(), FormatMessageW(), or syslog().  
 
# The data is passed as the format string argument to a function like sprintf(), FormatMessageW(), or syslog().  
  
==Examples ==
+
Format string problems occur when a user has the ability to control or write completely the format string used to format data in the printf style family of C/C++ functions.
 +
 
 +
'''Consequences'''
 +
 
 +
* Confidentially: Format string problems allow for information disclosure which can severely simplify exploitation of the program.
 +
* Access Control: Format string problems can result in the execution of arbitrary code.
 +
 
 +
'''Exposure period'''
 +
 
 +
* Requirements specification: A language might be chosen that is not subject to this issue.
 +
* Implementation: Format string problems are largely introduced at implementation time.
 +
* Build: Several format string problems are discovered by compilers
 +
 
 +
'''Platform'''
 +
 
 +
* Language: C, C++, Assembly
 +
* Platform: Any
 +
 
 +
'''Required resources'''
 +
 
 +
Any
 +
 
 +
'''Severity'''
 +
 
 +
High
 +
 
 +
'''Likelihood  of exploit'''
 +
 
 +
Very High
 +
 
 +
Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. The reason format string vulnerabilities can be exploited is due to the %n operator. The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument.
 +
 
 +
Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, he can execute arbitrary code.
 +
 
 +
 
 +
==Risk Factors==
 +
 
 +
TBD
 +
 
 +
==Examples==
  
 
===Example 1===
 
===Example 1===
Line 66: Line 108:
 
</pre>
 
</pre>
  
==Related Threats==
+
===Example 4===
 +
 
 +
The following example is exploitable, due to the printf() call in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple.
 +
 
 +
<pre>
 +
#include <stdio.h>
 +
 
 +
void printWrapper(char *string) { 
 +
  printf(string);
 +
}
 +
 
 +
int main(int argc, char **argv) { 
 +
  char buf[5012];   
 +
  memcpy(buf, argv[1], 5012);   
 +
  printWrapper(argv[1]);   
 +
  return (0);
 +
}
 +
</pre>
 +
 
 +
 
 +
==Related [[Attacks]]==
 +
 
 +
* [[Format String Attack]]
 +
* [[:Category:Injection Attack]]
 +
 
 +
 
 +
==Related [[Vulnerabilities]]==
 +
 
 +
* [[Buffer Overflow]]
 +
* [[Injection problem]]
 +
* [[Write-what-where]]
 +
 
 +
 
 +
 
 +
==Related [[Controls]]==
  
==Related Attacks==
+
* [[:Category:Input Validation]]
 +
* Requirements specification: Choose a language which is not subject to this flaw.
 +
* Implementation: Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings.
 +
* Build: Heed the warnings of compilers and linkers, since they may alert you to improper usage.
  
[[Buffer Overflow Attack]]
+
==Related [[Technical Impacts]]==
[[:Category:Injection Attack]]
+
  
==Related Vulnerabilities==
+
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
  
[[Buffer overflow]]
 
  
==Related Countermeasures==
+
==References==
  
[[:Category:Input Validation]]
+
TBD
 +
__NOTOC__
  
==Categories==
 
  
 +
[[Category:OWASP ASDR Project]]
 
[[Category:Input Validation Vulnerability]]
 
[[Category:Input Validation Vulnerability]]
 
[[Category:Use of Dangerious API]]
 
[[Category:Use of Dangerious API]]
Line 88: Line 167:
 
[[Category:Code Snippet]]
 
[[Category:Code Snippet]]
 
[[Category:Implementation]]
 
[[Category:Implementation]]
 +
[[Category:Vulnerability]]
 +
[[Category:Range and Type Error Vulnerability]]
 +
[[Category:OWASP_CLASP_Project]]

Latest revision as of 08:34, 23 February 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.JPG.


Last revision (mm/dd/yy): 02/23/2009

Vulnerabilities Table of Contents

Description

Allowing an attacker to control a function's format string may result in a buffer overflow.

Format string vulnerabilities occur when:

  1. Data enters the application from an untrusted source.
  2. The data is passed as the format string argument to a function like sprintf(), FormatMessageW(), or syslog().

Format string problems occur when a user has the ability to control or write completely the format string used to format data in the printf style family of C/C++ functions.

Consequences

  • Confidentially: Format string problems allow for information disclosure which can severely simplify exploitation of the program.
  • Access Control: Format string problems can result in the execution of arbitrary code.

Exposure period

  • Requirements specification: A language might be chosen that is not subject to this issue.
  • Implementation: Format string problems are largely introduced at implementation time.
  • Build: Several format string problems are discovered by compilers

Platform

  • Language: C, C++, Assembly
  • Platform: Any

Required resources

Any

Severity

High

Likelihood of exploit

Very High

Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. The reason format string vulnerabilities can be exploited is due to the %n operator. The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument.

Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, he can execute arbitrary code.


Risk Factors

TBD

Examples

Example 1

The following code copies a command line argument into a buffer using snprintf().

	int main(int argc, char **argv){
		char buf[128];
		...
		snprintf(buf,128,argv[1]);
	}

This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.

Example 2

Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:

	printf("%d %d %1$d %1$d\n", 5, 9);

This code produces the following output:

	5 9 5 5

It is also possible to use half-writes (%hn) to accurately control arbitrary DWORDS in memory, which greatly reduces the complexity needed to execute an attack that would otherwise require four staggered writes, such as the one mentioned in Example 1.

Example 3

Simple format string vulnerabilities often result from seemingly innocuous shortcuts. The use of some such shortcuts is so ingrained that programmers might not even realize that the function they are using expects a format string argument.

For example, the syslog() function is sometimes used as follows:

	...
	syslog(LOG_ERR, cmdBuf);
	...

Because the second parameter to syslog() is a format string, any formatting directives included in cmdBuf are interpreted as described in Example 1.

The following code shows a correct usage of syslog():

	...
	syslog(LOG_ERR, "%s", cmdBuf);
	...

Example 4

The following example is exploitable, due to the printf() call in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple.

#include <stdio.h>

void printWrapper(char *string) {   
  printf(string);
}

int main(int argc, char **argv) {   
  char buf[5012];    
  memcpy(buf, argv[1], 5012);    
  printWrapper(argv[1]);    
  return (0);
}


Related Attacks


Related Vulnerabilities


Related Controls

  • Category:Input Validation
  • Requirements specification: Choose a language which is not subject to this flaw.
  • Implementation: Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings.
  • Build: Heed the warnings of compilers and linkers, since they may alert you to improper usage.

Related Technical Impacts


References

TBD