Appsec Knowledge Base

FORMAT STRING FLAWS

What Is a Format String Attack?

A format string attack occurs when an application interprets data as a command and allows an attacker to access the underlying code base. The offending code alters the flow of an application using string formatting library features. This lets an attacker gain access to other memory space. A format string attack can result in a number of exploits, including the ability to inject malware, execute unauthorized commands, and cause segmentation faults that result in changes that diminish the stability of a system or exploit it directly. A format string attack takes place because the application doesn’t properly validate input from the attacker. It most commonly occurs in applications running C, C++ and Perl.

Relevant CWEs:

Severity: 5 Very High

Prevalence: Very Low, Format String vulnerabilities are found in less than 1% of applications

Anatomy of an Attack

A format string attack begins when an intruder takes aim at the Format Function, an ANSII conversion tool designed to convert a more primitive variable of a programming language into a useful human-readable format. Format Function is designed to handle routine tasks such as printf (which outputs a formatted string), fprint (which writes the printf to a file), and sprint (which prints into a string).

However, if these functions aren’t adequately protected, the application can be at risk for a format string attack. The attacker may explore and test the software by inserting specific formatting characters via a form at a website or another input tool. When an application receives certain conversion characters, such as "%f", "%p", or "%n", the attacker is allowed to execute arbitrary code on a server, read values from an attack, or cause segmentation faults or software crashes.

Impact of an Attack

Once an attacker finds a successful intrusion point, he or she can read data from the stack, read character strings from the process memory, or write an integer to locations in the process memory. This allows the attacker to override critical program flags and controls. A format string attack is similar to a buffer overflow or integer overflow. All are rooted in an attacker’s ability to manipulate memory functions. Someone who gains control of a system using a format string attack can read or alter data, change security controls, crash applications, or launch a denial of service (DoS) attack.

Ask A Qualified Appsec Expert

Struggling with fixing a code weakness? Knowledgeable consultants at Veracode can help you out.

Ask in the Community

Attack and Defense Examples

Example #1

This example from OWASP demonstrates how an application will react and behave when it doesn’t receive the necessary validation in the input of a format string. In this example, the application operates normally and has normal inputs. Here’s what the source code for this normal state looks like:

#include  
#include  
#include  

int main (int argc, char **argv)
{
	char buf [100];
	int x = 1 ; 
	snprintf ( buf, sizeof buf, argv [1] ) ;
	buf [ sizeof buf -1 ] = 0;
	printf ( “Buffer size is: (%d) \nData input: %s \n” , strlen (buf) , buf ) ;
	printf ( “X equals: %d/ in hex: %#x\nMemory address for x: (%p) \n” , x, x, &x) ;
	return 0 ;
}

Next, the program supplies outputs when running expected inputs. In this case, the program received the string “Bob” as input and returned it in the output.

./formattest “Bob %x %x”
Buffer size is (14)
Data input : Bob bffff 8740
X equals: 1/ in hex: 0x1
Memory address for x (0xbffff73c)

The inputs “Bob” along with the format strings parameters will be attributed to the variable “buf” inside the code which should take the place of the “%s” in the Data input. So now the “printf: argument looks like:

printf ( “Buffer size is: (%d) \n Data input: Bob %x %x \n” , strlen (buf) , buf ) ;

At this point, when the application prints the results, the format function will interpret the format string inputs, showing the content of a memory address. This allows the attacker to proceed with the exploit.

Example #2

This example shows how a string format attack can lead to denial of service. Normally, when an invalid memory address is requested, the program is terminated.

printf (userName);

However, if the attacker inserts a sequence of format strings, the program will reveal the memory address where other data are stored. This increases the possibility that the program will read an illegal address, crashing the program and causing its non-availability.

printf (%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s);

Preventing Damage

The discovery of a format string attack requires an organization to check for further signs of intrusion or code modification. It also requires a fix for the vulnerable code so that no further damage will take place. Unchecked, a format string attack can lead to a serious breach of data as well as denial of service and other problems.

Remediation Is Critical

It’s important to check all code for format string attack vulnerabilities. One effective method is static analysis. It’s also crucial to fix existing code vulnerabilities. A simple line of code is typically effective. This might take the form of: “write("%s",s);” or “output (s);”

CA Veracode Can Aid in the Defense of Encapsulation Vulnerabilities

CA Veracode Web Application Scanning can safely, accurately, and quickly discover web application flaws, including SQL injection, in running web applications, in either production or pre-production environments.

CA Veracode Static Analysis can accurately identify SQL injection vulnerabilities and other flaws in your application and its third-party components and tell your developers exactly where and how to repair them. All without ever looking at the source code.

Our cloud-based application security platform helps you manage your application security program, track progress, and educate your developers on avoiding and repairing SQL injection and other security flaws through integrated eLearning materials.

 

 

contact menu