
Format String Vulnerabilities: Use and Definitions

Introduction

In the previous article, we looked at how print functions such as printf work. This article defines Format String vulnerabilities in more detail. We begin by discussing how format strings can be used in an unusual way, which is the starting point for understanding Format String exploits. Next, we look at the kinds of coding mistakes that cause format string vulnerabilities by exploring some examples, and finally we discuss the various risks that Format String vulnerabilities bring with them.

Unusual usage of printf function:

Let us begin by considering the following example, which shows an unusual way of using the printf function in the C language.

The C program below supplies one more format specifier than the number of variables to be printed. The program has 5 variables (a, b, c, d, e) to print, but the format string contains 6 format specifiers.

test6.c

#include <stdio.h>

int main(void)
{
    int a = 100;
    float b = 2.3;
    int *c;
    c = &a;
    char d[] = "demo";
    char *e = d;

    /* Six conversion specifiers but only five arguments: the last %p has no
       matching argument and prints whatever value the calling convention
       places next (on the stack or in a register). That mismatch is the
       point of this demonstration and is kept as written. */
    printf("%d, %1.1f, %p, %p, %p, %p \n", a, b, (void *)c, (void *)d, (void *)e);
    return 0;
}


When the printf function is executed in the preceding program, the following events occur:

  1. The data held in variable a (on the stack) replaces the format specifier %d, and the integer value 100 is printed.
  2. The data held in variable b (on the stack) replaces the format specifier %1.1f, and the float value 2.3 is printed.
  3. The data held in variable c (on the stack) replaces the first %p, and the address of variable a, which is a pointer to the data stored in a, is printed.
  4. The data available in variable d (on the stack), will replace the format specifier %p and the address of (Read more...)
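The mismatch above (six directives, five arguments) is exactly what a reviewer or a compiler warning looks for. As an added example that is not part of the original article, the C code below counts how many arguments a printf-style format string will consume, compares that with the number actually passed, and shows the hardened logging pattern in which untrusted text is passed as data to a fixed "%s" format rather than used as the format itself. The function names (format_arg_count, format_mismatch, log_line_safe) and the sample strings are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Count how many variadic arguments a printf-style format string consumes.
 * Handles "%%" (no argument), flags, width and precision (a '*' in either
 * position consumes one extra int argument), and length modifiers.
 * Returns -1 when a '%' is not followed by a conversion character.
 * Note: %n also consumes an argument (a pointer), so it is counted too.
 */
int format_arg_count(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;                                   /* character after '%' */
        if (*p == '%')                         /* "%%" prints a literal '%' */
            continue;
        while (*p == '-' || *p == '+' || *p == ' ' || *p == '#' || *p == '0')
            p++;                               /* flags */
        if (*p == '*') { count++; p++; }       /* width from an int argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                       /* precision */
            p++;
            if (*p == '*') { count++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p != '\0' && strchr("hljztL", *p) != NULL)
            p++;                               /* length modifiers */
        if (*p == '\0')
            return -1;                         /* dangling '%' at end of string */
        count++;                               /* the conversion itself */
    }
    return count;
}

/*
 * Difference between directives in fmt and arguments passed at the call site.
 * A positive result means printf will read beyond the supplied arguments,
 * as test6.c does with its sixth %p. Returns -1 for a malformed format.
 */
int format_mismatch(const char *fmt, int args_passed)
{
    int needed = format_arg_count(fmt);
    if (needed < 0)
        return -1;
    return needed - args_passed;
}

/*
 * Hardened logging: the untrusted message is always an argument to a fixed
 * format, so a message such as "%p %p" is copied literally, never interpreted.
 */
int log_line_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

int main(void)
{
    /* constructed input mirroring the format string used in test6.c */
    const char *fmt = "%d, %1.1f, %p, %p, %p, %p \n";
    printf("directives=%d passed=5 extra=%d\n",
           format_arg_count(fmt), format_mismatch(fmt, 5));

    char buf[64];
    log_line_safe(buf, sizeof buf, "%p %p %p");   /* constructed untrusted text */
    printf("safe log: %s\n", buf);
    return 0;
}
```

Run as written, the program reports one extra directive for the test6.c format string and prints "%p %p %p" literally from the hardened logger; the same string handed to printf as the format would instead consume values the caller never supplied.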

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/LFk0QQVueF4/