Question

How format string vulnerabilities can be exploited for buffer overflow attacks?

Answer 1

Answer::

Buffer overflow attacks are considered to be the most insidious attacks in Information Security.Due to buffer flow attack the attacker could execute your code. Buffer overflow attacks are analogous to the problem of water in a bucket. For example, when more water is added than a bucket can hold, water overflows and spills.

Due to this, we can lost our data and it could leads to inefficient user application with so many flaws.

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application.In this way the attacker could read ,execute or cause a memory fault in memory while running application.

• Components of format string

1. The Format Function is an ANSI C conversion function, like printf, fprintf, which converts a primitive variable of the programming language into a human-readable string representation.
2. The Format String is the argument of the Format Function and is an ASCII Z string which contains text and format parameters, like: printf (“The magic number is: %d\n”, 2020);
3. The Format String Parameter, like %x %s,%n defines the type of conversion of the format function.

The attack can be executed if the application doesn't properly validate the input.Suppose you are passing a format parameter %s  to a format function,and the conversion specified in the parameters is executed.But if format function want more arguments and if you not supplied then attacker could able read stack or execute stack.

So stop attacker being execute or read stack you have to pass well-crafted input to the format function in the form of format string.

Attackers will usually look out for functions such as:

1. strcpy
2. strncpy
3. strcat
4. sprint
5. scanf
6. fgets
7. gets
8. getws
9. memcpy
10. memmove

All these functions are used for moving data between memory locations and are usually mishandled by the developer.

Below are some format parameters which can be used and their consequences:

•”%x” Read data from the stack

•”%s” Read character strings from the process’ memory

•”%n” Write an integer to locations in the process’ memory

Example of vulnerability:

Suppose if you want to print username using printf() function and if you use printf(username) the this kind of statement vulnerable to the attacker and he could execute or read the stack.

Example::

#include  <stdio.h> 
void main(int argc, char **argv)
{
        // This line is safe
        printf("%s\n", argv[1]);

        // This line is vulnerable
        printf(argv[1]);
}

Explaination::

Safe Code

The line printf("%s", argv[1]); in the example is safe, if you compile the program and run it:

"Say hii! %s%s%s%s"

The printf in the first line will not interpret the “%s%s%s%s” in the input string, and the output will be: “Say hii! %s%s%s%s”

Vulnerable Code

The line printf(argv[1]); in the example is vulnerable, if you compile the program and run it:

./example "Hello World %s%s%s%s%s%s"

The printf in the second line will interpret the %s%s%s%s%s%s in the input string as a reference to string pointers, so it will try to interpret every %s as a pointer to a string, starting from the location of the buffer (probably on the Stack). At some point, it will get to an invalid address, and attempting to access it will cause the program to crash.