Exploiting format string vulnerabilities

Related categories: C/C++ | Security | Format string vulnerabilities

Piotr Sobolewski, Tomasz Nidecki
Viewed: 5727 | Article date: 2006-02-27 13:23:12

In the second half of 2000, a whole new class of exploits was discovered, shocking the IT security community. It turned out that a vast array of programs, including well-known applications such as wu-ftpd, Apache with PHP3 or screen, have serious vulnerabilities – and all because of format strings.

About the authors

Piotr Sobolewski holds degrees in software engineering from Szczecin University (Poland) and navigation from the Szczecin Maritime University. For over two years, he was Chief Editor of hakin9 magazine. He is currently working as a freelance security consultant.

Tomasz Nidecki graduated from the IT Institute at Warsaw University and studied for two years at the Department of Journalism at the same university. He has been associated with IT press for over 12 years and is currently Managing Editor of hakin9 magazine. He is also a programmer and administers several mail servers.


What you will learn...

  • how to use format strings to compromise a vulnerable application,

  • how to avoid format string vulnerabilities in your own programs.

What you should know...

  • the basics of C programming.


In the C programming language, format strings are strings containing special character sequences recognised by the printf() function and its derivatives (such as sprintf() or fprintf()). Format strings specify the formatting used to display the function's arguments. If an application allows the user to pass a custom string and then uses it as a format string, it is frequently possible for an attacker to prepare a string that makes the program execute arbitrary code.


How format strings work

To understand the idea behind format strings and see how they can be used to take control of an application, let's start by looking at Listing 1. It contains a tiny program which uses a format string to print a simple text message:

$ ./listing_1

Company name: Gardens-R-Us

Table 1. Basic format specifiers for format strings

  Format specifier | Result                              | Passed by
  -----------------+-------------------------------------+----------
  %d               | integer                             | value
  %u               | unsigned integer                    | value
  %x               | hexadecimal unsigned integer        | value
  %s               | string                              | reference
  %n               | number of characters written so far | reference

Listing 1. Simple program containing a format string


#include <stdio.h>

int main() {
    char *a = "Gardens-R-Us";
    /* the format string "%s" consumes the next argument, a, and prints it */
    printf("Company name: %s\n", a);
    return 0;
}

Listing 2. Program from Listing 1, but without the argument

#include <stdio.h>

int main() {
    /* deliberately no argument for %s: printf() will still read one from the stack */
    printf("Company name: %s\n");
    return 0;
}


What if the printf() function receives a format string, but no argument? Let's run the program shown in Listing 2:

$ ./listing_2

Company name: Da

To understand how our program came to print the Da string, we need to go into the details of how format strings work.

Figure 1. What happens on the stack when the program from Listing 1 is executed

Figure 1 shows what happens on the stack when the program from Listing 1 is executed (right after the call to printf()). Just before the function call, the function parameters are pushed onto the stack, these being a pointer to the string a and a pointer to the format string. The printf() function pops the format string pointer off the stack and fetches the actual string. Upon encountering the %s specifier, the function pops the next parameter - the pointer to a - and prints whatever the pointer is pointing at as a string (%s being the string format - see Table 1).

Figure 2. What happens on the stack when the program from Listing 2 is executed
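The mechanism above is exactly why a user-supplied format string is dangerous: every directive in it makes printf() read (or, with %n, write through) another stack slot, whether or not a matching argument was ever pushed. The following program is an added example, not code from the article; it places the vulnerable pattern next to its hardened form and adds a small audit helper. The function names (greet_unsafe, greet_safe, render_company_name, has_format_directive) and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the caller's data IS the format string, so any
   %-directives in it are interpreted by printf() (reads of further stack
   slots with %x or %s, writes with %n). Shown only so the shape is
   recognisable in code review. */
void greet_unsafe(const char *name)
{
    printf(name);          /* BUG: name is used as the format string */
    putchar('\n');
}

/* Hardened form: the format string is a constant and the data travels
   as an argument, so a "%n" inside name is printed as two characters. */
void greet_safe(const char *name)
{
    printf("%s\n", name);
}

/* Same rule for formatting into a buffer: constant format, bounded size.
   Returns the length the full output would have (snprintf semantics), so
   a caller can compare it with the buffer size to detect truncation. */
int render_company_name(char *out, size_t outsz, const char *company)
{
    return snprintf(out, outsz, "Company name: %s", company);
}

/* Audit helper (assumed use: a log filter or fuzzing harness, not a
   replacement for a constant format): returns 1 if s contains a
   conversion directive, treating "%%" as a literal percent sign. */
int has_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') {      /* "%%" escapes the percent sign */
            p += 2;
            continue;
        }
        return 1;               /* "%" followed by anything else */
    }
    return 0;
}

int main(void)
{
    char buf[64];
    const char *company = "Gardens-R-Us";   /* constructed sample input */
    const char *hostile = "%x %x %x %n";    /* constructed sample input */

    greet_safe(company);
    greet_safe(hostile);   /* printed literally; the directives are not interpreted */
    render_company_name(buf, sizeof buf, company);
    puts(buf);
    printf("hostile input contains directives: %d\n", has_format_directive(hostile));
    return 0;
}
```

Compiling with -Wformat-security (enabled by -Wformat=2 in GCC and Clang) flags the greet_unsafe() call, since the compiler sees a non-literal format with no arguments; this is the cheapest check to add to a build that handles untrusted strings.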

Copyright © 2006 by Software Developer's Journal. All rights reserved.