3. 3
Format String Vulnerability: Overview
Format string vulnerability class was discovered in 2001
Format string vulnerabilities are a class of vulnerabilities that take advantage of an easily
avoidable programmer error. If the programmer passes an attacker-controlled buffer as an
argument to a printf* function, the attacker can perform read and writes access to
arbitrary memory addresses.
4. 4
Format String Vulnerability: Overview
• Format string vulnerability denial of service attacks are characterized by utilizing multiple
instances of the “%s” format specifier to read data off of the stack until the program
attempts to read data from an illegal address, which will cause the program to crash.
• Format string vulnerability reading attacks typically utilize the %x format specifier to
print sections of memory or stack that we do not normally have access to.
• Format string vulnerability writing attacks utilize the %d, %u or %x format specifiers to
overwrite the Instruction Pointer and force execution of user-supplied shell code.
7. 7
Format String Vulnerability: Definition
A format string is a way of telling the C compiler how it should format numbers and other
values when it prints them or store to the buffer. It is a ASCII string used to specify and
control the representation of different variables.
In the C programming language there are a number of functions which accept a format
string as an argument: fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf, vsnprintf. OS
specific: syslog, setproctitle etc.
8. 8
Format String Vulnerability: Definition
They called variadic functions: accept variable number of arguments. Arguments are
expected to be placed on the stack.
Function prototype:
int printf(const char *format, ...);
printf (“The area code is: %d”, 505);
9. 9
Format String Vulnerability: Format specifiers
Format Conversion specifiers:
%d The int argument is converted to signed decimal notation
%s The const char * argument is expected to be a pointer to an array of character
type
%x The unsigned int argument is converted to unsigned hexadecimal (x and X)
%p The void * pointer argument is printed in hexadecimal (as if by %#x or %#lx)
%100x Writes 100 spaces to the output before variable
%n The number of characters written so far is stored into the integer pointed to by
the corresponding argument.
%2$x Ignore the first parameter and prints the second parameter from the argument
list
10. 10
С++ Secure Coding: Program Stack
Format string vulnerability is very close to the buffer overflow vulnerability.
• The stack itself can be viewed as a kind of buffer
• The size of that buffer is determined by the number and size of the arguments passed
to a function
• Providing a incorrect format string thus induces the program to overflow that
“buffer”
11. 11
С++ Secure Coding: sprintf
sprintf is particularly interesting from a security standpoint because it "prints"
formatted data to a buffer. Aside from the possibility of a format-string vulnerability,
using this particular function can lead to buffer overflow vulnerabilities and should
usually be replaced with its length-checking cousin snprintf.
12. 12
Format String Vulnerability: Examples
Format Conversion advantages:
• printf(“%1000x”, l); //Space padding is 1000 symbols
0
• printf(“%2$x”, 1, 2, 3); //Direct parameter access. Issues on gcc “invalid %N$
use detected”
2
• printf(“%200$x”)
• printf(“%n”, &some_variable); //Writes four bytes
• printf(“%hn”, &some_variable); //Writes two bytes
• printf(“%100x%2$hn”, 0, &some_variable); //Writes 100 to 2 bytes to
“some_variable”
0
13. 13
Format String Vulnerability: Examples
• printf(“%s”): prints bytes pointed to by that stack entry
:(��•
• printf(“%d %d %d %d”): prints a series of stack entries as integers
-735270568 0 4195808 1871788256
• printf(“%08x %08x %08x %08x”): same but nicely formatted hex
27e37e68 00000000 004005e0 dadd58e0
• printf(“100% dave”): prints stack entry 4 bytes above the saved %eip because
format ignores spaces between “%d” and “d”
100-1973053272ave
• printf(“100% no way!”): writes the number 3 to address pointed to by stack
entry. %n ignores all spaces between “%” and “n”
100o way!
14. 14
Format String Vulnerability: Attacks
• Crashing the program: printf ("%s%s%s%s%s%s%s%s%s%s%s%s");
• Viewing the stack: printf ("%08x %08x %08x %08x %08xn");
• Viewing memory at any location
• Writing an integer to nearly any location in the process memory
15. 15
Format String Vulnerability: Program Stack
Types of programs memory:
Text: This is where the code for the program is.
Initialized data: This is where global variables that have been declared and given a value
are stored.
Uninitialized data/BSS: This is where global variables that have been declared but not
given a value are stored.
Stack: The stack keeps track of the program execution and stores local variables. We'll talk
about the stack more soon.
Heap: The heap is where dynamic memory allocation takes place. A programmer can utilize
the heap to store variables which are only needed for a short period of time and so can be
removed from memory later to optimize the program.
16. 16
Format String Vulnerability: Program Stack
Stack keeps track of what function is being executed and the local variables that are
defined within that function.
When a function is called, a data structure called a stack frame is created.
Each function has its own stack frame which contains
• local variables for that function,
• parameters passed to the function when it was called,
• return address which specifies what instruction the program should execute next once
the function is done.
The ESP register stores current stack pointer
20. 20
С++ Secure Coding: Program Stack
fmt
addr
return address
saved ebp
local_var
fmt_string
return address
void test (void* addr, char* fmt)
{
int local_var = 0;
printf(fmt);
}
21. 21
С++ Secure Coding: The exploit
arg6
arg5
arg4
arg3
arg2
fmt_string
return address
addr = 0x41414141;
fmt = “%p %p %p %p %p”
void test (void* addr, char* fmt)
{
int local = 0;
printf(fmt);
}
22. 22
С++ Secure Coding: Program Stack
fmt
addr
return address
saved ebp
local
fmt_string
return address
addr = 0x41414141;
fmt = “%p %p %p %p %p”
void test (void* addr, char* fmt)
{
int local = 0;
printf(fmt);
}
“0x0, 0xfffca010 0x8040a10 0x41414141
0xfffeafa0”
23. 23
С++ Secure Coding: Program Stack
fmt
addr
return address
saved ebp
local
fmt_string
return address
addr = 0x41414141;
fmt = “%4$p”
void test (void* addr, char* fmt)
{
int local = 0;
printf(fmt);
}
“0x41414141”
24. 24
С++ Secure Coding: Program Stack
fmt
addr
return address
saved ebp
local
fmt_string
return address
addr = 0x41414141;
fmt = “%0100x%4$p”
void test (void* addr, char* fmt)
{
int local = 0;
printf(fmt);
}
“<…100 0..>0x41414141”
25. 25
С++ Secure Coding: Program Stack
fmt
addr
return address
saved ebp
local
fmt_string
return address
addr = 0x41414141;
fmt = “%0100x%4$n”
void test (void* addr, char* fmt)
{
int local = 0;
printf(fmt);
}
“<…100 0..> write 100 to addr” written 100 to
0x41414141
26. 26
Format String Vulnerability: Sudo format string vunerability
Feb 2012: “sudo format string vulnerability” CVE-2012-0809 allows to get root shell for
any logged in user. Most of Linux distributives were affected: Fedora, Ubuntu, Debian,
etc.
It looks like sudo creators didn’t use or ignore GCC format-related compilation flags or
warnings.
Top level projects that were affected to format string vulnerability: Axiom mail server,
Pigeon instant messenger, CUPS (Common Unix Printing System)
27. 27
Format String Vulnerability: sudo format string vulnerability
void sudo_debug(int level, const char *fmt, ...) {
va_list ap; char *fmt2;
if (level > debug_level) return;
/* Backet fmt with program name and a newline to make it a single
write */
easprintf(&fmt2, "%s: %sn", getprogname(), fmt);
va_start(ap, fmt);
vfprintf(stderr, fmt2, ap);
va_end(ap);
efree(fmt2);
}
Here getprogname() is argv[0] and by this user controlled. So argv[0] goes to fmt2 which
then gets vfprintf()-ed to stderr. The result is a Format String vulnerability. Exploit.
28. 28
Format String Vulnerability: Demo “Dead beef”
#include <stdio.h>
int num1 = 0xdead;
int main(int argc, char **argv){
int num2 = 0xbeef;
int *ptr = &num1;
printf(argv[1]);
if (0xabc == num1)
printf(“Global done");
if(0xdef == num2)
printf(“Local done");
printf("n num1: 0x%x [%p] num2: 0x%x [%p]n", num1, &num1, num2,
&num2);
return 0;
}
29. 29
Format String Vulnerability: Mitigations
The good thing about format-string vulnerabilities is that they are relatively easy to find in a
source-code audit.
• Always specify a format string as part of program, not as an input. Most format string
vulnerabilities are solved by specifying “%s” as format string and not using the data
string as format string.
• Number of arguments should be the same as number of format specifiers.
• -fstack-protector (alloca and buffers > 8 bytes)
• -fstack-protector-all
• FormatGuard: Automatic Protection From printf Format String Vulnerabilities
30. 30
Format String Vulnerability: Mitigations
Address randomization: just like the countermeasures used to protect against buffer-
overflow attacks, address randomization makes it difficult for the attackers to find out what
address they want to read/write.
# cat /proc/sys/kernel/randomize_va_space
2
# sysctl -a --pattern randomize
kernel.randomize_va_space = 2
0 = Disabled
1 = Conservative Randomization
2 = Full Randomization
To support ASLR an application should be build against “Position Independent Executable”
(PIE) support. GCC “-fPIE” option is used for it
31. 31
Format String Vulnerability: _FORTIFY_SOURCE
• _FORTIFY_SOURCE is a kind of GCC feature test macro (man 7 feature_test_macros)
• gcc -D_FORTIFY_SOURCE=1 adds checks at compile-time only (some headers are necessary as #include
<string.h>)
• gcc -D_FORTIFY_SOURCE=2 also adds additional checks at run-time (detected buffer overflow terminates
the program)
32. 32
Format String Vulnerability: _FORTIFY_SOURCE
*** %n in writable segment detected ***
Aborted
On x86, use of "%n" in a format string is limited to read-only memory (not stack or heap allocated strings).
*** invalid %N$ use detected ***
Aborted (core dumped)
Format string positional values are being skipped, which means their type (and size on the stack) cannot be
checked. This could cause unexpected results including stack content leaks, especially when using %n. This is
invalid, for example: printf("%2$sn", 0, "Test"); because position 1 is skipped.
33. 33
Format String Vulnerability: Mitigations
• VC: Possible to use VC SAL annotation “_Printf_format_string_” tell compiler to validate
the format string:
#define FORMAT_STRING(p) _Printf_format_string_ p
extern void log_error(FORMAT_STRING(const char* format), ...);
• GCC: __attribute__(__format__)
format (archetype, string-index, first-to-check)
extern int
my_printf (void *my_object, const char *my_format, ...)
__attribute__ ((format (printf, 2, 3)));
34. 34
Format String Vulnerability: Format security
-Wformat: Check calls to printf and scanf, etc., to make sure that the arguments supplied
have types appropriate to the format string specified, and that the conversions specified in
the format string make sense.
-Wformat-security: If -Wformat is specified warns about calls to printf and scanf functions
where the format string is not a string literal and there are no format arguments, as in
printf (foo)
-Wformat-nonliteral:If -Wformat is specified, also warn if the format string is not a string
literal and so cannot be checked
35. 35
Format String Vulnerability: Format security
Enables compile-time warnings about misuse of format strings, some of which can have security
implications.
Failure examples:
warning: format ‘%s’ expects type ‘char *’, but argument 3 has type ‘int’
For packages that aren't already building with -Wall, format character to argument types will be
checked. Verify the correct variables for a given format string.
36. 36
Format String Vulnerability: Format security
warning: format not a string literal and no format arguments
This is caused by code that forgot to use "%s" for a *printf function. For example:
fprintf(stderr,buf);
should be:
fprintf(stderr,"%s",buf);
Disabled with -Wno-format-security or -Wformat=0 in CPPFLAGS.
37. 37
Format String Vulnerability: Automation code scan
• RATS, the Rough Auditing Tool for Security is a free source-code scanner
• Flawfinder: Open source scanner that examines C/C++ source code and reports possible
security weaknesses
• Veracode: commercial code scanner