Sin 2: Format String Problems

Overview of the Sin

Format string problems are one of the few truly new attacks to surface in recent years. One of the first mentions of format string bugs was on June 23, 2000, in a post by Lamagra Argamal (www.securityfocus.com/archive/1/66842); Pascal Bouchareine more clearly explained them almost a month later (www.securityfocus.com/archive/1/70552). An earlier post by Mark Slemko (www.securityfocus.com/archive/1/10383) noted the basics of the problem, but missed the ability of format string bugs to write memory.

As with many security problems, the root cause of format string bugs is trusting user-supplied input without validation. In C/C++, format string bugs can be used to write to arbitrary memory locations, and the most dangerous aspect is that this can happen without tampering with adjoining memory blocks. This fine-grained capability allows an attacker to bypass stack protections, and even modify very small portions of memory. The problem can also occur when the format strings are read from an untrusted location the attacker controls. This latter aspect of the problem tends to be more prevalent on UNIX and Linux systems. On Windows systems, application string tables are generally kept within the program executable, or in resource Dynamic Link Libraries (DLLs). If an attacker can rewrite the main executable or the resource DLLs, the attacker can perform many more straightforward attacks than format string bugs.
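The defect and its fix side by side, as an added example that is not from the book: the vulnerable function passes untrusted text as the format argument, so the text is interpreted; the fixed function uses a constant format and passes the text as data. The audit helper `count_format_directives` and the function names are this example's own inventions. The demonstration input uses only the well-defined `%%` escape so the vulnerable version runs safely, but it still shows that the user's text is being parsed as a format. Modern gcc and clang flag the non-literal format in `render_vulnerable` with `-Wformat-security`.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Vulnerable pattern: attacker-controlled text is used as the format string
   itself, so any conversion directives it contains are interpreted. */
int render_vulnerable(char *out, size_t out_len, const char *user_text)
{
    /* Non-literal format argument: gcc/clang warn here with -Wformat-security. */
    return snprintf(out, out_len, user_text);
}

/* Fixed pattern: the format is a constant and the user text is an argument,
   so "%" characters in the text are copied verbatim and never interpreted. */
int render_fixed(char *out, size_t out_len, const char *user_text)
{
    return snprintf(out, out_len, "%s", user_text);
}

/* Audit helper (hypothetical name, not a library function): count conversion
   directives in a string, treating "%%" as a literal percent sign. Useful in a
   log filter or fuzz harness to flag untrusted strings that reach a
   format-string parameter; a correct program should never need it. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {       /* "%%" is an escaped percent, not a directive */
            s++;
            continue;
        }
        n++;                      /* "%s", "%x", "%n", ... */
    }
    return n;
}

int main(void)
{
    /* Constructed sample input: harmless on its own, but shows the difference. */
    const char *user_text = "Progress: 100%% done";
    char buf[64];

    render_vulnerable(buf, sizeof buf, user_text);
    printf("vulnerable: %s\n", buf);  /* the "%%" was interpreted: "100% done" */

    render_fixed(buf, sizeof buf, user_text);
    printf("fixed:      %s\n", buf);  /* copied verbatim: "100%% done" */

    printf("directives in \"user=%%s id=%%x%%n\": %d\n",
           count_format_directives("user=%s id=%x%n"));
    return 0;
}
```

The check worth taking away is the shape of the call: if the first argument to `printf`, `sprintf`, `syslog` or a similar function is not a string literal, the code needs a reason to be trusted, and the constant-format form is the fix.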

Even if you're not dealing with C/C++, format string attacks can still lead to considerable problems. The most obvious is that users can be misled, but under some conditions, an attacker might also launch cross-site scripting or SQL injection attacks. These can be used to corrupt or transform data as well.

Source: 19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them (ISBN: 71626751, Year: 2003, Pages: 239).