Uncontrolled Format String - Details

Details

A typical exploit uses a combination of these techniques to force a program to overwrite the address of a library function or the return address on the stack with a pointer to some malicious shellcode. The padding parameters to format specifiers are used to control the number of bytes output and the %x token is used to pop bytes from the stack until the beginning of the format string itself is reached. The start of the format string is crafted to contain the address that the %n format token can then overwrite with the address of the malicious code to execute.

This is a common vulnerability because format bugs were previously thought harmless and resulted in vulnerabilities in many common tools. MITRE's CVE project lists roughly 500 vulnerable programs as of June 2007, and a trend analysis ranks it the 9th most-reported vulnerability type between 2001 and 2006.

Format string bugs most commonly appear when a programmer wishes to print a string containing user supplied data. The programmer may mistakenly write printf(buffer) instead of printf("%s", buffer). The first version interprets buffer as a format string, and parses any formatting instructions it may contain. The second version simply prints a string to the screen, as the programmer intended.

Format bugs arise because C's argument passing conventions are not type-safe. In particular, the varargs mechanism allows functions to accept any number of arguments (e.g. printf) by "popping" as many arguments off the call stack as they wish, trusting the early arguments to indicate how many additional arguments are to be popped, and of what types.

Format string bugs can occur in other programming languages besides C, although they appear with less frequency and usually cannot be exploited to execute code of the attacker's choice.

Format bugs were first noted in 1990 in the fuzz testing work done at the University of Wisconsin (see Miller, Fredriksen, So 1990). They called these bugs "interaction effects" and noted their presence when testing the C shell (csh).

The use of format string bugs as an attack vector was discovered by Tymm Twillman during a security audit of the ProFTPd daemon. The audit uncovered an snprintf that directly passed user-generated data without a format string. Extensive tests with contrived arguments to printf-style functions showed that use of this for privilege escalation was actually possible. This led to the first posting in September 1999 on the Bugtraq mailing list regarding this class of vulnerabilities, including a basic exploit. It was still several months, however, before the security community became aware of the full dangers of format string vulnerabilities as exploits for other software using this method began to surface. The first exploits leading to successful privilege escalation attack were published simultaneously on the Bugtraq list in June 2000 by Przemysław Frasunek and the person using nickname tf8. The seminal paper "Format String Attacks" by Tim Newsham was published in September 2000.

Read more about this topic:  Uncontrolled Format String

Famous quotes containing the word details:

    Working women today are trying to achieve in the work world what men have achieved all along—but men have always had the help of a woman at home who took care of all the other details of living! Today the working woman is also that woman at home, and without support services in the workplace and a respect for the work women do within and outside the home, the attempt to do both is taking its toll—on women, on men, and on our children.
    Jeanne Elium (20th century)

    Anyone can see that to write Uncle Tom’s Cabin on the knee in the kitchen, with constant calls to cooking and other details of housework to punctuate the paragraphs, was a more difficult achievement than to write it at leisure in a quiet room.
    Anna Garlin Spencer (1851–1931)