Format string attack

Format string attack

Format string attacks are a class of software vulnerability discovered around 1999. Previously thought harmless, Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write the number of bytes formatted to an address stored on the stack.

A typical exploit uses a combination of these techniques to force a program to overwrite the address of a library function or the return address on the stack with a pointer to some malicious Shellcode. The padding parameters to format specifiers are used to control the number of bytes output and the %x token is used to pop bytes from the stack until the beginning of the format string itself is reached. The start of the format string is crafted to contain the address that the %n format token can then overwrite with the address of the malicious code to execute.

This is a common vulnerability because format bugs were previously thought harmless and resulted in vulnerabilities in many common tools. [http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string MITRE's CVE project] lists roughly 500 vulnerable programs as of June 2007, and a [http://cwe.mitre.org/documents/vuln-trends/index.html trend analysis] ranks it the 9th most-reported vulnerability type between 2001 and 2006.

Format string bugs most commonly appear when a programmer wishes to print a string containing user supplied data. The programmer may mistakenly write printf(buffer) instead of printf("%s", buffer). The first version interprets buffer as a format string, and parses any formatting instructions it may contain. The second version simply prints a string to the screen, as the programmer intended.

Format bugs arise because C's argument passing conventions are not type-safe. In particular, the varargs mechanism allows functions to accept any number of arguments (e.g. printf) by "popping" as many arguments off the call stack as they wish, trusting the early arguments to indicate how many additional arguments are to be popped, and of what types.

Format string bugs can occur in other programming languages besides C, although they appear with less frequency and usually cannot be exploited to execute code of the attacker's choice. [ [http://seclists.org/bugtraq/2005/Dec/0030.html Bugtraq: Format String Vulnerabilities in Perl Programs ] ]

Format bugs were first noted in 1990 in the fuzz testing work done at the University of Wisconsin (see Miller, Fredriksen, So 1990). They called these bugs "interaction effects" and noted their presence when testing the C shell (csh).

The use of format string bugs as an attack vector was discovered by Tymm Twillman during a security audit of the ProFTPd daemon. The audit uncovered an snprintf that directly passed user-generated data without a format string. Extensive tests with contrived arguments to printf-style functions showed that use of this for privilege escalation was actually possible. This led to the first posting in September 1999 on the Bugtraq mailing list regarding this class of vulnerabilities, including a basic exploit. [ [http://seclists.org/bugtraq/1999/Sep/0328.html Bugtraq: Exploit for proftpd 1.2.0pre6 ] ] It was still several months, however, before the security community became aware of the full dangers of format string vulnerabilities as exploits for other software using this method began to surface. The first exploits leading to successful privilege escalation attack were published simultaneously on the Bugtraq list in June 2000 by Przemysław Frasunek [ [http://marc.theaimsgroup.com/?l=bugtraq&m=96179429114160&w=2 'WUFTPD 2.6.0 remote root exploit' - MARC ] ] and the person using nickname "tf8" [ [http://marc.theaimsgroup.com/?l=bugtraq&m=96171893218000&w=2 'WuFTPD: Providing *remote* root since at least1994' - MARC ] ] . The seminar paper "Format String Attacks" [ [http://seclists.org/bugtraq/2000/Sep/0214.html Bugtraq: Format String Attacks ] ] by Tim Newsham was published in September 2000.

Preventing Dangerous Format Strings

Many compilers can statically check format strings and produce warnings for dangerous or suspect formats.

In the GNU Compiler Collection, the relevant compiler flags are, -Wall,-Wformat, -Wno-format-extra-args, -Wformat-security, -Wformat-nonliteral, and -Wformat=2 [ [http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Warning-Options.html#Warning-Options Warning Options - Using the GNU Compiler Collection (GCC) ] ]

ee also

*printf
*scanf
*syslog
*String exploits

References

* Robert C. Seacord: Secure Coding in C and C++. Addison Wesley, September, 2005. ISBN 0-321-33572-4
*Tobias Klein: "Buffer Overflows und Format-String-Schwachstellen", Dpunkt Verlag, ISBN 3-89864-192-9.
*Crispin Cowan: "Software Security for Open-Source Systems", Published by the IEEE Computer Society, IEEE SECURITY & PRIVACY, JANUARY/FEBRUARY 2003, http://computer.org/security
*Barton Miller, Lars Fredriksen, Bryan So: "An Empirical Study of the Reliability of UNIX Utilities", Communications of the ACM, vol. 33, no. 12 (December 1990). Also appears (in German translation) as "Fatale Fehlerträchtigkeit: Eine empirische Studie zur Zuverlässigkeit von UNIX-Utilities", iX, March 1991. http://www.cs.wisc.edu/~bart/fuzz/
*Crispin Cowan: "FormatGuard: Automatic Protection From printf Format String Vulnerabilities", Proceedings of the 10th USENIX Security Symposium, August 2001. http://www.usenix.com/events/sec01/full_papers/cowanbarringer/cowanbarringer.pdf

Footnotes

External links

* scut / team-teso [http://julianor.tripod.com/bc/formatstring-1.2.pdf Exploiting Format String Vulnerabilities] v1.2 September 9, 2001
* [https://www.securecoding.cert.org CERT Secure Coding Standards]
* [http://www.cert.org/secure-coding CERT Secure Coding Initiative]
* [http://www.cert.org/books/secure-coding Secure Coding in C and C++]


Wikimedia Foundation. 2010.

Игры ⚽ Поможем написать реферат

Look at other dictionaries:

  • format string attack — ● ►en loc. f. ►COP Attaque rendue possible par l omission de la spécification exacte du format à utiliser pour afficher une chaîne, en C. Classiquement, le programmeur écrit printf(str); à la place de printf( %s , str);. Du coup, si printf est un …   Dictionnaire d'informatique francophone

  • printf format string — An example of the printf function. Printf format string (which stands for print formatted ) refers to a control parameter used by a class of functions typically associated with some types of programming languages. The format string specifies a… …   Wikipedia

  • String exploits — Several implementation / design flaws are associated with string programming, some of those are associated with security exploits. Concatenation problems It is possible to cause String1 + User Input String + String2 to behave in unepected ways by …   Wikipedia

  • Portable Document Format — PDF redirects here. For other uses, see PDF (disambiguation). Portable Document Format Adobe Reader icon Filename extension .pdf Internet media type application/pdf application/x pdf application/x bzpdf application/x gzpdf …   Wikipedia

  • Magic string — A magic string is an input that a programmer believes will never come externally and which activates otherwise hidden functionality. A user of this program would likely provide input that gives an expected response in most situations. However, if …   Wikipedia

  • Timing attack — In cryptography, a timing attack is a side channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. The attack exploits the fact that every operation in a computer …   Wikipedia

  • Star Wars Episode II: Attack of the Clones — This article is about the film. For the video game, see Star Wars Episode II: Attack of the Clones (video game). Star Wars Episode II: Attack of the Clones Theatrical poster …   Wikipedia

  • Air on the G String — The Air on the G String is an adaptation by August Wilhelmj of Johann Sebastian Bach s Air . The air is usually played slowly and freely, and features an intertwining harmony and melody. History The original piece is part of Bach s Orchestral… …   Wikipedia

  • Printf — The class of printf functions (which stands for print formatted ) is a class of functions, typically associated with curly bracket programming languages, that accept a string parameter (called the format string) which specifies a method for… …   Wikipedia

  • Scanf — is a function that reads data with specified format from a given string stream source, originated from C programming language, and is present in many other programming languages.The scanf function prototype is: :int scanf (char *format, ...);The… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”