In C/C++, look for functions from the printf family. The problem to look for is a call in which the format string itself comes from the user, for example
printf(user_input); fprintf(stdout, user_input);
If you see a function that looks like this:
fprintf(stdout, msg_format, arg1, arg2);
then you need to verify where the string referenced by msg_format is stored and how well it is protected: whether it is a compile-time constant, or whether it can be modified by an attacker before the call (for example, if it is read from a file, the environment, or the network, or sits in a writable buffer that an earlier overflow could reach).
There are many other system calls and library APIs that are also vulnerable; syslog is one example. Any time you see a function definition that includes ... (a variable-length argument list) in the argument list, you are looking at something that is likely to be a problem, because the function almost certainly passes a format string along to the printf family.
Many source code scanners, even the lexical ones like RATS and flawfinder, can detect this. There is even PScan (www.striker.ottawa.on.ca/~aland/pscan/), which was designed specifically for this.
There are also countering tools that can be built into the compilation process. For example, there is Crispin Cowan's FormatGuard: http://lists.nas.nasa.gov/archives/ext/linux-security-audit/2001/05/msg00030.html
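The following is an added example, not code from the original text: it places the vulnerable pattern described above (user data used as the format string) beside its hardened form, shows how to declare a variadic wrapper so the compiler can check its callers, and adds a small tripwire that counts active conversion directives in data that should never contain any. All function names are hypothetical; the sample strings are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the caller's data becomes the format string. Every % directive
 * in `msg` is interpreted: %x/%p read up the stack, %s dereferences whatever
 * is there, and %n writes to it. gcc/clang with -Wformat-security warn here
 * ("format not a string literal and no format arguments"). */
int format_unsafe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, msg);
}

/* HARDENED: constant format string; the untrusted data is only an argument. */
int format_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* A wrapper that takes "..." is exactly the kind of definition to inspect.
 * The format attribute tells the compiler which parameter is the format and
 * where the matching arguments start, so each call site is checked the same
 * way a direct printf call would be. (Hypothetical wrapper, GNU/clang only.) */
#if defined(__GNUC__) || defined(__clang__)
__attribute__((format(printf, 3, 4)))
#endif
int log_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Count conversion directives that would actually consume an argument:
 * any '%' not immediately followed by another '%'. A lone trailing '%' is
 * counted too, since printf's behaviour on it is undefined. A non-zero count
 * in a string that is supposed to be plain data is a red flag worth logging. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Runs the same constructed input through both paths. "100%% done" is chosen
 * because "%%" is the one directive that is safe to let the unsafe path
 * interpret; it still shows that the input is being parsed, not copied.
 * Returns 1 when every observation matches what the text predicts. */
int selftest(void)
{
    char buf[64];
    int ok = 1;

    format_unsafe(buf, sizeof buf, "100%% done");
    ok &= (strcmp(buf, "100% done") == 0);    /* "%%" was consumed */

    format_safe(buf, sizeof buf, "100%% done");
    ok &= (strcmp(buf, "100%% done") == 0);   /* passed through verbatim */

    log_fmt(buf, sizeof buf, "user=%s id=%d", "alice", 7);
    ok &= (strcmp(buf, "user=alice id=7") == 0);

    return ok;
}

int main(void)
{
    /* Constructed sample of what an attacker might submit as a "username". */
    const char *probe = "alice %x %x %x %n";

    printf("selftest: %s\n", selftest() ? "ok" : "FAILED");
    printf("directives in \"%s\": %zu\n", probe, count_directives(probe));
    printf("directives in \"100%%%% done\": %zu\n",
           count_directives("100%% done"));
    return selftest() ? 0 : 1;
}
```

Compile with `gcc -Wall -Wformat -Wformat-security` and the compiler flags the snprintf inside format_unsafe but stays silent on format_safe and on well-formed calls to log_fmt; pass log_fmt a mismatched argument list and the format attribute makes the compiler report that too. The probe string is only ever fed to count_directives here: running it through format_unsafe would dereference and write through stack garbage, which is the bug the text is warning about.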