311:-family functions, proper use implies a separate argument for the format string and the arguments to be formatted. Faulty uses of such functions can be spotted by simply counting the number of arguments passed to the function; an "argument deficiency" is then a strong indicator that the function was misused.
218:
mailing list regarding this class of vulnerabilities, including a basic exploit. It was still several months, however, before the security community became aware of the full dangers of format string vulnerabilities as exploits for other software using this method began to surface. The first exploits
135:
as a format string, and parses any formatting instructions it may contain. The second version simply prints a string to the screen, as the programmer intended. Both versions behave identically in the absence of format specifiers in the string, which makes it easy for the mistake to go unnoticed by
319:
Counting the number of arguments is often made easy on x86 due to a calling convention where the caller removes the arguments that were pushed onto the stack by adding to the stack pointer after the call, so a simple examination of the stack correction yields the number of arguments passed to the
290:
Most of these are only useful for detecting bad format strings that are known at compile-time. If the format string may come from the user or from a source external to the application, the application must validate the format string before using it. Care must also be taken if the application
213:
that directly passed user-generated data without a format string. Extensive tests with contrived arguments to printf-style functions showed that use of this for privilege escalation was possible. This led to the first posting in
September 1999 on the
168:
Format string bugs can occur in other programming languages besides C, such as Perl, although they appear with less frequency and usually cannot be exploited to execute code of the attacker's choice.
123:
Format string bugs most commonly appear when a programmer wishes to output a string containing user supplied data (either to a file, to a buffer, or to the user). The programmer may mistakenly write
106:
token is used to pop bytes from the stack until the beginning of the format string itself is reached. The start of the format string is crafted to contain the address that the
98:(IP) of a process, for example by forcing a program to overwrite the address of a library function or the return address on the stack with a pointer to some malicious
120:
project lists roughly 500 vulnerable programs as of June 2007, and a trend analysis ranks it the 9th most-reported vulnerability type between 2001 and 2006.
307:
Contrary to many other security issues, the root cause of format string vulnerabilities is relatively easy to detect in x86-compiled executables: For
753:
117:
113:
This is a common vulnerability because format bugs were previously thought harmless and resulted in vulnerabilities in many common tools.
782:
474:
219:
that brought the issue to common awareness (by providing remote root access via code execution) were published simultaneously on the
704:
677:
586:
762:
165:
as they wish, trusting the early arguments to indicate how many additional arguments are to be popped, and of what types.
243:
was published in
September 2000 and other detailed technical explanation papers were published in September 2001 such as
727:
248:
394:
333:
720:
613:
630:
482:
363:
57:
259:
Many compilers can statically check format strings and produce warnings for dangerous or suspect formats. In
260:
548:
224:
78:
or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the
37:
650:
339:
102:. The padding parameters to format specifiers are used to control the number of bytes output and the
49:
662:
196:
95:
53:
499:
659:
Buffer
Overflows und Format-String-Schwachstellen - Funktionsweisen, Exploits und GegenmaĂźnahmen
86:
and similar functions to write the number of bytes formatted to an address stored on the stack.
700:
688:
673:
644:
114:
45:
559:
544:
507:
491:
41:
17:
766:
185:
180:
work done at the
University of Wisconsin, which discovered an "interaction effect" in the
448:
696:
239:
list by Pascal
Bouchareine in July 2000. The seminal paper "Format String Attacks" by
200:
34:
231:. They were shortly followed by an explanation, posted by a person using the nickname
776:
730:
427:
368:
192:
503:
295:
parameter can be used to detect certain types of attacks occurring at run-time. The
667:
177:
110:
format token can then overwrite with the address of the malicious code to execute.
759:
291:
generates or selects format strings on the fly. If the GNU C library is used, the
598:
533:
461:
389:
601:
240:
140:
94:
A typical exploit uses a combination of these techniques to take control of the
738:
162:
150:
75:
583:
571:
99:
632:
FormatGuard: Automatic
Protection From printf Format String Vulnerabilities
209:
158:
495:
48:
a program or to execute harmful code. The problem stems from the use of
236:
220:
215:
204:
181:
358:
345:
145:
62:
44:. Originally thought harmless, format string exploits can be used to
748:
743:
139:
Format bugs arise because C's argument passing conventions are not
399:
352:
473:
Miller, Barton P.; Fredriksen, Lars; So, Bryan (December 1990) .
188:
mechanism and an error routine that assumed safe string input.
560:'WuFTPD: Providing *remote* root since at least 1994' - MARC
371:
is a similar attack that succeeds when input is not filtered
614:
Warning
Options - Using the GNU Compiler Collection (GCC)
475:"An Empirical Study of the Reliability of UNIX Utilities"
462:
638:. Proceedings of the 10th USENIX Security Symposium.
74:
format tokens, among others, to print data from the
572:
Bugtraq: format bugs, in addition to the wuftpd bug
739:WASC Threat Classification - Format String Attacks
529:
527:
8:
336:exploits a similar kind of programming error
176:Format bugs were first noted in 1989 by the
422:
420:
418:
416:
60:functions that perform formatting, such as
40:discovered around 1989 that can be used in
428:"Exploiting Format String Vulnerabilities"
646:Software Security for Open-Source Systems
545:'WUFTPD 2.6.0 remote root exploit' - MARC
449:"Vulnerability Type Distributions in CVE"
732:Exploiting Format String Vulnerabilities
643:Cowan, Crispin (January–February 2003),
245:Exploiting Format String Vulnerabilities
153:to accept any number of arguments (e.g.
381:
721:Introduction to format string exploits
534:Bugtraq: Exploit for proftpd 1.2.0pre6
760:Secure Programming with GCC and GLibc
390:"CWE-134: Uncontrolled Format String"
7:
195:was discovered in September 1999 by
191:The use of format string bugs as an
263:, the relevant compiler flags are,
315:Detection in x86-compiled binaries
235:. "Format bugs" was posted to the
25:
227:and a person using the nickname
649:, IEEE Security & Privacy,
589:July 2000 by Pascal Bouchareine
207:daemon. The audit uncovered an
131:. The first version interprets
66:. A malicious user may use the
629:Cowan, Crispin (August 2001).
599:Bugtraq: Format String Attacks
27:Type of software vulnerability
1:
749:CERT Secure Coding Initiative
574:June 2000, by Lamagra Argamal
82:format token, which commands
744:CERT Secure Coding Standards
395:Common Weakness Enumeration
334:Cross-application scripting
261:the GNU Compiler Collection
18:Format string vulnerability
799:
783:Computer security exploits
769:(2008), by Marcel Holtmann
693:Secure Coding in C and C++
661:(in German) (1 ed.).
31:Uncontrolled format string
723:2013-05-02, by Alex Reece
483:Communications of the ACM
364:Improper input validation
299:check is more stringent.
756:at MITRE's CVE project.
255:Prevention in compilers
157:) by "popping" as many
657:Klein, Tobias (2004).
273:-Wno-format-extra-args
754:Known vulnerabilities
651:IEEE Computer Society
223:list in June 2000 by
143:. In particular, the
56:parameter in certain
584:Bugtraq: Format Bugs
340:Cross-site scripting
129:printf("%s", buffer)
50:unchecked user input
549:Przemysław Frasunek
496:10.1145/96267.96279
435:julianor.tripod.com
324:-family function.'
297:-Wformat-nonliteral
293:-D_FORTIFY_SOURCE=2
281:-Wformat-nonliteral
225:Przemysław Frasunek
96:instruction pointer
765:2008-11-21 at the
691:(September 2005).
689:Seacord, Robert C.
184:(csh) between its
277:-Wformat-security
149:mechanism allows
42:security exploits
16:(Redirected from
790:
733:
710:
683:
671:
653:
639:
637:
616:
611:
605:
596:
590:
581:
575:
569:
563:
557:
551:
542:
536:
531:
522:
521:
519:
518:
512:
506:. Archived from
479:
470:
464:
459:
453:
452:
445:
439:
438:
432:
424:
411:
410:
408:
407:
386:
355:
348:
323:
310:
298:
294:
286:
282:
278:
274:
270:
266:
212:
156:
148:
134:
130:
126:
109:
105:
85:
81:
73:
69:
65:
21:
798:
797:
793:
792:
791:
789:
788:
787:
773:
772:
767:Wayback Machine
735:v1.2 2001-09-09
731:
717:
707:
687:
684:(vii+663 pages)
680:
665:
656:
642:
635:
628:
625:
623:Further reading
620:
619:
612:
608:
597:
593:
582:
578:
570:
566:
558:
554:
547:, June 2000 by
543:
539:
532:
525:
516:
514:
510:
477:
472:
471:
467:
460:
456:
447:
446:
442:
430:
426:
425:
414:
405:
403:
388:
387:
383:
378:
351:
344:
330:
321:
317:
308:
305:
296:
292:
284:
280:
276:
272:
268:
264:
257:
208:
186:command history
174:
154:
144:
136:the developer.
132:
128:
124:
107:
103:
92:
83:
79:
71:
67:
61:
28:
23:
22:
15:
12:
11:
5:
796:
794:
786:
785:
775:
774:
771:
770:
757:
751:
746:
741:
736:
724:
716:
715:External links
713:
712:
711:
705:
697:Addison Wesley
685:
678:
654:
640:
624:
621:
618:
617:
606:
604:September 2000
591:
576:
564:
552:
537:
523:
465:
454:
440:
412:
380:
379:
377:
374:
373:
372:
366:
361:
356:
349:
342:
337:
329:
326:
316:
313:
304:
301:
256:
253:
201:security audit
173:
170:
125:printf(buffer)
91:
88:
35:code injection
26:
24:
14:
13:
10:
9:
6:
4:
3:
2:
795:
784:
781:
780:
778:
768:
764:
761:
758:
755:
752:
750:
747:
745:
742:
740:
737:
734:
729:
725:
722:
719:
718:
714:
708:
706:0-321-33572-4
702:
698:
694:
690:
686:
681:
679:3-89864-192-9
675:
669:
664:
663:dpunkt.verlag
660:
655:
652:
648:
647:
641:
634:
633:
627:
626:
622:
615:
610:
607:
603:
600:
595:
592:
588:
585:
580:
577:
573:
568:
565:
561:
556:
553:
550:
546:
541:
538:
535:
530:
528:
524:
513:on 2018-02-07
509:
505:
501:
497:
493:
490:(12): 32–44.
489:
485:
484:
476:
469:
466:
463:
458:
455:
451:. 2007-05-22.
450:
444:
441:
437:. 2001-09-01.
436:
429:
423:
421:
419:
417:
413:
401:
397:
396:
391:
385:
382:
375:
370:
369:SQL injection
367:
365:
362:
360:
357:
354:
350:
347:
343:
341:
338:
335:
332:
331:
327:
325:
314:
312:
302:
300:
288:
262:
254:
252:
250:
246:
242:
238:
234:
230:
226:
222:
217:
211:
206:
202:
198:
197:Tymm Twillman
194:
193:attack vector
189:
187:
183:
179:
171:
169:
166:
164:
160:
152:
147:
142:
137:
121:
119:
116:
111:
101:
97:
89:
87:
77:
64:
59:
55:
54:format string
51:
47:
43:
39:
38:vulnerability
36:
33:is a type of
32:
19:
726:scut / team-
692:
658:
645:
631:
609:
594:
579:
567:
555:
540:
515:. Retrieved
508:the original
487:
481:
468:
457:
443:
434:
404:. Retrieved
402:. 2010-12-13
393:
384:
318:
306:
289:
258:
244:
232:
228:
190:
178:fuzz testing
175:
167:
138:
122:
112:
93:
30:
29:
666: [
602:Tim Newsham
587:Format bugs
241:Tim Newsham
127:instead of
517:2021-10-11
406:2011-03-05
376:References
285:-Wformat=2
247:, by team
163:call stack
76:call stack
303:Detection
199:during a
159:arguments
151:functions
141:type-safe
100:shellcode
777:Category
763:Archived
504:14313707
328:See also
269:-Wformat
210:snprintf
161:off the
84:printf()
63:printf()
237:Bugtraq
233:lamagra
221:Bugtraq
216:Bugtraq
205:ProFTPD
203:of the
182:C shell
172:History
146:varargs
115:MITRE's
90:Details
52:as the
703:
676:
562:by tf8
502:
359:syslog
346:printf
322:printf
309:printf
283:, and
155:printf
133:buffer
670:]
636:(PDF)
511:(PDF)
500:S2CID
478:(PDF)
431:(PDF)
400:MITRE
353:scanf
265:-Wall
46:crash
728:TESO
701:ISBN
674:ISBN
249:Teso
70:and
492:doi
229:tf8
118:CVE
779::
699:.
695:.
672:.
668:de
526:^
498:.
488:33
486:.
480:.
433:.
415:^
398:.
392:.
287:.
279:,
275:,
271:,
251:.
108:%n
104:%x
80:%n
72:%x
68:%s
709:.
682:.
520:.
494::
409:.
267:,
58:C
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.