An attacker includes formatting characters in a string input field on the
target application. Most applications assume that users will provide static
text and may respond unpredictably to the presence of formatting characters.
For example, in the printf family of functions in the C programming
language, the conversion specifier %s takes a pointer argument and prints
the string it points to, and %n writes the number of bytes output so far
into the int that its pointer argument points to. When user input is used as
the format string itself, the attacker chooses the specifiers and the
function fetches the "arguments" for them from whatever happens to be on the
stack or in the argument registers. An attacker can use this to read or
write memory locations or files, or simply to manipulate the value of the
resulting text in unexpected ways. Reading or writing memory may result in
program crashes, and writing memory can result in the execution of arbitrary
code if the attacker can overwrite a control-flow target such as a return
address on the program stack, a function pointer or a GOT entry.
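The vulnerable and hardened patterns side by side, with a controlled
demonstration of what %n stores. This is an added example, not text or code
from the CAPEC entry; the function names and the sample input strings are
constructed for the demonstration. "%%" is used as the probe because it is
the one directive that consumes no argument, so the unsafe path can be shown
interpreting directives without triggering undefined behaviour:

```c
#include <stdio.h>
#include <string.h>

/* Added example (not part of the original entry). Sample inputs are
 * constructed for the demonstration. */

/* Vulnerable pattern: user-controlled text is used as the format string.
 * Every % directive in `user` is interpreted by snprintf, which then reads
 * arguments that were never passed (undefined behaviour). */
int format_unsafe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, user);
}

/* Hardened pattern: the format string is a constant and the user text is
 * passed as a plain %s argument, so its % characters are copied literally. */
int format_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

/* What %n does: it stores the number of bytes output so far into the int
 * its pointer argument points to. Here the pointer is a legitimate local;
 * in an attack the pointer value is whatever word the attacker planted or
 * found on the stack. */
int count_via_n(const char *prefix)
{
    char buf[64];
    int written = -1;
    snprintf(buf, sizeof buf, "%s%n", prefix, &written);
    return written;
}

int main(void)
{
    char out[64];
    format_unsafe(out, sizeof out, "100%% done");
    printf("unsafe: %s\n", out);   /* 100% done  : directive interpreted */
    format_safe(out, sizeof out, "100%% done");
    printf("safe:   %s\n", out);   /* 100%% done : copied literally       */
    printf("%%n stored %d\n", count_via_n("hello"));   /* 5 */
    return 0;
}
```

Compiling with `gcc -Wall -Wformat -Wformat-security` flags `format_unsafe`
with "format not a string literal and no format arguments", which is the
compile-time check for this pattern; `-Werror=format-security` turns it into
a build failure. Building with `-D_FORTIFY_SOURCE=2` on glibc additionally
aborts the process if a %n directive is found in a format string that lives
in writable memory, which is where an attacker-supplied one always is.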
Attack Execution Flow

Explore

Survey application: The attacker takes an inventory of the entry points of
the application.

Attack Step Techniques
1. Spider web sites for all available links. (env-Web)
2. List parameters, external variables, configuration file variables, etc.
   that are possibly used by the application. (env-All)

Outcomes
1. Success: At least one data input to the application identified.
2. Inconclusive: No inputs to the application identified. Note that just
   because no inputs are identified does not mean that the application will
   not accept any.
Experiment

Determine user-controllable input susceptible to format string injection:
For each user-controllable input that the attacker suspects is vulnerable to
format string injection, attempt to inject formatting characters such as
%n, %s, etc. The goal is to manipulate the string creation using these
formatting characters.

Attack Step Techniques
1. Inject a probe payload which contains formatting characters (%s, %d, %n,
   etc.) through input parameters.

Indicators
1. Positive: The attacker receives an abnormal message (for example one
   containing a partial dump of memory) from the application, which
   indicates that the format string was successfully manipulated.

Outcomes
1. Success: At least one user-controllable input susceptible to injection
   found.
2. Failure: No user-controllable input susceptible to injection found.
Security Controls
1. Detective: Search for and report format string injection indicators such
   as the use of %s, %n, %d, etc. in submitted user input.
2. Preventative: Refrain from using format string functions when they are
   not necessary; for example printf(str) can be replaced by
   fputs(str, stdout), and fprintf(stream, str) by fputs(str, stream).
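A concrete form of the detective control above: a scanner that counts the
printf-style directives in submitted input, ignoring the literal "%%", and
rates the input as a likely probe. This is an added example, not part of the
CAPEC entry; the function names, the threshold and the sample inputs are
constructed for the demonstration:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example (not part of the original entry). Sample inputs are
 * constructed for the demonstration. */

/* Number of consecutive argument-consuming directives that makes an input
 * look like a memory-dump probe (%x%x%x...). Assumed value; tune per app. */
#define PROBE_THRESHOLD 3

/* Counts the printf directives in s that would consume an argument
 * ("%%" is a literal percent and is not counted; "*" width/precision
 * consume an argument of their own). Sets *has_n if any directive is %n. */
int count_format_directives(const char *s, int *has_n)
{
    int count = 0;
    const char *p = s;
    if (has_n) *has_n = 0;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }                /* "%%" literal   */
        while (*p && strchr("-+ #0", *p)) p++;           /* flags          */
        if (*p == '*') { count++; p++; }                 /* width from arg */
        else while (isdigit((unsigned char)*p)) p++;     /* fixed width    */
        if (*p == '.') {                                 /* precision      */
            p++;
            if (*p == '*') { count++; p++; }
            else while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;         /* length modifier */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) {    /* conversion     */
            count++;
            if (*p == 'n' && has_n) *has_n = 1;
            p++;
        }
        /* otherwise a stray '%' without a valid conversion: keep scanning */
    }
    return count;
}

/* 2 = contains %n (write primitive, always report),
 * 1 = many argument-consuming directives (read/dump probe),
 * 0 = nothing worth reporting. */
int classify_format_probe(const char *input)
{
    int has_n;
    int count = count_format_directives(input, &has_n);
    if (has_n) return 2;
    if (count >= PROBE_THRESHOLD) return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, as they might appear in a request log. */
    static const char *samples[] = {
        "username=alice",
        "100%% done",
        "50% discount",
        "%x%x%x%x%x%x%x%x",
        "AAAA%08x.%08x.%n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int has_n;
        int count = count_format_directives(samples[i], &has_n);
        printf("severity=%d directives=%d has_n=%d  %s\n",
               classify_format_probe(samples[i]), count, has_n, samples[i]);
    }
    return 0;
}
```

The "50% discount" sample shows the false-positive trap: "% d" parses as a
space flag followed by a %d conversion, so a rule that alerts on any single
directive will fire on ordinary text. Treating %n as always reportable and
requiring several directives otherwise keeps the control useful on real
traffic; a lone %s or %p probe will then need a lower threshold or a
separate rule.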
Exploit

Try to exploit the format string injection vulnerability: After determining
that a given input is vulnerable to format string injection, hypothesize
what the underlying usage looks like (which function, how far the input sits
from the function's own arguments on the stack) and the associated
constraints such as length limits or characters that are filtered.

Attack Step Techniques
1. Insert various formatting characters to read or write memory, e.g.
   repeated %x or %p to dump stack words, or %n (commonly with POSIX
   positional arguments such as %7$n) to write at a chosen address and
   overwrite a return address, etc. (env-Web)

Indicators
1. Positive: Probing via format character injection was successful in
   identifying vulnerable input, and the attacker achieves the goal of
   reading or writing memory or manipulating the formatted string.
2. Inconclusive: The attacker is unable to exploit the format string
   injection vulnerability.
Attack Prerequisites
The target application must accept strings as user input, fail to sanitize
string formatting characters in the user input, and process this string
using functions that interpret string formatting characters.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
Untrusted search path vulnerability in the add_filename_to_string
function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local
users to cause Elinks to use an untrusted gettext message catalog (.po
file) in a "../po" directory, which can be leveraged to conduct format
string attacks.
Related Vulnerabilities
CVE-2007-2027
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
Discovering format string vulnerabilities takes only low skill; converting
that discovery into a working exploit, however, requires advanced knowledge
on the part of the attacker.
Resources Required
No special resources are required beyond the ability to provide string input
to the target.
Solutions and Mitigations
Limit the usage of formatting string functions.
Strong input validation - All user-controllable input must be validated
and filtered for illegal formatting characters.
Attack Motivation-Consequences
Scope: Technical Impact
Integrity: Modify memory
Confidentiality: Read memory
Integrity: Modify files or directories
Confidentiality: Read files or directories
Integrity: Modify application data
Confidentiality: Read application data
Gain privileges / assume identity
Execute unauthorized code or commands
Bypass protection mechanism
Injection Vector
User-controllable input used as formatting string.
Payload
Formatting characters associated with malicious string content intended to
reveal information or modify the memory.
User-controllable input shall not be used directly as the format string of a
formatting function, e.g. printf(user_controllable). Special formatting
characters in user-controllable input must be escaped before use by the
application in a formatting string function.
Ensure that all format string functions are passed a static string which
cannot be controlled by the user, and that the proper number of arguments is
always sent to that function as well; compilers will check both for literal
format strings when -Wformat and -Wformat-security are enabled. If at all
possible, use functions that do not support the %n operator in format
strings, or build with a hardening option such as glibc's _FORTIFY_SOURCE,
which rejects %n in format strings held in writable memory.
Related Security Principles
Reluctance to Trust
Defense in Depth
Related Guidelines
Never Use Input as Part of a Directive to any Internal Component