[Forgot Password]
Login  Register Subscribe

23631

 
 

117687

 
 

98250

 
 

909

 
 

79198

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Uncontrolled Format String

ID: 134Date: (C)2012-05-14   (M)2017-11-29
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

The software uses externally-controlled format strings in printf-style functions, which can lead to buffer overflows or data representation problems.

Likelihood of Exploit: Very High

Applicable Platforms
Language: Often
Language: C
Language: Often
Language: C++
Language: Rarely
Language: Perl
Language Class: Languages that support format strings

Time Of Introduction

  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Confidentiality
 
Read memory
 
Format string problems allow for information disclosure which can severely simplify exploitation of the program.
 
Integrity
Confidentiality
Availability
 
Execute unauthorized code or commands
 
Format string problems can result in the execution of arbitrary code.
 

Detection Methods

NameDescriptionEffectivenessNotes
Automated Static Analysis
 
This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.
 
  
Black Box
 
Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.
 
Limited
 
 

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Requirements
 
 Choose a language that is not subject to this flaw.
 
  
Implementation
 
 Ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [R.134.1] [R.134.2]
 
  
Build and Compilation
 
 Heed the warnings of compilers and linkers, since they may alert you to improper usage.
 
  

Relationships

Related CWETypeViewChain
CWE-134 ChildOf CWE-896 Category CWE-888  

Demonstrative Examples   (Details)

  1. Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:
  2. The following code copies a command line argument into a buffer using snprintf().
  3. The following example is exploitable, due to the printf() call in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple.

Observed Examples

  1. CVE-2002-1825 : format string in Perl program
  2. CVE-2001-0717 : format string in bad call to syslog function
  3. CVE-2002-0573 : format string in bad call to syslog function
  4. CVE-2002-1788 : format strings in NNTP server responses
  5. CVE-2006-2480 : Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.
  6. CVE-2007-2027 : Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
A weakness where the code path has:
1. start statement that accepts input
2. end statement that passes a format string to format string function where
a. the input data is part of the format string and
b. the format string is undesirable
Where "undesirable" is defined through the following scenarios:
1. not validated
2. incorrectly validated

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  Format string vulnerability
 
 
7 Pernicious Kingdoms  Format String
 
 
CLASP  Format string problem
 
 
CERT C Secure Coding FIO30-C
 
Exclude user input from format strings
 
Exact
 
OWASP Top Ten 2004 A1
 
Unvalidated Input
 
CWE_More_Specific
 
CERT C Secure Coding FIO30-C
 
Exclude user input from format strings
 
 
WASC 6
 
Format String
 
 
CERT Java Secure Coding IDS06-J
 
Exclude user input from format strings
 
 
CERT C++ Secure Coding FIO30-CPP
 
Exclude user input from format strings
 
 

References:

  1. Steve Christey .Format String Vulnerabilities in Perl Programs.
  2. Hal Burch Robert C. Seacord .Programming Language Format String Vulnerabilities.
  3. Tim Newsham .Format String Attacks. Guardent. Published on September 2000.
  4. M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 5, "Format String Bugs" Page 147'. Published on 2002.
  5. Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 6: Format String Problems." Page 109'. Published on 2010.
  6. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 8, "C Format Strings", Page 422.'. Published on 2006.
CVE    140
CVE-2007-3880
CVE-2007-5545
CVE-2007-5561
CVE-2007-6273
...

© 2013 SecPod Technologies