Format string problem

Jump to: navigation, search

This page was marked to be reviewed for deletion.

#REDIRECT Format_String


Format string problems occur when a user has the ability to control or write completely the format string used to format data in the printf style family of C/C++ functions.


  • Confidentially: Format string problems allow for information disclosure which can severely simplify exploitation of the program.
  • Access Control: Format string problems can result in the execution of arbitrary code.

Exposure period

  • Requirements specification: A language might be chosen that is not subject to this issue.
  • Implementation: Format string problems are largely introduced at implementation time.
  • Build: Several format string problems are discovered by compilers


  • Language: C, C++, Assembly
  • Platform: Any

Required resources




Likelihood of exploit

Very High

Avoidance and mitigation

  • Requirements specification: Choose a language which is not subject to this flaw.
  • Implementation: Ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings.
  • Build: Heed the warnings of compilers and linkers, since they may alert you to improper usage.


Format string problems are a classic C/C++ issue that are now rare due to the ease of discovery. The reason format string vulnerabilities can be exploited is due to the %n operator. The %n operator will write the number of characters, which have been printed by the format string therefore far, to the memory pointed to by its argument.

Through skilled creation of a format string, a malicious user may use values on the stack to create a write-what-where condition. Once this is achieved, he can execute arbitrary code.


The following example is exploitable, due to the printf() call in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple.

#include <stdio.h>

void printWrapper(char *string) {   

int main(int argc, char **argv) {   
  char buf[5012];    
  memcpy(buf, argv[1], 5012);    
  return (0);

Related problems