
Format String Vulnerability


Description

A format string vulnerability occurs when a program does not properly validate or sanitize user input that is used as the format string of a formatted output function such as printf(). Because the format string controls how the function reads its arguments from the stack, an attacker who controls it can read memory, write memory, and potentially execute arbitrary code or disclose sensitive information.

The impact of format string vulnerabilities can be significant, leading to:

  1. Information Disclosure: Exploiting a format string vulnerability enables an attacker to extract sensitive information from memory. This may include confidential data like passwords, encryption keys, or other critical information.

  2. Remote Code Execution: Format string vulnerabilities can be exploited to execute arbitrary code on a system remotely. This allows attackers to gain control over the system, potentially leading to unauthorized access or the theft of sensitive data.

  3. Denial of Service (DoS): A format string vulnerability can be manipulated by an attacker to crash the program or induce it into an infinite loop. This type of attack results in a denial of service (DoS), rendering the system or application inaccessible to legitimate users.

Examples

// gcc vulnerable.c
// Deliberately vulnerable example: user input is passed as the format string.

#include <stdio.h>
#include <unistd.h>

int main(void) {
    int secret_num = 0x8badf00d;   // secret sitting on the stack

    char name[64] = {0};
    // Read at most 63 bytes so the buffer stays NUL-terminated;
    // the format string bug below is the intended flaw.
    if (read(0, name, sizeof(name) - 1) < 0) {
        return 1;
    }
    printf("Hello ");
    printf(name);                  // VULNERABLE: user-controlled format string
    printf("! You'll never get my secret!\n");
    return 0;
}

Recommendation

To mitigate format string vulnerabilities, a few practices are crucial. Input validation and sanitization should be implemented so that user-supplied data is checked and rejected or escaped if it contains format directives. More importantly, developers should never pass user input directly as the format argument of printf-family functions; the format string should always be a constant controlled by the program, with user data supplied as an argument (for example through a %s conversion) or combined by plain string concatenation, so that user-controlled bytes are never interpreted as format directives.

Code Examples:

#include <stdio.h>
#include <string.h>   // strlen()

int main(void) {
    int secret_num = 0x8badf00d;   // kept from the vulnerable example
    (void)secret_num;

    char name[64] = {0};

    printf("Enter your name: ");
    if (fgets(name, sizeof(name), stdin) != NULL) {
        // Remove the newline character from the input
        size_t len = strlen(name);
        if (len > 0 && name[len - 1] == '\n') {
            name[len - 1] = '\0';
        }

        // Constant format string; user data is only ever a %s argument
        printf("Hello %s! You'll never get my secret!\n", name);
    } else {
        // Handle error reading input
        printf("Error reading input.\n");
        return 1;
    }

    return 0;
}
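The recommendation above combines two ideas: validate untrusted input for format directives, and never let that input become the format argument. The following is an added example written for this page (it is not the page's own code or part of any project); the function names count_format_directives(), format_greeting() and chomp() are my own. The validation function counts every '%' that is not the "%%" escape, and the greeting is built with snprintf() and a constant format string so the user's text is printed literally even if it contains directives.

```c
// Added example, not from the original page: validation of untrusted input
// for format directives plus a safe, constant-format print routine.
#include <stdio.h>
#include <string.h>

// Count format directives in s: every '%' that is not the escape "%%".
// A non-zero result means the string would be interpreted by printf()
// if it were (wrongly) passed as the format argument.
size_t count_format_directives(const char *s) {
    size_t count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '%') {
            if (p[1] == '%') {
                p++;        // literal percent sign, skip the pair
            } else {
                count++;
            }
        }
    }
    return count;
}

// Build the greeting with a constant format string; user data is only
// ever a %s argument, so its contents are printed literally.
// Returns the snprintf() result: characters that would have been written,
// or a negative value on error.
int format_greeting(char *out, size_t out_len, const char *name) {
    return snprintf(out, out_len, "Hello %s! You'll never get my secret!\n", name);
}

// Strip the trailing newline left by fgets().
void chomp(char *s) {
    size_t len = strlen(s);
    if (len > 0 && s[len - 1] == '\n') {
        s[len - 1] = '\0';
    }
}

int main(void) {
    char name[64] = {0};
    char line[128];

    printf("Enter your name: ");
    if (fgets(name, sizeof(name), stdin) == NULL) {
        fprintf(stderr, "Error reading input.\n");
        return 1;
    }
    chomp(name);

    // Rejecting input with format directives is a policy choice for this
    // program; because the format string in format_greeting() is constant,
    // such input would be printed literally even if accepted.
    size_t directives = count_format_directives(name);
    if (directives > 0) {
        fprintf(stderr, "rejected input containing %zu format directive(s)\n",
                directives);
        return 1;
    }

    if (format_greeting(line, sizeof(line), name) < 0) {
        return 1;
    }
    fputs(line, stdout);
    return 0;
}
```

As a compile-time check, building with `gcc -Wall -Wformat -Wformat-security` (Clang accepts the same flags) warns on a printf-family call whose format argument is not a string literal and has no other arguments, which is exactly the pattern in the vulnerable example above; treating that warning as an error in CI catches the bug before it ships.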

Standards

  • OWASP_MASVS_L1:
    • MSTG_PLATFORM_1
  • OWASP_MASVS_L2:
    • MSTG_PLATFORM_1