Spotting the Sin Pattern

Any application that takes user input and passes it to a formatting function is potentially at risk. One very common instance of this sin happens in conjunction with applications that log user input. Additionally, some functions may implement formatting internally.

Spotting the Sin During Code Review

In C/C++, look for functions from the printf family. Problems to look for are

printf(user_input);             /* untrusted data used directly as the format string */
fprintf(stdout, user_input);    /* the same sin; stdout is the C stream name */

If you see a function that looks like this:

fprintf(stdout, msg_format, arg1, arg2);

then you need to verify where the string referenced by msg_format is stored and how well it is protected.

There are many other system calls and APIs that are also vulnerable; syslog is one example. Any time you see a function definition that includes a variable argument list (`...`) in the argument list, you're looking at something that is likely to be a problem.

Many source code scanners, even the lexical ones like RATS and flawfinder, can detect this. There's even PScan (www.striker.ottawa.on.ca/~aland/pscan/), which was designed specifically for this.

There are also countering tools that can be built into the compilation process. For example, there's Crispin Cowan's FormatGuard: http://lists.nas.nasa.gov/archives/ext/linux-security-audit/2001/05/msg00030.html.

Testing Techniques to Find the Sin

Pass formatting specifiers into the application and see if hexadecimal values are returned. For example, if you have an application that expects a file name and returns an error message containing the input when the file cannot be found, then try giving it file names like NotLikely%x%x.txt. If you get an error message along the lines of "NotLikely12fd234104587.txt cannot be found," then you have just found a format string vulnerability.

This is obviously somewhat language-dependent; at a minimum, you should pass in the formatting specifiers used by the implementation language you're using. However, since many language run times are implemented in C/C++, you'd be wise to also send in C/C++ format string directives to detect cases where your underlying library has a dangerous vulnerability.
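The review pattern and the NotLikely%x%x.txt test above, worked through in C as an added example (not code from the book): the hardened form of the "file cannot be found" message keeps the format string constant and passes the file name only as a %s argument, and a small helper counts printf conversion directives in untrusted input so that a probe like %x%x can be flagged in the log rather than expanded. The function names and the sample file names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Returns the number of printf conversion directives in `s`: a '%' that
 * is not immediately followed by another '%'. A non-zero count on a
 * value that should be a plain file name is the "%x%x" probe described
 * above showing up in the input, and a useful thing to alert on. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* HARDENED form of the "file not found" message. The format string is a
 * constant; the user-controlled name only travels through a %s argument,
 * so "NotLikely%x%x.txt" is echoed byte-for-byte instead of being
 * expanded. Returns the length snprintf would have written. The sinful
 * version is fprintf(stderr, msg) with msg built from file_name. */
int format_not_found(char *out, size_t outsz, const char *file_name)
{
    return snprintf(out, outsz, "%s cannot be found", file_name);
}

/* Writes the message to `log` and returns 1 if the input looked like a
 * format string probe, 0 otherwise. */
int log_file_not_found(FILE *log, const char *file_name)
{
    char msg[256];
    int suspicious = count_format_directives(file_name) > 0;
    format_not_found(msg, sizeof msg, file_name);
    fprintf(log, "%s%s\n", suspicious ? "[format-probe] " : "", msg);
    return suspicious;
}

int main(void)
{
    /* Constructed sample inputs: an ordinary name and the probe above. */
    log_file_not_found(stderr, "report.txt");
    log_file_not_found(stderr, "NotLikely%x%x.txt");
    return 0;
}
```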

Note that if the application is web based and echoes your user input back to you, another concern would be cross-site scripting attacks.

Example Sins

The following entries in Common Vulnerabilities and Exposures (CVE) at http://cve.mitre.org are examples of format string problems. Out of the 188 CVE entries that reference format strings, this is just a sampling.

CVE-2000-0573

From the CVE description: The lreply function in wu-ftpd 2.6.0 and earlier does not properly cleanse an untrusted format string, which allows remote attackers to execute arbitrary commands via the SITE EXEC command.

This is the first publicly known exploit for a format string bug. The title of the BUGTRAQ post underscores the severity of the problem: Providing *remote* root since at least 1994.

CVE-2000-0844

From the CVE description: Some functions that implement the locale subsystem on UNIX do not properly cleanse user-injected format strings, which allows local attackers to execute arbitrary commands via functions such as gettext and catopen.

The full text of the original advisory can be found at www.securityfocus.com/archive/1/80154. This problem is especially interesting because it affects core system APIs for most UNIX variants (including Linux), except for the BSD variants, because BSD ignores the NLSPATH variable for privileged suid applications. This advisory, like many CORE SDI advisories, is especially well written and informative and gives a very thorough explanation of the overall problem.