Format String Vulnerabilities
C++ and strings
The C++ programming language has a couple of different variable types designed to manage text data. These include C strings, which are defined as arrays of characters, and the C++ string data type.
These types of variables can be used for a variety of different purposes. The most visible is printing messages to the console, but strings can also be used to read from and write to files, can be copied from one memory buffer to another, etc.
Learn Secure Coding
An array of C++ functions exist for C++ string manipulation. These include functions like printf and scanf.
The definitions of these functions include a requirement for a format string. This format string can either be a self-contained string to be printed, copied and so on, or it can draw from other variables to build the final string. A failure to use this format string properly creates vulnerabilities in a C++ application.
What are format specifiers?
A C++ format string can be a simple collection of characters. However, this is not a requirement. C++ also permits the use of format specifiers to enable functions like printf to take additional arguments and use them to build the final string.
Some of the more commonly used format specifiers include %d and %i (printing integers), %f (printing floating point numbers) and %s (printing a C string).
However, a number of other format string specifiers exist as well. Some of the more useful ones include:
- %h: Printing the contents of the indicated memory address in hexadecimal
- %p: Printing memory as a pointer
- %n: Writing the number of values printed so far to the indicated memory address
Used properly, format strings and format specifiers enable a developer to perform a number of useful operations in an efficient and compact manner. However, these same format specifiers can also be abused as part of an attack.
How the printf function works
Understanding the risk posed by format strings and format string specifiers requires an awareness of how the printf function and similar functions are defined, and how the stack works within an application.
When looking at the function definitions for the C++ printf function, you’ll notice that the definition includes a single argument (format) followed by an ellipse. This ellipse indicates that the printf function can take a variable number of arguments. At a minimum, it requires the format argument. An example of this would be something like the statement printf(“Hello World!”); . In this case, the string Hello World! is the format string used by printf.
However, printf’s format string can also include format specifiers. For example, an application may want to greet a particular user. One option is to use string concatenation followed by a printf statement:
string greeting = “Hello “;
greeting += input;
greeting += “!n”;
printf(greeting);
While this is effective, it is inefficient. A format string specifier can be used to achieve the same goal much more cleanly. The following statement achieve the same goal of printing a greeting for the user:
printf(“Hello %s!n”,input);
In this example, when printf is called, it receives two arguments. In addition to the format string, the C string input is pushed onto the stack. The printf function pops both arguments off of the stack, replaces the %s format specifier with the corresponding variable and prints the result for the user.
The variable number of arguments in printf is extremely useful. The added flexibility that it provides removes the need for clunky statements like the first example. However, printf’s structure also creates the potential for exploitation if the function is not used correctly.
Misuse of format strings creates vulnerabilities
The definition of printf assumes that a developer will always use a defined format string with additional arguments to handle any untrusted user input. However, this is not always the case.
A developer wishing to echo a user’s input back to the command line may choose to use a simple statement like printf(input”); . Since the user input is likely a C string (or can be converted to one easily), this won’t throw any errors.
However, this design gives the user control over how the printf function works and enables them to use format string specifiers. The image below shows an example of what happens if a malicious user enters an input of %x%x%x%x.
As shown in the image above, two interpretations exist for the purpose of the variables on the stack.
On the left is the calling function’s view of the stack (the true one). Since the developer’s program is not aware that the user entered a string including format string specifiers, the only variable that it pushes to the stack before the call to printf is the user-provided format string. It expects printf to only request one argument.
The other interpretation of the stack is on the right. This is printf’s interpretation of the stack. When it pops and reads its format string, it sees four format specifiers (each %x). It then goes to the stack and pops the variables that it needs to fill these specifiers and prints the resulting string.
The end result of this attack is printing values off of the stack, which may reveal sensitive data stored there. However, this is not the only way that format strings can be exploited. The use of %n allows a user to write to an address that they specify, potentially rewriting crucial values or crashing the program.
Secure string operations with C++
Functions like printf are designed to take a format string and a variable number of arguments that are based on the contents of the format string. C++ developers should always specify their own format string, especially if processing untrusted input. A failure to do so allows a user to define their own, malicious format string.
Learn Secure Coding
Sources
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- Format String Vulnerabilities
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding