SlideShare a Scribd company logo

Format string

Vu Review
Vu Review

This document discusses format string vulnerabilities in C programs. It explains that if a program passes user input directly to a printf statement, an attacker can craft the input as a format string to control how the printf function operates. This allows viewing memory, crashing programs, and writing arbitrary values to memory by abusing how printf interprets format specifiers like %s, %x and %n. Countermeasures include compiler checks on format string usage and address space randomization.

Engineering
1 of 5
Download to read offline
1
2
3
4
5
Lecture Notes (Syracuse University) Format String Vulnerability: 1 Format String Vulnerability printf ( user input ); The above statement is quite common in C programs. In the lecture, we will find out what can go wrong if the program is running with privileges (e.g. Set-UID program). 1 Format String • What is a format string? printf ("The magic number is: %dn", 1911); The text to be printed is “The magic number is:”, followed by a format parameter ‘%d’, which is replaced with the parameter (1911) in the output. Therefore the output looks like: The magic number is: 1911. In addition to %d, there are several other format parameters, each having different meaning. The following table summarizes these format parameters: Parameter Meaning Passed as ------------------------------------------------------------------- %d decimal (int) value %u unsigned decimal (unsigned int) value %x hexadecimal (unsigned int) value %s string ((const) (unsigned) char *) reference %n number of bytes written so far, (* int) reference • The stack and its role at format strings The behavior of the format function is controlled by the format string. The function retrieves the parameters requested by the format string from the stack. printf ("a has value %d, b has value %d, c is at address: %08xn", a, b, &c);
Lecture Notes (Syracuse University) Format String Vulnerability: 2 Addressof FormatString Valueofa Valueofb Adressofc printf()’s internal pointer Moving in this direction Stack Stack grows in this direction • What if there is a miss-match between the format string and the actual arguments? printf ("a has value %d, b has value %d, c is at address: %08xn", a, b); – In the above example, the format string asks for 3 arguments, but the program actually provides only two (i.e. a and b). – Can this program pass the compiler? ∗ The function printf() is defined as function with variable length of arguments. There- fore, by looking at the number of arguments, everything looks fine. ∗ To find the miss-match, compilers needs to understand how printf() works and what the meaning of the format string is. However, compilers usually do not do this kind of analysis. ∗ Sometimes, the format string is not a constant string, it is generated during the execution of the program. Therefore, there is no way for the compiler to find the miss-match in this case. – Can printf() detect the miss-match? ∗ The function printf() fetches the arguments from the stack. If the format string needs 3 arguments, it will fetch 3 data items from the stack. Unless the stack is marked with a boundary, printf() does not know that it runs out of the arguments that are provided to it. ∗ Since there is no such a marking. printf() will continue fetching data from the stack. In a miss-match case, it will fetch some data that do not belong to this function call. – What trouble can be caused by printf() when it starts to fetch data that is meant for it? 2 Attacks on Format String Vulnerability • Crashing the program printf ("%s%s%s%s%s%s%s%s%s%s%s%s");
Lecture Notes (Syracuse University) Format String Vulnerability: 3 – For each %s, printf() will fetch a number from the stack, treat this number as an address, and print out the memory contents pointed by this address as a string, until a NULL character (i.e., number 0, not character 0) is encountered. – Since the number fetched by printf() might not be an address, the memory pointed by this number might not exist (i.e. no physical memory has been assigned to such an address), and the program will crash. – It is also possible that the number happens to be a good address, but the address space is protected (e.g. it is reserved for kernel memory). In this case, the program will also crash. • Viewing the stack printf ("%08x %08x %08x %08x %08xn"); – This instructs the printf-function to retrieve five parameters from the stack and display them as 8-digit padded hexadecimal numbers. So a possible output may look like: 40012980 080628c4 bffff7a4 00000005 08059c04 • Viewing memory at any location – We have to supply an address of the memory. However, we cannot change the code; we can only supply the format string. – If we use printf(%s) without specifying a memory address, the target address will be ob- tained from the stack anyway by the printf() function. The function maintains an initial stack pointer, so it knows the location of the parameters in the stack. – Observation: the format string is usually located on the stack. If we can encode the target address in the format string, the target address will be in the stack. In the following example, the format string is stored in a buffer, which is located on the stack. int main(int argc, char *argv[]) { char user_input[100]; ... ... /* other variable definitions and statements */ scanf("%s", user_input); /* getting a string from user */ printf(user_input); /* Vulnerable place */ return 0; } – If we can force the printf to obtain the address from the format string (also on the stack), we can control the address. printf ("x10x01x48x08 %x %x %x %x %s"); – x10x01x48x08 are the four bytes of the target address. In C language, x10 in a string tells the compiler to put a hexadecimal value 0x10 in the current position. The value will take up just one byte. Without using x, if we directly put "10" in a string, the ASCII values of the characters ’1’ and ’0’ will be stored. Their ASCII values are 49 and 48, respectively.
Lecture Notes (Syracuse University) Format String Vulnerability: 4 – %x causes the stack pointer to move towards the format string. – Here is how the attack works if user input[] contains the following format string: "x10x01x48x08 %x %x %x %x %s". ... Addressofuser_input[] 0x10014808 user_input [ ] %s %x %x %x %x Print this for the 1st %x Print this for the 4th %x For %s: print out the contents pointed by this address Print out the contents at the address 0x10014808 using format-string vlunerability – Basically, we use four %x to move the printf()’s pointer towards the address that we stored in the format string. Once we reach the destination, we will give %s to print(), causing it to print out the contents in the memory address 0x10014808. The function printf() will treat the contents as a string, and print out the string until reaching the end of the string (i.e. 0). – The stack space between user input[] and the address passed to the printf() function is not for printf(). However, because of the format-string vulnerability in the program, printf() considers them as the arguments to match with the %x in the format string. – The key challenge in this attack is to figure out the distance between the user input[] and the address passed to the printf() function. This distance decides how many %x you need to insert into the format string, before giving %s. • Writing an integer to nearly any location in the process memory – %n: The number of characters written so far is stored into the integer indicated by the corre- sponding argument. int i; printf ("12345%n", &i); – It causes printf() to write 5 into variable i. – Using the same approach as that for viewing memory at any location, we can cause printf() to write an integer into any location. Just replace the %s in the above example with %n, and the contents at the address 0x10014808 will be overwritten.
Lecture Notes (Syracuse University) Format String Vulnerability: 5 – Using this attack, attackers can do the following: ∗ Overwrite important program flags that control access privileges ∗ Overwrite return addresses on the stack, function pointers, etc. – However, the value written is determined by the number of characters printed before the %n is reached. Is it really possible to write arbitrary integer values? ∗ Use dummy output characters. To write a value of 1000, a simple padding of 1000 dummy characters would do. ∗ To avoid long format strings, we can use a width specification of the format indicators. • Countermeasures. – Address randomization: just like the countermeasures used to protect against buffer-overflow attacks, address randomization makes it difficult for the attackers to find out what address they want to read/write.

More Related Content

What's hot (19)

PDF
Introduction to Excel, basic financial functions
Martin
 
PPTX
AS TASKS #8
NikkNakss
 
PPTX
Ch3 Formatted Input/Output
SzeChingChen
 
PDF
Casa lab manual
BHARATNIKKAM
 
PDF
CP Handout#8
trupti1976
 
PDF
C programming part4
Keroles karam khalil
 
PPT
Lab 4 reading material formatted io and arithmetic expressions
AksharVaish2
 
PDF
Introduction to Input/Output Functions in C
Thesis Scientist Private Limited
 
PDF
CP Handout#1
trupti1976
 
PPT
Ch05
Arriz San Juan
 
PDF
Session 5-exersice
Keroles karam khalil
 
PDF
CP Handout#6
trupti1976
 
PPT
Ch08
Arriz San Juan
 
PPTX
datatypes and variables in c language
Rai University
 
PPT
Ch06
Arriz San Juan
 
PPT
Computer notes - Expression Tree
ecomputernotes
 
PPTX
FLOW OF CONTROL-NESTED IFS IN PYTHON
vikram mahendra
 
PDF
Flag Waiving
Kevlin Henney
 
PDF
100 c interview questions answers
Sareen Kumar
 
Introduction to Excel, basic financial functions
Martin
 
AS TASKS #8
NikkNakss
 
Ch3 Formatted Input/Output
SzeChingChen
 
Casa lab manual
BHARATNIKKAM
 
CP Handout#8
trupti1976
 
C programming part4
Keroles karam khalil
 
Lab 4 reading material formatted io and arithmetic expressions
AksharVaish2
 
Introduction to Input/Output Functions in C
Thesis Scientist Private Limited
 
CP Handout#1
trupti1976
 
Ch05
Arriz San Juan
 
Session 5-exersice
Keroles karam khalil
 
CP Handout#6
trupti1976
 
Ch08
Arriz San Juan
 
datatypes and variables in c language
Rai University
 
Ch06
Arriz San Juan
 
Computer notes - Expression Tree
ecomputernotes
 
FLOW OF CONTROL-NESTED IFS IN PYTHON
vikram mahendra
 
Flag Waiving
Kevlin Henney
 
100 c interview questions answers
Sareen Kumar
 

Similar to Format string (20)

PPTX
C format string vulnerability
sluge
 
ODP
Format string vunerability
nuc13us
 
PPTX
Format String Attack
Mayur Mallya
 
PDF
2.Format Strings
phanleson
 
PDF
Wade not in unknown waters. Part two.
PVS-Studio
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
Sam Bowne
 
PPT
Buffer OverFlow
Rambabu Duddukuri
 
PPTX
[MOSUT] Format String Attacks
Aj MaChInE
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
PDF
CNIT 127: Ch 4: Introduction to format string bugs
Sam Bowne
 
PDF
CNIT 127: 4: Format string bugs
Sam Bowne
 
PPTX
Input and Output In C Language
Adnan Khan
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
PPTX
Pointers in C Language
madan reddy
 
PPT
When good code goes bad
SensePost
 
PDF
Format string vunerability
Cysinfo Cyber Security Community
 
PPTX
Chap 2 input output dti2143
alish sha
 
PPT
270_1_CIntro_Up_To_Functions.ppt
JoshCasas1
 
PPTX
C programming(part 3)
Dr. SURBHI SAROHA
 
PPTX
C language
TaranjeetKaur72
 
C format string vulnerability
sluge
 
Format string vunerability
nuc13us
 
Format String Attack
Mayur Mallya
 
2.Format Strings
phanleson
 
Wade not in unknown waters. Part two.
PVS-Studio
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
Sam Bowne
 
Buffer OverFlow
Rambabu Duddukuri
 
[MOSUT] Format String Attacks
Aj MaChInE
 
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
CNIT 127: Ch 4: Introduction to format string bugs
Sam Bowne
 
CNIT 127: 4: Format string bugs
Sam Bowne
 
Input and Output In C Language
Adnan Khan
 
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
Pointers in C Language
madan reddy
 
When good code goes bad
SensePost
 
Format string vunerability
Cysinfo Cyber Security Community
 
Chap 2 input output dti2143
alish sha
 
270_1_CIntro_Up_To_Functions.ppt
JoshCasas1
 
C programming(part 3)
Dr. SURBHI SAROHA
 
C language
TaranjeetKaur72
 
Ad

Recently uploaded (20)

PPTX
Destructive Tests corrosion engineer (1).pptx
zeidali3
 
PPTX
Solar Thermal Energy System Seminar.pptx
Gpc Purapuza
 
PDF
MAD Unit - 1 Introduction of Android IT Department
JappanMavani
 
PDF
GTU Civil Engineering All Semester Syllabus.pdf
Vimal Bhojani
 
PDF
Unified_Cloud_Comm_Presentation anil singh ppt
anilsingh298751
 
PPTX
Break Statement in Programming with 6 Real Examples
manojpoojary2004
 
DOCX
8th International Conference on Electrical Engineering (ELEN 2025)
elelijjournal653
 
PDF
Water Design_Manual_2005. KENYA FOR WASTER SUPPLY AND SEWERAGE
DancanNgutuku
 
PPTX
265587293-NFPA 101 Life safety code-PPT-1.pptx
chandermwason
 
PPTX
ISO/IEC JTC 1/WG 9 (MAR) Convenor Report
Kurata Takeshi
 
PPTX
Heart Bleed Bug - A case study (Course: Cryptography and Network Security)
Adri Jovin
 
PPTX
Types of Bearing_Specifications_PPT.pptx
PranjulAgrahariAkash
 
PDF
IoT - Unit 2 (Internet of Things-Concepts) - PPT.pdf
dipakraut82
 
PDF
Zilliz Cloud Demo for performance and scale
Zilliz
 
PPTX
Green Building & Energy Conservation ppt
Sagar Sarangi
 
PDF
Book.pdf01_Intro.ppt algorithm for preperation stu used
archu26
 
PDF
POWER PLANT ENGINEERING (R17A0326).pdf..
haneefachosa123
 
PPTX
Innowell Capability B0425 - Commercial Buildings.pptx
regobertroza
 
PPT
Oxygen Co2 Transport in the Lungs(Exchange og gases)
SUNDERLINSHIBUD
 
PPTX
REINFORCEMENT AS CONSTRUCTION MATERIALS.pptx
mohaiminulhaquesami
 
Destructive Tests corrosion engineer (1).pptx
zeidali3
 
Solar Thermal Energy System Seminar.pptx
Gpc Purapuza
 
MAD Unit - 1 Introduction of Android IT Department
JappanMavani
 
GTU Civil Engineering All Semester Syllabus.pdf
Vimal Bhojani
 
Unified_Cloud_Comm_Presentation anil singh ppt
anilsingh298751
 
Break Statement in Programming with 6 Real Examples
manojpoojary2004
 
8th International Conference on Electrical Engineering (ELEN 2025)
elelijjournal653
 
Water Design_Manual_2005. KENYA FOR WASTER SUPPLY AND SEWERAGE
DancanNgutuku
 
265587293-NFPA 101 Life safety code-PPT-1.pptx
chandermwason
 
ISO/IEC JTC 1/WG 9 (MAR) Convenor Report
Kurata Takeshi
 
Heart Bleed Bug - A case study (Course: Cryptography and Network Security)
Adri Jovin
 
Types of Bearing_Specifications_PPT.pptx
PranjulAgrahariAkash
 
IoT - Unit 2 (Internet of Things-Concepts) - PPT.pdf
dipakraut82
 
Zilliz Cloud Demo for performance and scale
Zilliz
 
Green Building & Energy Conservation ppt
Sagar Sarangi
 
Book.pdf01_Intro.ppt algorithm for preperation stu used
archu26
 
POWER PLANT ENGINEERING (R17A0326).pdf..
haneefachosa123
 
Innowell Capability B0425 - Commercial Buildings.pptx
regobertroza
 
Oxygen Co2 Transport in the Lungs(Exchange og gases)
SUNDERLINSHIBUD
 
REINFORCEMENT AS CONSTRUCTION MATERIALS.pptx
mohaiminulhaquesami
 
Ad

Format string

  • 1. Lecture Notes (Syracuse University) Format String Vulnerability: 1 Format String Vulnerability printf ( user input ); The above statement is quite common in C programs. In the lecture, we will find out what can go wrong if the program is running with privileges (e.g. Set-UID program). 1 Format String • What is a format string? printf ("The magic number is: %dn", 1911); The text to be printed is “The magic number is:”, followed by a format parameter ‘%d’, which is replaced with the parameter (1911) in the output. Therefore the output looks like: The magic number is: 1911. In addition to %d, there are several other format parameters, each having different meaning. The following table summarizes these format parameters: Parameter Meaning Passed as ------------------------------------------------------------------- %d decimal (int) value %u unsigned decimal (unsigned int) value %x hexadecimal (unsigned int) value %s string ((const) (unsigned) char *) reference %n number of bytes written so far, (* int) reference • The stack and its role at format strings The behavior of the format function is controlled by the format string. The function retrieves the parameters requested by the format string from the stack. printf ("a has value %d, b has value %d, c is at address: %08xn", a, b, &c);
  • 2. Lecture Notes (Syracuse University) Format String Vulnerability: 2 Addressof FormatString Valueofa Valueofb Adressofc printf()’s internal pointer Moving in this direction Stack Stack grows in this direction • What if there is a miss-match between the format string and the actual arguments? printf ("a has value %d, b has value %d, c is at address: %08xn", a, b); – In the above example, the format string asks for 3 arguments, but the program actually provides only two (i.e. a and b). – Can this program pass the compiler? ∗ The function printf() is defined as function with variable length of arguments. There- fore, by looking at the number of arguments, everything looks fine. ∗ To find the miss-match, compilers needs to understand how printf() works and what the meaning of the format string is. However, compilers usually do not do this kind of analysis. ∗ Sometimes, the format string is not a constant string, it is generated during the execution of the program. Therefore, there is no way for the compiler to find the miss-match in this case. – Can printf() detect the miss-match? ∗ The function printf() fetches the arguments from the stack. If the format string needs 3 arguments, it will fetch 3 data items from the stack. Unless the stack is marked with a boundary, printf() does not know that it runs out of the arguments that are provided to it. ∗ Since there is no such a marking. printf() will continue fetching data from the stack. In a miss-match case, it will fetch some data that do not belong to this function call. – What trouble can be caused by printf() when it starts to fetch data that is meant for it? 2 Attacks on Format String Vulnerability • Crashing the program printf ("%s%s%s%s%s%s%s%s%s%s%s%s");
  • 3. Lecture Notes (Syracuse University) Format String Vulnerability: 3 – For each %s, printf() will fetch a number from the stack, treat this number as an address, and print out the memory contents pointed by this address as a string, until a NULL character (i.e., number 0, not character 0) is encountered. – Since the number fetched by printf() might not be an address, the memory pointed by this number might not exist (i.e. no physical memory has been assigned to such an address), and the program will crash. – It is also possible that the number happens to be a good address, but the address space is protected (e.g. it is reserved for kernel memory). In this case, the program will also crash. • Viewing the stack printf ("%08x %08x %08x %08x %08xn"); – This instructs the printf-function to retrieve five parameters from the stack and display them as 8-digit padded hexadecimal numbers. So a possible output may look like: 40012980 080628c4 bffff7a4 00000005 08059c04 • Viewing memory at any location – We have to supply an address of the memory. However, we cannot change the code; we can only supply the format string. – If we use printf(%s) without specifying a memory address, the target address will be ob- tained from the stack anyway by the printf() function. The function maintains an initial stack pointer, so it knows the location of the parameters in the stack. – Observation: the format string is usually located on the stack. If we can encode the target address in the format string, the target address will be in the stack. In the following example, the format string is stored in a buffer, which is located on the stack. int main(int argc, char *argv[]) { char user_input[100]; ... ... /* other variable definitions and statements */ scanf("%s", user_input); /* getting a string from user */ printf(user_input); /* Vulnerable place */ return 0; } – If we can force the printf to obtain the address from the format string (also on the stack), we can control the address. printf ("x10x01x48x08 %x %x %x %x %s"); – x10x01x48x08 are the four bytes of the target address. In C language, x10 in a string tells the compiler to put a hexadecimal value 0x10 in the current position. The value will take up just one byte. Without using x, if we directly put "10" in a string, the ASCII values of the characters ’1’ and ’0’ will be stored. Their ASCII values are 49 and 48, respectively.
  • 4. Lecture Notes (Syracuse University) Format String Vulnerability: 4 – %x causes the stack pointer to move towards the format string. – Here is how the attack works if user input[] contains the following format string: "x10x01x48x08 %x %x %x %x %s". ... Addressofuser_input[] 0x10014808 user_input [ ] %s %x %x %x %x Print this for the 1st %x Print this for the 4th %x For %s: print out the contents pointed by this address Print out the contents at the address 0x10014808 using format-string vlunerability – Basically, we use four %x to move the printf()’s pointer towards the address that we stored in the format string. Once we reach the destination, we will give %s to print(), causing it to print out the contents in the memory address 0x10014808. The function printf() will treat the contents as a string, and print out the string until reaching the end of the string (i.e. 0). – The stack space between user input[] and the address passed to the printf() function is not for printf(). However, because of the format-string vulnerability in the program, printf() considers them as the arguments to match with the %x in the format string. – The key challenge in this attack is to figure out the distance between the user input[] and the address passed to the printf() function. This distance decides how many %x you need to insert into the format string, before giving %s. • Writing an integer to nearly any location in the process memory – %n: The number of characters written so far is stored into the integer indicated by the corre- sponding argument. int i; printf ("12345%n", &i); – It causes printf() to write 5 into variable i. – Using the same approach as that for viewing memory at any location, we can cause printf() to write an integer into any location. Just replace the %s in the above example with %n, and the contents at the address 0x10014808 will be overwritten.
  • 5. Lecture Notes (Syracuse University) Format String Vulnerability: 5 – Using this attack, attackers can do the following: ∗ Overwrite important program flags that control access privileges ∗ Overwrite return addresses on the stack, function pointers, etc. – However, the value written is determined by the number of characters printed before the %n is reached. Is it really possible to write arbitrary integer values? ∗ Use dummy output characters. To write a value of 1000, a simple padding of 1000 dummy characters would do. ∗ To avoid long format strings, we can use a width specification of the format indicators. • Countermeasures. – Address randomization: just like the countermeasures used to protect against buffer-overflow attacks, address randomization makes it difficult for the attackers to find out what address they want to read/write.