Format String Vulnerability
Description
A format string vulnerability occurs when a program passes user-controlled input as the format argument of a formatted output function (printf, fprintf, sprintf, snprintf, syslog and their v* variants) instead of passing it as data. The format string decides how many arguments the function reads and how each one is interpreted, so an attacker who controls it can make the function read from, and with %n write to, memory the program never intended to expose. The result ranges from leaking sensitive information to corrupting memory and executing arbitrary code.
The impact of format string vulnerabilities can be significant, leading to:
- Information Disclosure: directives such as %x, %p and %s make the function read values from the stack (or argument registers) that were never meant to be printed. This can include stack canaries, return addresses, heap and library pointers that defeat ASLR, and application data such as passwords or encryption keys.
- Remote Code Execution: the %n directive writes the number of characters printed so far to the address held in the corresponding argument. By placing an address in the input and controlling the output length with width specifiers, an attacker can write chosen values to a chosen location, for example a GOT entry, a function pointer or a return address, and redirect execution.
- Denial of Service (DoS): a %s directive applied to an invalid pointer, or a %n write to unmapped memory, crashes the process, and hostile width specifiers can make it produce huge output or hang. Either way the system or application becomes inaccessible to legitimate users.
Examples
// gcc vulnerable.c
// (gcc -Wformat -Wformat-security vulnerable.c warns on the printf(name) line)
#include <stdio.h>
#include <unistd.h>

int main() {
    int secret_num = 0x8badf00d;       // lives on the stack, in reach of %x / %p directives
    char name[64] = {0};
    read(0, name, sizeof(name) - 1);   // leave room for the terminating NUL
    printf("Hello ");
    printf(name);                      // BUG: user input used directly as the format string
    printf("! You'll never get my secret!\n");
    return 0;
}
Recommendation
To mitigate format string vulnerabilities, follow these practices:
- Never pass user-controlled data as the format argument of a printf-family function. Always supply a constant format string and bind the data to a %s conversion, e.g. printf("%s", name) instead of printf(name). The same rule applies to fprintf, sprintf, snprintf, syslog and to any wrapper that forwards a caller's format string to them.
- Enable compiler diagnostics that catch the pattern at build time: gcc and clang report a non-literal format with no further arguments under -Wformat -Wformat-security, and -Werror=format-security makes the build fail on it. glibc built with _FORTIFY_SOURCE additionally aborts at runtime on %n in a writable format string, but treat that as a last line of defence rather than a fix.
- Validate and sanitize input as a defence-in-depth measure, so that user-supplied data matches the expected character set and length. This does not replace the constant format string: any % that survives sanitization is still interpreted if the data reaches a format argument.
Code Examples:
#include <stdio.h>
#include <string.h>   // strlen

int main() {
    int secret_num = 0x8badf00d;
    char name[64] = {0};
    printf("Enter your name: ");
    if (fgets(name, sizeof(name), stdin) != NULL) {
        // Remove the newline character from the input
        size_t len = strlen(name);
        if (len > 0 && name[len - 1] == '\n') {
            name[len - 1] = '\0';
        }
        // Constant format string; user data is bound to %s and never interpreted
        printf("Hello %s! You'll never get my secret!\n", name);
    } else {
        // Handle error reading input
        printf("Error reading input.\n");
        return 1;
    }
    return 0;
}
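The following program is an added example and is not code from the original page. It ties the Description to the Recommendation: a variadic wrapper stands in for the vulnerable printf(name) so that the attacker-chosen directives read values the caller actually passed (in the real bug there are no arguments at all and the same directives read whatever sits next in the argument registers and stack), the hardened call treats the identical input as data, and a small audit helper flags untrusted strings that would be interpreted as a format. The function names, the helper and the sample input are constructed for this illustration.

```c
// Added example (not from the original page). Shows (1) how directives in an
// attacker-controlled format string pull out values the caller never meant to
// expose, (2) the hardened call that treats the same input as data, and
// (3) an audit check for conversion directives in untrusted strings.
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

// VULNERABLE pattern: the format string is supplied by the caller/user.
// Nothing about it can be checked at compile time; it is runtime data.
static int render_untrusted_fmt(char *out, size_t outsz, const char *user_fmt, ...)
{
    va_list ap;
    va_start(ap, user_fmt);
    int n = vsnprintf(out, outsz, user_fmt, ap);
    va_end(ap);
    return n;
}

// HARDENED pattern: constant format, user input only ever bound to %s.
static int render_safe(char *out, size_t outsz, const char *user_input)
{
    return snprintf(out, outsz, "Hello %s!", user_input);
}

// Audit helper (illustrative): true if the string contains a conversion
// directive, i.e. a '%' that is not escaped as "%%". A lone trailing '%' is
// also flagged because it would be an incomplete (undefined) conversion.
static bool contains_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   // literal percent, skip the pair
            s++;
            continue;
        }
        return true;
    }
    return false;
}

int main(void)
{
    // Constructed sample input standing in for what an attacker would type.
    const char *attacker_input = "%x %x %x";
    char buf[64];

    // The "secret" 0x8badf00d is passed as a hidden third argument that the
    // caller intended to keep; the attacker's third %x dumps it anyway.
    render_untrusted_fmt(buf, sizeof buf, attacker_input, 1, 2, 0x8badf00dU);
    printf("vulnerable: %s\n", buf);   // vulnerable: 1 2 8badf00d

    // Same input through the constant-format call is printed verbatim.
    render_safe(buf, sizeof buf, attacker_input);
    printf("hardened:   %s\n", buf);   // hardened:   Hello %x %x %x!

    printf("directive in attacker input: %d\n", contains_format_directive(attacker_input)); // 1
    printf("directive in \"100%% done\": %d\n", contains_format_directive("100%% done"));   // 0
    return 0;
}
```

The wrapper deliberately gives the attacker's format real arguments so the demonstration is deterministic; with the page's printf(name) the very same "%x %x %x" input walks into memory that was never passed, which is why the output there is undefined and why the only correct fix is the constant format string in render_safe.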
Links
Standards
- OWASP_MASVS_L1:
  - MSTG_PLATFORM_2
- OWASP_MASVS_L2:
  - MSTG_PLATFORM_2
- OWASP_MASVS_v2_1:
  - MASVS_CODE_4
- SOC2_CONTROLS:
  - CC_2_1
  - CC_3_4
  - CC_4_1
  - CC_7_1
  - CC_7_2
  - CC_7_4
  - CC_7_5