Format String

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-6

Format String Attack

Format String Attacks alter the flow of an application by abusing string-formatting library features to access memory the formatting call was never meant to reach. The vulnerability occurs when user-supplied data is used directly as the format string argument of certain C/C++ functions (e.g. fprintf, printf, sprintf, setproctitle, syslog, ...).

If an attacker passes a format string consisting of printf conversion characters (e.g. "%f", "%p", "%n", etc.) as a parameter value to the web application, they may:

  • Execute arbitrary code on the server
  • Read values off the stack
  • Cause segmentation faults / software crashes

Format String attacks are related to two other attacks in the Threat Classification: Buffer Overflows and Integer Overflows. All three rely on the ability to manipulate memory, or the way the program interprets it, in a way that serves the attacker's goal.

Example

Let's assume that a web application has a parameter emailAddress whose value is controlled by the user. The application prints the value of this parameter by passing it straight to the printf function:

 printf(emailAddress); /* user-controlled data supplied as the format string */

If the value sent to the emailAddress parameter contains conversion characters, printf parses them and consumes the arguments that it expects to have been supplied for each one. Since no such arguments were actually passed, printf reads whatever is on the stack where those arguments would have been, in the order the conversion characters dictate.

In such a case, a Format String Attack can be used to:

  • Read data from the stack:

If the output stream of the printf function is presented back to the attacker, they may read values off the stack by sending the conversion character "%x" one or more times.

  • Read character strings from the process' memory:

If the output stream of the printf function is presented back to the attacker, they can read character strings at arbitrary memory locations by using the "%s" conversion character (combined with other conversion characters to reach specific locations).

  • Write an integer to locations in the process' memory:

By using the "%n" conversion character, an attacker may write an integer value to any location in memory, e.g. to overwrite program flags that control access privileges, or to overwrite return addresses on the stack.
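As an added example (not code from the WASC page or from any project it cites), the vulnerable printf call shown above beside its fixed form, plus a constructed helper that counts the conversion specifiers an input would introduce; the helper, its name and the sample input are assumptions made here:

```c
#include <stdio.h>
#include <string.h>
/* Vulnerable pattern from the page: user data becomes the format string, so
 * "%x" reads arguments that were never passed and "%n" writes through them.
 * Shown for contrast only; never call it with untrusted input. */
static void echo_vulnerable(const char *emailAddress)
{
    printf(emailAddress);
}

/* Fix: constant format, user data as an argument. "%x%x%n" prints literally. */
static void echo_fixed(const char *emailAddress)
{
    printf("%s\n", emailAddress);
}

/* Same fix when building a log line into a buffer; returns the snprintf
 * result so callers can detect truncation. */
static int render_fixed(char *out, size_t outsz, const char *emailAddress)
{
    return snprintf(out, outsz, "user=%s", emailAddress);
}

/* Constructed helper (assumption, not from the page): count the conversion
 * specifiers the input would introduce if it were used as a format. "%%" is
 * a literal percent and does not count. A detection signal for a logging or
 * validation wrapper, not a substitute for the constant-format fix. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }   /* skip escaped "%%" */
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    const char *sample = "%x%x%n";   /* constructed attacker-style input */
    echo_fixed(sample);
    render_fixed(buf, sizeof buf, sample);
    printf("%s (conversions: %d)\n", buf, count_conversions(sample));
    (void)echo_vulnerable;           /* declared for contrast, never called */
    return 0;
}
```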
