Chapter 9: Format String Attacks

Now that you have learned how overflows work, let's build on this knowledge about the call stack and CPU (covered in the previous chapter on buffer overflows) to understand a clever attack known as the format string attack. Imagine a fantastic opportunity for malicious hackers that existed for years in plain sight in the core C language specification. In addition to showing how these creative attacks work and describing ways to test for them, this chapter walks you through a demonstration of just how easily software flaws can be exploited.

Important  

Format string attacks aren't limited to C programs running on the Microsoft Windows operating system: as with buffer overflows, you can find vulnerable programs for Linux, BSD, and MacOS, embedded systems, and other platforms and environments. Consider, for example, that some Perl scripts are vulnerable to format string attacks ( http://www.securityfocus.com/archive/1/418460/30/30 ). Even Java isn't immune to these attacks! The Security Focus Web site ( http://www.securityfocus.com/bid/15079/discuss ) includes more details on a case in which VERITAS Netbackup allowed for remote system compromise by a format string attack. Just because a program isn't written in the C programming language doesn't mean it is immune to this attack.

Before delving into the specifics of testing, this chapter takes a quick look at what format strings are, how they operate relative to the stack, and how they are used. For a complete discussion of what format strings are, please refer to the appropriate programming language documentation.

More Info  

Information about C format string specifiers is also available on the Microsoft Web site at http://msdn.microsoft.com/library/en-us/vclib/html/_crt_Format_Specification_Fields_.2d_.printf_and_wprintf_Functions.asp .

What are Format Strings?

Consider the basic case of needing to display the text AAAA to the user of a computer program with standard C library routines, such as the printf("AAAA") function, which outputs data to the console window: the application handles it fine and the user sees AAAA with no problem. It turns out the first parameter can contain format specifiers, which change how the output looks. For example, consider the following code:

 printf("I ate %d cheeseburgers.",2); 

In this case, %d is the format specifier for an integer data type. The preceding code replaces %d with the number 2 and produces the following output:

 I ate 2 cheeseburgers. 

How did that work? To call printf, the caller first places the number 2 on the stack and then follows it with a pointer to the string "I ate %d cheeseburgers." In this case, printf takes the value 2 from the stack and replaces the %d with 2 to format the output.

There is also a %s format string specifier. This specifier causes printf to replace the %s with the contents of a null-terminated string buffer rather than just the number. For example,

 printf("%s ate %d cheeseburgers.", "Chris Gallagher", 1000); 

would result in the following:

 Chris Gallagher ate 1000 cheeseburgers. 

That seems harmless enough at first glance, but there is more to the story.
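The rule above, that each specifier pulls the next value from the stack, is exactly what a code reviewer checks: the conversions in a format string must match the arguments the caller actually passes. The following added example, not code from the book, parses a printf-style format string and counts how many arguments it will consume, handling "%%", '*' width and precision, flags and length modifiers; the function names are my own.

```c
#include <string.h>

/* Count how many variadic arguments a printf-style format string consumes.
 * "%%" consumes nothing; a '*' used as width or precision consumes one extra
 * int; every other conversion (including %n) consumes one argument.
 * Returns -1 if the string is malformed (a '%' with no valid conversion). */
int count_conversions(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;                              /* ordinary text */
        p++;                                       /* step past '%' */
        if (*p == '%')
            continue;                              /* literal '%' */
        while (*p != '\0' && strchr("-+ #0", *p) != NULL)
            p++;                                   /* flags */
        if (*p == '*') {
            count++;                               /* width from an argument */
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;                               /* literal width */
        }
        if (*p == '.') {                           /* precision */
            p++;
            if (*p == '*') {
                count++;                           /* precision from an argument */
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p != '\0' && strchr("hlLqjzt", *p) != NULL)
            p++;                                   /* length modifiers */
        if (*p == '\0' || strchr("diouxXeEfFgGaAcspn", *p) == NULL)
            return -1;                             /* dangling or unknown conversion */
        count++;
    }
    return count;
}

/* True when the format consumes exactly the number of arguments supplied. */
int format_args_match(const char *fmt, int nargs)
{
    int n = count_conversions(fmt);
    return n >= 0 && n == nargs;
}
```

For the book's two calls, count_conversions returns 1 and 2 respectively; a string a program did not write itself that yields anything other than 0 should never be passed as a format.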

More Info  

The printf function is not the only function that uses format string specifiers. Table 9-1, included in the section titled Reviewing Code later in this chapter, lists some of the functions that use format string specifiers. In addition to writing to the program's output ( printf ), these functions are commonly used to format data to be stored in a file ( fprintf ), to store data in a buffer ( sprintf ), and to format user-supplied input ( scanf ).

Table 9-1: Functions That Use Format String Specifiers

_cprintf      _sntprintf    _vsntprintf   sscanf
_cscanf       _sntscanf     _vsnwprintf   swscanf
_cwprintf     _snwprintf    _vstprintf    vfprintf
_cwscanf      _snwscanf     _vtprintf     vfwprintf
_ftscanf      _stscanf      fprintf       vprintf
_scprintf     _tcprintf     fscanf        vsprintf
_sctprintf    _tprintf      fwprintf      vswprintf
_scwprintf    _tscanf       fwscanf       vwprintf
_snprintf     _vftprintf    printf        wprintf
_snscanf      _vsnprintf    scanf         wscanf


Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156