search

Format String Exploitation

Exploiting format string flaw

A Format String attack can occur when an input string data is processed by a vulnerable function so that attacker can pass the formats to exploit the stack values with the help of format string functions/printf() family functions.

hashtag
Common Formats in Printf() Family

  1. %c — Formats a single character

  2. %d — Formats an integer in decimal value

  3. %f — Formats float in decimal value

  4. %p — Formats a pointer to address location

  5. %s — Formats a string

  6. %x — Formats a hexadecimal value

  7. %n — Number of bytes written

hashtag
Vulnerable Functions to Format String

  1. printf()

  2. fprintf()

  3. sprintf()

  4. vprintf()

  5. snprintf()

  6. vsnprintf()

  7. vfprintf()

hashtag
Vulnerable code example

Compiling this binary with GCC (no flags)

When we pass a normal string data, it prints it successfully

If we pass beyond the buffer it gets crashed. But if we pass string with format values, it gives us the random stack values which is being popped from it:

hashtag
Other Scenarios

hashtag
Mitigation

  1. Use format strings corresponding to the assigned variables

  2. Use of “%s” as format string can make the whole input as a single string

  3. Use arguments to call values and functions

  4. Defensive strategy like ‘format_gaurd’ can be used

hashtag
References

LogoGitHub - arthaud/formatstring: Format string exploitation helperGitHubchevron-right
LogoAttacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!Orange Tsaichevron-right
LogoEXPLOITING FORMAT STRING VULNERABILITYMediumchevron-right
LogoFormat string attack | OWASP Foundationowasp.orgchevron-right
LogoFormat String ExploitMediumchevron-right

PreviousFinding SSRF (all scope)NextCache Poisoning using Nuclei

Last updated