C Secure Coding: Format String Vulnerability Igor Sobinov 2018 28.03.2019

Agenda Vulnerability definition Types of format vulnerability Vulnerability Examples Mitigations

Format String Vulnerability: Overview Format string vulnerability class was discovered in 2001 Format string vulnerabilities are a class of vulnerabilities that take advantage of an easily avoidable programmer error. If the programmer passes an attacker-controlled buffer as an argument to a printf* function, the attacker can perform read and writes access to arbitrary memory addresses.

Format String Vulnerability: Overview Format string vulnerability denial of service attacks are characterized by utilizing multiple instances of the “%s” format specifier to read data off of the stack until the program attempts to read data from an illegal address, which will cause the program to crash. Format string vulnerability reading attacks typically utilize the %x format specifier to print sections of memory or stack that we do not normally have access to. Format string vulnerability writing attacks utilize the %d, %u or %x format specifiers to overwrite the Instruction Pointer and force execution of user-supplied shell code.

Format String Vulnerability: Statistics

Format String Vulnerability: Statistics

Format String Vulnerability: Definition  A format string is a way of telling the C compiler how it should format numbers and other values when it prints them or store to the buffer. It is a ASCII string used to specify and control the representation of different variables. In the C programming language there are a number of functions which accept a format string as an argument: fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf, vsnprintf. OS specific: syslog, setproctitle etc.

Format String Vulnerability: Definition They called variadic functions: accept variable number of arguments. Arguments are expected to be placed on the stack. Function prototype: int printf(const char *format, ...); printf (“The area code is: %d”, 505);

Format String Vulnerability: Format specifiers Format Conversion specifiers: %d The int argument is converted to signed decimal notation %s The const char * argument is expected to be a pointer to an array of character type %x The unsigned int argument is converted to unsigned hexadecimal (x and X) %p The void * pointer argument is printed in hexadecimal (as if by %#x or %#lx) %100x Writes 100 spaces to the output before variable %n The number of characters written so far is stored into the integer pointed to by the corresponding argument. %2$x Ignore the first parameter and prints the second parameter from the argument list

С++ Secure Coding: Program Stack Format string vulnerability is very close to the buffer overflow vulnerability. The stack itself can be viewed as a kind of buffer The size of that buffer is determined by the number and size of the arguments passed to a function Providing a incorrect format string thus induces the program to overflow that “buffer”

С++ Secure Coding: sprintf sprintf is particularly interesting from a security standpoint because it "prints" formatted data to a buffer. Aside from the possibility of a format-string vulnerability, using this particular function can lead to buffer overflow vulnerabilities and should usually be replaced with its length-checking cousin snprintf.

Format String Vulnerability: Examples Format Conversion advantages: printf(“%1000x”, l); //Space padding is 1000 symbols printf(“%2$x”, 1, 2, 3); //Direct parameter access. Issues on gcc “invalid %N$ use detected” 2 printf(“%200$x”) printf(“%n”, &some_variable); //Writes four bytes printf(“%hn”, &some_variable); //Writes two bytes printf(“%100x%2$hn”, 0, &some_variable); //Writes 100 to 2 bytes to “some_variable”

Format String Vulnerability: Examples printf(“%s”): prints bytes pointed to by that stack entry :(�� printf(“%d %d %d %d”): prints a series of stack entries as integers -735270568 0 4195808 1871788256 printf(“%08x %08x %08x %08x”): same but nicely formatted hex 27e37e68 00000000 004005e0 dadd58e0 printf(“100% dave”): prints stack entry 4 bytes above the saved %eip because format ignores spaces between “%d” and “d” 100-1973053272ave printf(“100% no way!”): writes the number 3 to address pointed to by stack entry. %n ignores all spaces between “%” and “n” 100o way!

Format String Vulnerability: Attacks Crashing the program: printf ("%s%s%s%s%s%s%s%s%s%s%s%s"); Viewing the stack: printf ("%08x %08x %08x %08x %08x\n"); Viewing memory at any location Writing an integer to nearly any location in the process memory

Format String Vulnerability: Program Stack Types of programs memory: Text: This is where the code for the program is. Initialized data: This is where global variables that have been declared and given a value are stored. Uninitialized data/BSS: This is where global variables that have been declared but not given a value are stored. Stack: The stack keeps track of the program execution and stores local variables. We'll talk about the stack more soon. Heap: The heap is where dynamic memory allocation takes place. A programmer can utilize the heap to store variables which are only needed for a short period of time and so can be removed from memory later to optimize the program.

Format String Vulnerability: Program Stack Stack keeps track of what function is being executed and the local variables that are defined within that function. When a function is called, a data structure called a stack frame is created. Each function has its own stack frame which contains local variables for that function, parameters passed to the function when it was called, return address which specifies what instruction the program should execute next once the function is done. The ESP register stores current stack pointer

Format String Vulnerability: Program Stack (x86) Stack Grows Memory Addresses

Format String Vulnerability: Program Stack Layout Stack Grows

Format String Vulnerability: Program Stack Layout Stack Grows

С++ Secure Coding: Program Stack void test (void* addr, char* fmt) { int local_var = 0; printf(fmt); } fmt addr return address saved ebp local_var fmt_string return address

С++ Secure Coding: The exploit addr = 0x41414141; fmt = “%p %p %p %p %p” void test (void* addr, char* fmt) { int local = 0; printf(fmt); } arg6 arg5 arg4 arg3 arg2 fmt_string return address

С++ Secure Coding: Program Stack addr = 0x41414141; fmt = “%p %p %p %p %p” void test (void* addr, char* fmt) { int local = 0; printf(fmt); } “0x0, 0xfffca010 0x8040a10 0x41414141 0xfffeafa0” fmt addr return address saved ebp local fmt_string return address

С++ Secure Coding: Program Stack addr = 0x41414141; fmt = “%4$p” void test (void* addr, char* fmt) { int local = 0; printf(fmt); } “0x41414141” fmt addr return address saved ebp local fmt_string return address

С++ Secure Coding: Program Stack addr = 0x41414141; fmt = “%0100x%4$p” void test (void* addr, char* fmt) { int local = 0; printf(fmt); } “<…100 0..>0x41414141” fmt addr return address saved ebp local fmt_string return address

С++ Secure Coding: Program Stack addr = 0x41414141; fmt = “%0100x%4$n” void test (void* addr, char* fmt) { int local = 0; printf(fmt); } “<…100 0..> write 100 to addr” written 100 to 0x41414141 fmt addr return address saved ebp local fmt_string return address

Format String Vulnerability: Sudo format string vunerability Feb 2012: “sudo format string vulnerability” CVE-2012-0809 allows to get root shell for any logged in user. Most of Linux distributives were affected: Fedora, Ubuntu, Debian, etc. It looks like sudo creators didn’t use or ignore GCC format-related compilation flags or warnings. Top level projects that were affected to format string vulnerability: Axiom mail server, Pigeon instant messenger, CUPS (Common Unix Printing System)

Format String Vulnerability: sudo format string vulnerability void sudo_debug(int level, const char *fmt, ...) { va_list ap; char *fmt2; if (level > debug_level) return; /* Backet fmt with program name and a newline to make it a single write */ easprintf(&fmt2, "%s: %s\n", getprogname(), fmt); va_start(ap, fmt); vfprintf(stderr, fmt2, ap); va_end(ap); efree(fmt2); } Here getprogname() is argv[0] and by this user controlled. So argv[0] goes to fmt2 which then gets vfprintf()-ed to stderr. The result is a Format String vulnerability. Exploit.

Format String Vulnerability: Demo “Dead beef” #include <stdio.h> int num1 = 0xdead; int main(int argc, char **argv){ int num2 = 0xbeef; int *ptr = &num1; printf(argv[1]); if (0xabc == num1){ printf(“Global done"); } if(0xdef == num2) printf(“Local done"); printf("\n num1: 0x%x [%p] num2: 0x%x [%p]\n", num1, &num1, num2, &num2); return 0;

Format String Vulnerability: Mitigations The good thing about format-string vulnerabilities is that they are relatively easy to find in a source-code audit. Always specify a format string as part of program, not as an input. Most format string vulnerabilities are solved by specifying “%s” as format string and not using the data string as format string. Number of arguments should be the same as number of format specifiers. -fstack-protector (alloca and buffers > 8 bytes) -fstack-protector-all FormatGuard: Automatic Protection From printf Format String Vulnerabilities

Format String Vulnerability: Mitigations Address randomization: just like the countermeasures used to protect against buffer-overflow attacks, address randomization makes it difficult for the attackers to find out what address they want to read/write. # cat /proc/sys/kernel/randomize_va_space 2 # sysctl -a --pattern randomize kernel.randomize_va_space = 2 0 = Disabled 1 = Conservative Randomization 2 = Full Randomization To support ASLR an application should be build against “Position Independent Executable” (PIE) support. GCC “-fPIE” option is used for it

Format String Vulnerability: _FORTIFY_SOURCE _FORTIFY_SOURCE is a kind of GCC feature test macro (man 7 feature_test_macros) gcc -D_FORTIFY_SOURCE=1 adds checks at compile-time only (some headers are necessary as #include <string.h>) gcc -D_FORTIFY_SOURCE=2 also adds additional checks at run-time (detected buffer overflow terminates the program)

Format String Vulnerability: _FORTIFY_SOURCE *** %n in writable segment detected *** Aborted On x86, use of "%n" in a format string is limited to read-only memory (not stack or heap allocated strings). *** invalid %N$ use detected *** Aborted (core dumped) Format string positional values are being skipped, which means their type (and size on the stack) cannot be checked. This could cause unexpected results including stack content leaks, especially when using %n. This is invalid, for example: printf("%2$s\n", 0, "Test"); because position 1 is skipped.

Format String Vulnerability: Mitigations VC: Possible to use VC SAL annotation “_Printf_format_string_” tell compiler to validate the format string: #define FORMAT_STRING(p) _Printf_format_string_ p extern void log_error(FORMAT_STRING(const char* format), ...); GCC: __attribute__(__format__)  format (archetype, string-index, first-to-check) extern int my_printf (void *my_object, const char *my_format, ...) __attribute__ ((format (printf, 2, 3)));

Format String Vulnerability: Format security -Wformat: Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified, and that the conversions specified in the format string make sense. -Wformat-security: If -Wformat is specified warns about calls to printf and scanf functions where the format string is not a string literal and there are no format arguments, as in printf (foo) -Wformat-nonliteral:If -Wformat is specified, also warn if the format string is not a string literal and so cannot be checked

Format String Vulnerability: Format security Enables compile-time warnings about misuse of format strings, some of which can have security implications. Failure examples: warning: format ‘%s’ expects type ‘char *’, but argument 3 has type ‘int’ For packages that aren't already building with -Wall, format character to argument types will be checked. Verify the correct variables for a given format string.

Format String Vulnerability: Format security warning: format not a string literal and no format arguments This is caused by code that forgot to use "%s" for a *printf function. For example: fprintf(stderr,buf); should be: fprintf(stderr,"%s",buf); Disabled with -Wno-format-security or -Wformat=0 in CPPFLAGS.

Format String Vulnerability: Automation code scan RATS, the Rough Auditing Tool for Security  is a free source-code scanner Flawfinder: Open source scanner that examines C/C++ source code and reports possible security weaknesses Veracode: commercial code scanner

Security Design Principles Appendix

Hacking: The Art of Exploitation References Hacking: The Art of Exploitation

Security Design Principles Q&A