Format String Bugs

Format string bugs aren't exactly a buffer overflow, but because they lead to the same problems, I'll cover them here. Unless you follow security vulnerability mailing lists closely, you might not be familiar with this problem. You can find two excellent postings on the problem in BugTraq: one is by Tim Newsham and is available at www.securityfocus.com/archive/1/81565, and the other is by Lamagra Argamal and is available at www.securityfocus.com/archive/1/66842.

The basic problem stems from the fact that there isn't any realistic way for a function that takes a variable number of arguments to determine how many arguments were passed in. (The most common functions that take a variable number of arguments, including C run-time functions, are the printf family of calls.) If an attacker controls the format string, every conversion specifier in it consumes an argument the caller never supplied, so the function simply reads whatever happens to sit on the stack where the real arguments would have been. What makes this problem interesting is that the %n format specifier writes the number of characters output so far by that call into the int pointed to by the corresponding argument. Because the attacker also controls field widths, he controls the value that gets written, and because the missing pointer argument is read from the stack, he has considerable control over where it is written. With a bit of tinkering, we find that more or less arbitrary locations in our process's memory space are now overwritten with values of the attacker's choice. A large number of format string bugs have been found in UNIX and UNIX-like applications over the last year. Exploiting such bugs is a little more difficult on Windows systems only because many of the chunks of memory we'd like to write are located at 0x00ffffff or below (for example, the stack will normally be found in the range of approximately 0x00120000), so the target address contains a zero byte, which terminates the attacker's string when it arrives as ordinary C string data.

The fix to the problem is relatively simple: always supply the format string yourself, as a literal, and pass untrusted data only as an argument. For example, printf(input); is exploitable, and printf("%s", input); is not. The same rule applies to every function that takes a printf-style format, including sprintf, snprintf, fprintf, syslog, and any wrapper of your own built on vprintf or vsnprintf. GCC and Clang will flag the exploitable form with -Wformat-security (and, more strictly, -Wformat-nonliteral), so it is worth turning those warnings on and treating them as errors.

Despite the fact that I didn't include a demo application, always remember that if you allow an attacker to start writing memory anywhere in your application, it's just a matter of time before he figures out how to turn it into a crash or execution of arbitrary code. This bug is fairly simple to avoid. Take special care if you have custom format strings stored to support versions of your application in different languages. If you do, make sure that the strings can't be written by unprivileged users, and verify when you load them that each translated string contains exactly the conversions the code will supply arguments for, in the same order, and no %n.
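The fix described above and the localization caveat, as an added C example that is not part of the original text: safe_render shows the corrected call, n_stores_count shows what %n actually stores (and why the attacker's control over field width matters), and format_matches is an assumed helper that checks a stored, translatable format string against the reference format the code was written for, rejecting %n and any change in the number or order of conversions. All function names and the sample strings are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* The fix from the text: untrusted data goes in as an argument, never
 * as the format. Returns the length snprintf reports. The exploitable
 * form would be snprintf(out, outlen, input); with no "%s". */
int safe_render(const char *input, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", input);
}

/* What %n actually does: it stores the number of characters output so
 * far into the int its argument points to. Whoever controls the format
 * controls that number through field widths. Returns the stored value,
 * or -1 for widths outside the range this demo accepts. */
int n_stores_count(int width)
{
    char buf[128];                  /* large enough for any width we accept */
    int stored = -1;
    if (width < 0 || width > 100)
        return -1;
    /* "%*d" pads the value 0 to 'width' columns; "%n" then records it. */
    snprintf(buf, sizeof buf, "%*d%n", width, 0, &stored);
    return stored;
}

/* Collect the conversion letters of a format string (flags, width,
 * precision and length modifiers are skipped; "%%" is not a conversion).
 * Returns the number of conversions, or -1 if the string contains %n
 * or a '%' with nothing after it. At most 'max' letters are stored. */
static int conversion_letters(const char *fmt, char *convs, size_t max)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* literal percent sign */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;                            /* modifiers */
        if (*p == '\0' || *p == 'n')
            return -1;                      /* truncated, or a write */
        if (n < max)
            convs[n] = *p;
        n++;
    }
    return (int)n;
}

/* A stored, translatable format string is acceptable only if it
 * consumes exactly the arguments the reference format does, in the
 * same order, and never writes through %n. Returns 1 if acceptable. */
int format_matches(const char *reference, const char *candidate)
{
    char ref[32], cand[32];
    int nr = conversion_letters(reference, ref, sizeof ref);
    int nc = conversion_letters(candidate, cand, sizeof cand);
    if (nr < 0 || nc < 0 || nr != nc || nr > (int)sizeof ref)
        return 0;
    return memcmp(ref, cand, (size_t)nr) == 0;
}

int main(void)
{
    char out[64];
    /* Constructed inputs: a hostile string and two candidate translations. */
    safe_render("%n%n%n%n", out, sizeof out);
    printf("rendered safely: %s\n", out);
    printf("%%n after a %d-wide field stores %d\n", 30, n_stores_count(30));
    printf("good translation: %d\n",
           format_matches("User %s has %d messages",
                          "Benutzer %s hat %d Nachrichten"));
    printf("hostile translation: %d\n",
           format_matches("User %s has %d messages", "%x %x %x %s %n"));
    return 0;
}
```

format_matches deliberately compares conversion letters only, so a translator may reorder words, change padding or precision, or add literal text, but cannot add a conversion that reads an argument the code never passed, reorder conversions so that an int is consumed as a char pointer, or introduce %n. A trailing bare '%' is rejected as well, since it makes the behaviour of the call undefined.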



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2005
