Versions Compared

...

An attacker who can fully or partially control the contents of a format string can crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location, and, consequently, execute arbitrary code with the permissions of the vulnerable process \[[Seacord 2005a|AA. Bibliography#Seacord 05]\].

Formatted output functions are particularly dangerous because many programmers are unaware of their capabilities. For example, they can write an integer value to a specified address using the %n conversion specifier.

Noncompliant Code Example

This noncompliant code example shows the {{incorrect_password()}} function, which is called during identification and authentication if the specified user is not found, or the password is incorrect, to display an error message. The function accepts the name of the user as a null-terminated byte string referenced by {{user}}. This is an excellent example of data that originates from an untrusted, unauthenticated user. The function constructs an error message which is then output to {{stderr}} using the C99 standard {{fprintf()}} function \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\].
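The {{incorrect_password()}} scenario described above, written out as an added example that is not the code from this page: the untrusted user name stays an argument to a constant format string, and the names {{MSG_LEN}}, {{build_error_message()}} and {{untrusted_format_specifiers()}} are assumed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MSG_LEN 128   /* assumed buffer size for this example */

/* Noncompliant shape from the rule, kept as a comment so it never runs:
 *     snprintf(msg, sizeof msg, "%s cannot be authenticated\n", user);
 *     fprintf(stderr, msg);   // msg, which embeds user data, is now the format
 * A user name containing %n makes fprintf() treat a nonexistent argument as an
 * int pointer and write through it (undefined behavior). gcc -Wformat-security
 * warns on the fprintf() call above because its format is not a literal. */

/* Compliant shape: the format string is a constant and the user name is only
 * ever the argument for %s, so any conversion specifiers in it print literally.
 * Returns the message length, or -1 if it did not fit in out (no partial
 * message is reported). */
int build_error_message(const char *user, char *out, size_t out_len) {
    int n = snprintf(out, out_len, "%s cannot be authenticated", user);
    if (n < 0 || (size_t)n >= out_len) {
        return -1;
    }
    return n;
}

/* Defensive check for auditing: counts '%' characters in user-controlled text
 * that would act as conversion specifiers if the text were ever used as a
 * format ("%%" is a literal percent and is not counted). */
int untrusted_format_specifiers(const char *s) {
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') {
            continue;
        }
        if (s[1] == '%') {
            s++;          /* skip the escaped percent */
        } else {
            count++;
        }
    }
    return count;
}

/* The rule's scenario: report a failed login for an untrusted user name. */
void incorrect_password(const char *user) {
    char msg[MSG_LEN];
    if (build_error_message(user, msg, sizeof msg) < 0) {
        fputs("authentication error: user name too long\n", stderr);
        return;
    }
    fprintf(stderr, "%s\n", msg);   /* msg is data, passed as the %s argument */
}
```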

...

This noncompliant code example is exactly the same as the first noncompliant code example but uses the POSIX function {{syslog()}} \[[Open Group 2004|AA. Bibliography#Open Group 04]\], which is also susceptible to format-string vulnerabilities, instead of the {{fprintf()}} function.

...

Two recent examples of format-string vulnerabilities resulting from a violation of this rule include Ettercap and Samba.

In Ettercap v.NG-0.7.2, the ncurses user interface suffers from a format string defect. The curses_msg() function in ec_curses.c calls wdg_scroll_print(), which takes a format string and its parameters and passes it to vw_printw(). The curses_msg() function uses one of its parameters as the format string. This input can include user data, allowing for a format string vulnerability.

The Samba AFS ACL mapping VFS plug-in fails to properly sanitize user-controlled file names that are used in a format specifier supplied to snprintf(). This security flaw becomes exploitable when a user can write to a share that uses Samba's afsacl.so library for setting Windows NT access control lists on files residing on an AFS file system.

Automated Detection

||Tool||Version||Checker||Description||
|Fortify SCA|V. 5.0|...|...|
|Splint|3.1.1| |can detect violations of this rule|
|GCC|c:GCC_V| |can detect violations of this rule when the -Wformat-security flag is used|
|Compass/ROSE|...| | |
|Klocwork|c:Klocwork_V|SV.FMTSTR.GENERIC|...|
|Klocwork|c:Klocwork_V|SV.TAINTED.FMTSTR|...|

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding Standard: FIO30-CPP. Exclude user input from format strings.

The CERT Oracle Secure Coding Standard for Java: FIO09-J. Exclude user input from format strings.

...

\[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 7.19.6, "Formatted input/output functions"

\[[ISO/IEC PDTR 24772|AA. Bibliography#ISO/IEC PDTR 24772]\] "RST Injection"

MITRE CWE: CWE-134, "Uncontrolled Format String"

Bibliography

\[[MITRE 07|AA. Bibliography#MITRE 07]\] [CWE ID 134|http://cwe.mitre.org/data/definitions/134.html], "Uncontrolled Format String"
\[[Open Group 2004|AA. Bibliography#Open Group 04]\] [{{syslog()}}|http://www.opengroup.org/onlinepubs/009695399/toc.htm]
\[[Seacord 2005|AA. Bibliography#Seacord 05]\] Chapter 6, "Formatted Output"
\[[Viega 2005|AA. Bibliography#Viega 05]\] Section 5.2.23, "Format string problem"

...