In: Computer Science
How format string vulnerabilities can be exploited for buffer overflow attacks?
Answer::
Buffer overflow attacks are considered to be the most insidious attacks in Information Security.Due to buffer flow attack the attacker could execute your code. Buffer overflow attacks are analogous to the problem of water in a bucket. For example, when more water is added than a bucket can hold, water overflows and spills.
Due to this, we can lost our data and it could leads to inefficient user application with so many flaws.
The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application.In this way the attacker could read ,execute or cause a memory fault in memory while running application.
The attack can be executed if the application doesn't properly validate the input.Suppose you are passing a format parameter %s to a format function,and the conversion specified in the parameters is executed.But if format function want more arguments and if you not supplied then attacker could able read stack or execute stack.
So stop attacker being execute or read stack you have to pass well-crafted input to the format function in the form of format string.
Attackers will usually look out for functions such as:
All these functions are used for moving data between memory locations and are usually mishandled by the developer.
Below are some format parameters which can be used and their consequences:
•”%x” Read data from the stack
•”%s” Read character strings from the process’ memory
•”%n” Write an integer to locations in the process’ memory
Example of vulnerability:
Suppose if you want to print username using printf() function and if you use printf(username) the this kind of statement vulnerable to the attacker and he could execute or read the stack.
Example::
#include <stdio.h>
void main(int argc, char **argv)
{
// This line is safe
printf("%s\n", argv[1]);
// This line is vulnerable
printf(argv[1]);
}
Explaination::
Safe Code
The line printf("%s", argv[1]);
in the example is
safe, if you compile the program and run it:
"Say hii! %s%s%s%s"
The printf
in the first line will not interpret the
“%s%s%s%s” in the input string, and the output will be: “Say hii!
%s%s%s%s”
Vulnerable Code
The line printf(argv[1]);
in the example is
vulnerable, if you compile the program and run it:
./example "Hello World %s%s%s%s%s%s"
The printf
in the second line will interpret the
%s%s%s%s%s%s
in the input string as a reference to
string pointers, so it will try to interpret every %s as a pointer
to a string, starting from the location of the buffer (probably on
the Stack). At some point, it will get to an invalid address, and
attempting to access it will cause the program to crash.