Format String Vulnerabilities

C++ and strings

The C++ programming language has a couple of different variable types designed to manage text data. These include C strings, which are defined as arrays of characters, and the C++ string data type.

These types of variables can be used for a variety of different purposes. The most visible is printing messages to the console, but strings can also be used to read from and write to files, can be copied from one memory buffer to another, etc.

An array of C++ functions exist for C++ string manipulation. These include functions like printf and scanf.

The definitions of these functions include a requirement for a format string. This format string can either be a self-contained string to be printed, copied and so on, or it can draw from other variables to build the final string. A failure to use this format string properly creates vulnerabilities in a C++ application.

What are format specifiers?

A C++ format string can be a simple collection of characters. However, this is not a requirement. C++ also permits the use of format specifiers to enable functions like printf to take additional arguments and use them to build the final string.

Some of the more commonly used format specifiers include %d and %i (printing integers), %f (printing floating point numbers) and %s (printing a C string).

However, a number of other format string specifiers exist as well. Some of the more useful ones include:

  • %h: Printing the contents of the indicated memory address in hexadecimal
  • %p: Printing memory as a pointer
  • %n: Writing the number of values printed so far to the indicated memory address

Used properly, format strings and format specifiers enable a developer to perform a number of useful operations in an efficient and compact manner. However, these same format specifiers (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: