Uncontrolled Format String| ID: 134 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The software uses externally-controlled format strings in
printf-style functions, which can lead to buffer overflows or data
representation problems.
Likelihood of Exploit: Very High
Applicable PlatformsLanguage: OftenLanguage: CLanguage: OftenLanguage: C++Language: RarelyLanguage: PerlLanguage Class: Languages that support format strings
Time Of Introduction
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Confidentiality | Read memory | Format string problems allow for information disclosure which can
severely simplify exploitation of the program. |
| IntegrityConfidentialityAvailability | Execute unauthorized code or
commands | Format string problems can result in the execution of arbitrary
code. |
Detection Methods
| Name | Description | Effectiveness | Notes |
|---|
| Automated Static Analysis | This weakness can often be detected using automated static analysis
tools. Many modern tools use data flow analysis or constraint-based
techniques to minimize the number of false positives. | | |
| Black Box | Since format strings often occur in rarely-occurring erroneous
conditions (e.g. for error message logging), they can be difficult to
detect using black box methods. It is highly likely that many latent
issues exist in executables that do not have associated source code (or
equivalent source. | Limited | |
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Requirements | | Choose a language that is not subject to this flaw. | | |
| Implementation | | Ensure that all format string functions are passed a static string
which cannot be controlled by the user and that the proper number of
arguments are always sent to that function as well. If at all possible,
use functions that do not support the %n operator in format strings.
[R.134.1] [R.134.2] | | |
| Build and Compilation | | Heed the warnings of compilers and linkers, since they may alert you
to improper usage. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-134 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- Certain implementations make more advanced attacks even easier by
providing format directives that control the location in memory to read from
or write to. An example of these directives is shown in the following code,
written for glibc:
- The following code copies a command line argument into a buffer
using snprintf().
- The following example is exploitable, due to the printf() call in
the printWrapper() function. Note: The stack buffer was added to make
exploitation more simple.
Observed Examples
- CVE-2002-1825 : format string in Perl program
- CVE-2001-0717 : format string in bad call to syslog function
- CVE-2002-0573 : format string in bad call to syslog function
- CVE-2002-1788 : format strings in NNTP server responses
- CVE-2006-2480 : Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.
- CVE-2007-2027 : Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages
For more examples, refer to CVE relations in the bottom box.
White Box DefinitionsA weakness where the code path has:1. start statement that accepts input2. end statement that passes a format string to format string function
wherea. the input data is part of the format string andb. the format string is undesirableWhere "undesirable" is defined through the following scenarios:1. not validated2. incorrectly validated
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Format string vulnerability | |
| 7 Pernicious Kingdoms | | Format String | |
| CLASP | | Format string problem | |
| CERT C Secure Coding | FIO30-C | Exclude user input from format strings | Exact |
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE_More_Specific |
| CERT C Secure Coding | FIO30-C | Exclude user input from format strings | |
| WASC | 6 | Format String | |
| CERT Java Secure Coding | IDS06-J | Exclude user input from format strings | |
| CERT C++ Secure Coding | FIO30-CPP | Exclude user input from format strings | |
References:
- Steve Christey .Format String Vulnerabilities in Perl
Programs.
- Hal Burch Robert C. Seacord .Programming Language Format String
Vulnerabilities.
- Tim Newsham .Format String Attacks. Guardent. Published on September 2000.
- M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 5, "Format String Bugs" Page 147'. Published on 2002.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 6: Format String Problems." Page 109'. Published on 2010.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 8, "C Format Strings", Page 422.'. Published on 2006.
