
...
This noncompliant code example is similar to the first noncompliant code example but uses the POSIX function syslog() [IEEE Std 1003.1:2013] instead of fprintf(). Like fprintf(), syslog() takes a printf()-style format string (its second argument), so it is equally susceptible to format-string vulnerabilities when that argument is derived from user input rather than being a string literal.
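The following is an added example (not CERT's own code from this rule) that makes the syslog() variant of the defect observable. The function names log_noncompliant(), log_compliant(), render_as_format(), render_as_data() and interpretations_differ() are chosen for this illustration, and the untrusted string is constructed for it. The noncompliant functions hand the user-controlled string to syslog() and snprintf() as the format argument; the compliant ones pass a fixed "%s" format and the string as data. The rendering helpers write into a buffer so the difference can be seen without a syslog daemon.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/*
 * Added example, not code from the CERT page: the same untrusted string is
 * logged two ways. In the noncompliant functions the string *is* the format;
 * in the compliant functions the format is a literal and the string is data.
 */

/* Constructed untrusted input. "%%" is the only conversion that can be passed
 * to a format function with no arguments without undefined behaviour; a real
 * attacker would use %s, %x or %n, which read (or, with %n, write through)
 * arguments that were never supplied. */
static const char untrusted_input[] = "login failed: 100%% sure it's %%s";

/* The noncompliant functions trigger -Wformat-security. The pragmas exist only
 * so the deliberately vulnerable code compiles for this demonstration; a real
 * build should turn that warning into an error (-Werror=format-security). */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Noncompliant: the user-controlled string is the format argument. */
void log_noncompliant(const char *user) {
    syslog(LOG_INFO, user);
}

/* Same defect, rendered into a buffer so the effect can be inspected. */
int render_as_format(char *out, size_t n, const char *user) {
    return snprintf(out, n, user);
}
#pragma GCC diagnostic pop

/* Compliant: the format is a string literal; user input is only ever data. */
void log_compliant(const char *user) {
    syslog(LOG_INFO, "%s", user);
}

int render_as_data(char *out, size_t n, const char *user) {
    return snprintf(out, n, "%s", user);
}

/* Returns 1 if treating the string as a format changes what is logged,
 * i.e. the string contains something the format engine interprets. */
int interpretations_differ(const char *user) {
    char as_format[256];
    char as_data[256];
    render_as_format(as_format, sizeof as_format, user);
    render_as_data(as_data, sizeof as_data, user);
    return strcmp(as_format, as_data) != 0;
}

int main(void) {
    char buf[256];

    render_as_format(buf, sizeof buf, untrusted_input);
    printf("as format: %s\n", buf);   /* login failed: 100% sure it's %s */
    render_as_data(buf, sizeof buf, untrusted_input);
    printf("as data:   %s\n", buf);   /* login failed: 100%% sure it's %%s */

    openlog("fio30-demo", LOG_PID, LOG_USER);
    log_noncompliant(untrusted_input);  /* % sequences interpreted by syslog */
    log_compliant(untrusted_input);     /* logged verbatim */
    closelog();
    return 0;
}
```

Build with `gcc -Wall -Wformat -Werror=format-security` after removing the pragmas to see the check a real build should enforce: glibc declares syslog() with the printf format attribute, so a non-literal format with no arguments is flagged at compile time. Note that the benign "%%" input above only changes the logged text; the same pattern with attacker-supplied %s or %n conversions reads or writes memory the caller never passed.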
...
Two examples of format-string vulnerabilities resulting from a violation of this rule are found in Ettercap and Samba.

In Ettercap NG-0.7.2, the ncurses user interface suffers from a format-string defect. The curses_msg() function in ec_curses.c calls wdg_scroll_print(), which takes a format string and its parameters and passes them to vw_printw(). The curses_msg() function uses one of its own parameters as that format string. Because this parameter can contain user data, the result is a format-string vulnerability.

The Samba AFS ACL mapping VFS plug-in fails to properly sanitize user-controlled file names that end up in the format string passed to snprintf(). This flaw becomes exploitable when a user can write to a share that uses Samba's afsacl.so library to set Windows NT access control lists on files residing on an AFS file system.
...
CERT Oracle Secure Coding Standard for Java | IDS06-J. Exclude unsanitized user input from format strings |
CERT Perl Secure Coding Standard | IDS30-PL. Exclude user input from format strings |
ISO/IEC TR 24772:2013 | Injection [RST] |
ISO/IEC TS 17961:2013 | Including tainted or out-of-domain input in a format string [usrfmt] |
MITRE CWE | CWE-134, Uncontrolled Format String |
Bibliography
[IEEE Std 1003.1:2013] | XSH, System Interfaces, syslog |
[Seacord 2013b] | Chapter 6, "Formatted Output" |
[Viega 2005] | Section 5.2.23, "Format String Problem" |
...