CSC 482/582: Computer Security
Format String Vulnerabilities
Variadic Functions

Functions with a variable number of arguments.
  Use <stdarg.h> in standard C.
  Supported by most languages in some way.
Defining the interface:
  The memory location where the variadic arguments begin.
  The size of each argument (int, double, etc.).
  A method for communicating the count of arguments.
Repeat to find all arguments:
  Increment the pointer by the argument size.
  Get the data.
Variadic Functions in C

    #include <stdarg.h>

    double average(int count, ...)
    {
        va_list ap;
        int j;
        double sum = 0;

        va_start(ap, count);            /* Last fixed param gives the address where the variadic args begin */
        for (j = 0; j < count; j++) {
            sum += va_arg(ap, double);  /* Read one double and advance ap to the next arg */
        }
        va_end(ap);
        return sum / count;
    }
Format Strings

Convert basic data types to output strings.
Percent (%) symbols in the string indicate substitutions:
  %[flags][width][.precision][length][type]
Example format strings and resulting output:
  printf("%010d", 2009)    0000002009
  printf("%4.2f", )        3.14
Example functions:
  printf(), fprintf(), sprintf(), etc.
  scanf(), fscanf(), etc.
  syslog()
Format String Types

  Type   Meaning                                                      Passed as
  %d     Integer as a signed decimal number.                          Value
  %u     Unsigned integer as a decimal number.                        Value
  %f     Double in fixed-point notation.                              Value
  %x     Unsigned integer as a hexadecimal number.                    Value
  %s     Null-terminated string.                                      Reference
  %n     Write the number of characters successfully written so far   Reference
         into the integer pointed to by an int * argument.
printf() information leaks

User-specified format strings:
    userstring = "foo %x";
    printf(userstring);
Where can printf() find an argument to replace %x?
  The stack: each %x reads the next 4 bytes higher in the stack.
  That could be another local variable from this function or from a previously called one.
Solution: printf("%s", userstring) or fputs(userstring, stdout)
printf() buffer overflows

Overflow example:
    char buf[256];
    sprintf(buf, "The data is %s\n", userstr);
C90 solution (bound the %s expansion with a precision):
    sprintf(buf, "The data is %.32s\n", userstr);
C99 solution (bound the whole output with snprintf()):
    snprintf(buf, 255, "The data is %s\n", userstr);
%n format command

The number of characters written so far is stored into the integer pointed to by the int * argument.
    char buf[] = " ";   /* the slide's 10-character literal was collapsed to one space by extraction */
    int n;
    printf("buf=%s%n\n", buf, &n);
    printf("n=%d\n", n);
Output:
    buf=
    n=14
%n format attack

Plan of attack: use %n to write anywhere in memory.
  1. Find the address of the variable to overwrite.
  2. Place the address of the variable on the stack (as part of the format string) so %n will write to that address.
  3. Write a number of characters equal to the value to insert into the variable (use precision, e.g., %.64x).
  4. Use %n to write anywhere in memory: the address on the stack can point to any location.
Securing Formatted Output

Exclude user input from format strings.
Limit the length of formatted output with length specifiers or by using snprintf().
Compiler checks: gcc provides the -Wformat-security option, which warns about potential formatted-output security issues.
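As an added example (not code from the slides), here are the fixes recommended above in runnable C: user data kept out of the format string, the %s expansion bounded with a precision and snprintf(), and %n given a valid int pointer. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides. Function names are illustrative.
 * It puts the deck's three fixes into runnable form: keep user data out of
 * the format string, bound %s with a precision and snprintf(), and pass %n
 * a valid int pointer. */

/* Hardened form of printf(userstring): user data is an argument, so a
 * "%x" inside it is printed literally instead of reading the stack. */
void log_safe(const char *userstring)
{
    printf("%s\n", userstring);
}

/* Hardened form of sprintf(buf, "The data is %s\n", userstr): the
 * precision caps the user string at 32 bytes and snprintf() caps the
 * whole message at bufsz. Returns snprintf()'s count of characters the
 * full message needed, so a return value >= bufsz means truncation. */
int format_data_safe(char *buf, size_t bufsz, const char *userstr)
{
    return snprintf(buf, bufsz, "The data is %.32s\n", userstr);
}

/* %n written through &n (a valid int *), mirroring the slide's
 * "buf=%s%n" example; returns the count so it can be checked. */
int chars_before_n(const char *s)
{
    int n = 0;
    char out[128];
    snprintf(out, sizeof out, "buf=%s%n", s, &n);
    return n;
}

int main(void)
{
    char buf[64];
    char longinput[100];                       /* constructed input: 99 'A's */
    memset(longinput, 'A', sizeof longinput - 1);
    longinput[sizeof longinput - 1] = '\0';

    log_safe("foo %x");                        /* prints: foo %x */
    int need = format_data_safe(buf, sizeof buf, longinput);
    printf("%s", buf);                         /* 32 A's, no overflow */
    printf("needed=%d truncated=%d\n", need, need >= (int)sizeof buf);
    printf("n=%d\n", chars_before_n("0123456789"));   /* n=14 */
    return 0;
}
```

Compile with gcc -Wformat-security to see the warning that the original printf(userstring) pattern triggers; none of the calls above trigger it.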