Page History

Never call a formatted I/O function with a format string containing user input.a tainted value .  An attacker who can fully or partially control the contents of a format string can crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location. Consequently, the attacker can execute arbitrary code with the permissions of the vulnerable process [Seacord 20132013b].Formatted  Formatted output functions are particularly dangerous because many programmers are unaware of their capabilities. ( For example, they can formatted output functions can be used to write an integer value to a specified address using the %n conversion specifier.)

Noncompliant Code Example

This noncompliant code example shows the The incorrect_password() function , which in this noncompliant code example is called during identification and authentication to display an error message if the specified user is not found or the password is incorrect. The function accepts the name of the user as a string referenced by user. This is an excellent example exemplar of untrusted data that originates from an untrusted, unauthenticated user. The function constructs an error message that is then output to stderr using the C Standard fprintf() function.

...

The incorrect_password() function calculates the size of the message, allocates dynamic storage, and then constructs the message in the allocated memory using the snprintf() function. The addition operations are not checked for integer overflow because the string referenced by user is known to have a length of 256 or less. Because the %s characters are replaced by the string referenced by user in the call to snprintf(), 1 less byte is required to store the resulting string and terminating null-byte character. This idiom needs 1 byte less than is allocated. The snprintf() function is commonly used for displaying the same message messages that are displayed in multiple locations or when the message is messages that are difficult to build. The However, the resulting code contains a format-string vulnerability, however, because the msg includes untrusted user input and is passed as the format-string argument in the call to fprintf().

...

This compliant solution fixes the problem by replacing the fprintf() call with a call to fputs(), which does not treat msg like a format string but outputs it to stderr as isoutputs msg directly to stderr without evaluating its contents:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
void incorrect_password(const char *user) {
  int ret;
  /* User names are restricted to 256 or fewer characters */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (msg == NULL) {
    /* Handle error */
  }
  ret = snprintf(msg, len, msg_format, user);
  if (ret < 0) { 
    /* Handle error */ 
  } else if (ret >= len) { 
    /* Handle truncated output */ 
  }
  if (fputs(msg, stderr) == EOF) {
    /* Handle error */
  }
  ;
  free(msg);
}

Compliant Solution (fprintf())

This simpler compliant solution passes the untrusted user input as one of the variadic arguments to fprintf() and not as part of the format string, eliminating the possibility of a format-string vulnerability:

...

This noncompliant code example is exactly similar to the same as the first noncompliant code example but uses the POSIX function syslog() [IEEE Std 1003.1:2013] instead of the fprintf() function. The syslog() function is also susceptible to format-string vulnerabilities:.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
 
void incorrect_password(const char *user) {
  int ret;
  /* User names are restricted to 256 or fewer characters */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (msg !== NULL) {
    /* Handle error */
  }
  ret = snprintf(msg, len, msg_format, user);
  if (ret < 0) { 
    /* Handle error */ 
  } else if (ret >= len) { 
    /* Handle truncated output */ 
  }
  syslog(LOG_INFO, msg);
  free(msg);
}

...

Failing to exclude user input from format specifiers may allow an attacker to crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location and consequently execute arbitrary code with the permissions of the vulnerable process.

Automated Detection

Related Vulnerabilities

Two Two recent examples of format-string vulnerabilities resulting from a violation of this rule include include Ettercap and  and Samba.

In Ettercap v.NG-0.7.2, the the ncurses user  user interface suffers from a format-string defect. The The curses_msg() function in  function in ec_curses.c calls  calls wdg_scroll_print(), which takes a format string and its parameters and passes it to to vw_printw(). The The curses_msg() function  function uses one of its parameters as the format string. This input can include user data, allowing for a format-string vulnerability.

The Samba AFS ACL mapping VFS plug-in fails to properly properly sanitize user user-controlled file names that are used in a format specifier supplied to to snprintf(). This This security flaw becomes  becomes exploitable when a user can write to a share that uses Samba's s afsacl.so library  library for setting Windows NT access control lists on files residing on an AFS file system.

Automated Detection

...

Tool

...

Version

...

Checker

...

Description

...

Compass/ROSE

...

...

Fortify SCA

...

5.0

...

Can detect violations of this rule when the -Wformat-security flag is used

...

Klocwork

...

SV.FMTSTR.GENERIC
SV.TAINTED.FMTSTR

...

LDRA tool suite

...

86 D

...

Splint

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Bibliography

...

...

Image Modified Image Modified Image Modified