CAPEC

Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software


Individual CAPEC Dictionary Definition (Release 1.1)

String Format Overflow in syslog()

Attack Pattern ID: 67

Pattern Abstraction: Detailed

Typical Severity

Very High

Description

Summary

This attack targets format string vulnerabilities in calls to the syslog() function. The weakness is not in syslog() itself but in how it is called: an attacker injects malicious input into data that the application then passes as the format string parameter of syslog(). This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Attack Execution Flow

  1. The attacker finds that he can inject data into the format string parameter of syslog().

  2. The attacker crafts a malicious input and injects it into the format string parameter. From this point on, the attacker can read process memory, and with the %n conversion write to it, and so execute arbitrary code and do further damage.

Attack Prerequisites

The format string argument of the syslog() function can be tainted with user-supplied data.

Typical Likelihood of Exploit

High

Methods of Attack
  • Injection
Examples-Instances

Description

Format string vulnerability in TraceEvent function for ntop before 2.1 allows remote attackers to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP authentication.

Related Vulnerability

CVE-2002-0412

Probing Techniques

If the source code of the application is available, an attacker can use static analysis tools to spot a vulnerable syslog() call (a simple grep for syslog( calls whose format argument is not a string literal may also work).

If the source code is not available, automated tools such as fuzzers and web application scanners can be used. If the tool-supplied data reaches the format string argument of syslog(), the application under scrutiny may show unexpected behavior, for example a crash, or log entries in which a %x or %s from the input has been expanded.

If the source code is not available, a more complex technique involves the use of a library and system call tracer combined with a binary auditing tool such as IDA Pro. Reverse engineering techniques can be used to find format string vulnerabilities in syslog() calls. For instance, it is possible to get the address of the buffer that is later used as the format string when reading data

Solutions and Mitigations

The code should be reviewed for misuse of the syslog() function call, using manual or automated code review. The reviewer needs to ensure that every format string function is passed a constant format string that cannot be controlled by the user, and that the proper number and types of arguments are always supplied for that format. If at all possible, do not use the %n conversion in format strings.

The following code shows a correct usage of syslog():

   ...
   syslog(LOG_ERR, "%s", cmdBuf);
   ...

The following code shows a vulnerable usage of syslog():

   ...
   syslog(LOG_ERR, cmdBuf); /* the buffer cmdBuf holds user-supplied data */
   ...
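The following program, added here as an example and not code from CAPEC or from ntop, puts the vulnerable and the correct pattern side by side and serves both the attack execution flow above and this mitigation. Formatting goes through vsnprintf() into a buffer so the effect of an injected directive can be inspected; syslog(LOG_ERR, cmdBuf) and syslog(LOG_ERR, "%s", cmdBuf) behave identically except that the text ends up in the system log. The wrapper names, the constant 0xdeadbeef standing in for the uncontrolled argument slot a real call would leak, and the attacker input "user=%08x" are all assumptions of the demo.

```c
/* Added example (not CAPEC's or ntop's code): vulnerable vs. correct syslog()
 * pattern. Formatting is done into a buffer so the result can be inspected. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Thin stand-in for the printf family: whatever reaches fmt is interpreted. */
static int format_into(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* VULNERABLE pattern, the analogue of syslog(LOG_ERR, cmdBuf): user data is
 * the format string. A real call passes no further arguments, so "%x" reads
 * whatever the calling convention leaves in the next argument slot (a stack
 * word or a register). To keep this demo deterministic and free of undefined
 * behaviour, the constant 0xdeadbeef is supplied as that slot; this is an
 * assumption of the demo, not something the real bug gives you. */
static int log_vulnerable(char *out, size_t n, const char *user_data)
{
    return format_into(out, n, user_data, 0xdeadbeefu);
}

/* CORRECT pattern, the analogue of syslog(LOG_ERR, "%s", cmdBuf): the format
 * is a constant and the user data is only ever consumed by that one %s. */
static int log_safe(char *out, size_t n, const char *user_data)
{
    return format_into(out, n, "%s", user_data);
}

/* A wrapper a code base can standardise on so that no caller can hand user
 * data to syslog() as a format. The syslog() call here is the real one. */
static void syslog_user_data(int priority, const char *context, const char *user_data)
{
    syslog(priority, "%s: %s", context, user_data);
}

/* Counts the conversion directives an attacker-controlled string would
 * trigger if it were ever used as a format ("%%" is a literal percent and is
 * skipped). Handy for spotting probes in captured input; it is a detection
 * aid, not a substitute for the constant-format pattern above. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal '%' */
            s++;
            continue;
        }
        if (s[1] == '\0')       /* trailing lone '%' */
            break;
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    const char *attacker_input = "user=%08x";   /* constructed attacker input */

    log_vulnerable(buf, sizeof buf, attacker_input);
    printf("vulnerable: %s\n", buf);            /* user=deadbeef: the directive ran */

    log_safe(buf, sizeof buf, attacker_input);
    printf("safe:       %s\n", buf);            /* user=%08x: logged verbatim */

    printf("directives in input: %d\n", count_directives(attacker_input));

    openlog("capec67-demo", LOG_PID, LOG_USER);
    syslog_user_data(LOG_ERR, "login failed", attacker_input);
    closelog();
    return 0;
}
```

Compiling with -Wformat -Wformat-security makes the compiler flag the real-world shape of the bug, a non-literal format with no arguments, at the call site; the va_list wrapper above is used only so the demo can pass its stand-in argument without undefined behaviour.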

Attack Motivation-Consequences
  • Run Arbitrary Code
  • Denial of Service
  • Privilege Escalation
  • Data Modification
Context Description

Format String Vulnerabilities

When you get right down to it, format string vulnerabilities are relatively simple in nature. An API call that takes a format string (one containing conversions such as %s) can be exploited when the format string argument is controlled by a remote attacker. Unfortunately, the problem exists mainly because of laziness on the part of the programmer. However, the problem is so simple that it can be detected automatically using simple code scanners. Thus, once the format string vulnerability was publicized in the late 1990s, it was rapidly hunted down and eliminated in most software.

Here is a trivial function that suffers from a format string problem:

#include <stdio.h>

/* c is attacker-controlled, yet it is used as the format string itself */
void some_func(char *c)
{
   printf(c);
}

Injection Vector

Untrusted user supplied data is the injection vector.

Payload

Maliciously crafted data passed to syslog() as the format string can read from the stack through conversions such as %x and %s and, with the %n conversion, write attacker-chosen values to memory.

Activation Zone

The signature of the syslog function is as follows: "void syslog(int priority, const char *format, ...);". A vulnerable usage would be "syslog(LOG_ERR, cmdBuf);" where cmdBuf holds user-controlled data, which leads to a format string vulnerability. The activation zone is the format string argument that accepts user-supplied data.

Payload Activation Impact

The impact of this attack can be execution of arbitrary code. Execution of arbitrary code can lead to many problems such as corruption of data, unauthorized access, etc.

Related Weaknesses
CWE-ID | Weakness Name | Weakness Relationship Type
120 | Unbounded Transfer ('Classic Buffer Overflow') | Secondary
134 | Uncontrolled Format String | Targeted
74 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | Secondary
20 | Insufficient Input Validation | Secondary
Related Vulnerabilities
Vulnerability-ID | Vulnerability Description
CVE-2002-0573 | format string in bad call to syslog function
CVE-2001-0717 | format string in bad call to syslog function
CVE-2002-0412 | format string in bad call to syslog function
Related Attack Patterns
ID | Name | Relationship Type | Relationship Description
 | Buffer Overflow via Format Strings | More Detailed | 
Relevant Security Requirements

Choose a language which is not subject to this flaw.

Do not use syslog() in your implementation.

Use manual or automated code review to spot potential format string vulnerabilities in functions such as syslog(), vsyslog(), snprintf(), etc.

Related Security Principles
  • Reluctance to Trust
Related Guidelines
  • Verify that input is of a limited size.
  • If the message is coming from an outside source, check for %s type parameters and ensure that bounds will not be overwritten.
  • Don't use text from an outside source as a format string.
Purpose

Penetration

Exploitation

CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Technical Context
Architectural Paradigm: All
Framework: All
Platform: All
Language: All
References

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

CWE – Buffer Errors.

scut / team teso. Exploiting Format String Vulnerabilities. http://doc.bughunter.net/format-string/exploit-fs.html

Halvar Flake. "Auditing binaries for security vulnerabilities". http://www.blackhat.com/presentations/bh-europe-00/HalvarFlake/HalvarFlake.ppt

Fortify Software. Fortify Taxonomy of Vulnerabilities. http://vulncat.fortifysoftware.com/1/FS.html (www.fortifysoftware.com)

syslog(3) man page. http://www.rt.com/man/syslog.3.html

Source
Submission(s)
Submitter | Organization | Date | Comment
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-03-01 | 
Modification(s)
Modifier | Organization | Date | Comment
Eric Dalci | Cigital, Inc | 2007-02-13 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum | Cigital, Inc | 2007-03-05 | Review and revise
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Related Attack Patterns
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback
 
Page Last Updated: April 18, 2008