Difference between revisions of "Format String Bug Introduction"
Line 104: | Line 104: | ||
The stack grows to the lower addresses and is used in a LIFO manner, the arguments are pushed in reverse order on the stack. The Format Function will pop a, b, c variables and convert them into the string which is sent to stdout. | The stack grows to the lower addresses and is used in a LIFO manner, the arguments are pushed in reverse order on the stack. The Format Function will pop a, b, c variables and convert them into the string which is sent to stdout. | ||
[[File:Safe.png]] | [[File:Safe.png|<ref name="exptut">]] | ||
* '''Stack with missing variables''' | * '''Stack with missing variables''' | ||
Line 111: | Line 111: | ||
The variables a,b,&c are missing on the stack. | The variables a,b,&c are missing on the stack. | ||
[[File:Vulnstack.png]] | [[File:Vulnstack.png| <ref name="exptut"\>]] | ||
The Format Function pops the next values from the stack even when they have not been declared. | The Format Function pops the next values from the stack even when they have not been declared. | ||
Line 217: | Line 217: | ||
In step 0 foo is initialized with 4 times `\x00` bytes and in the next variable on the stack a canary is stored with 'AAAA' presented by `\x41\x41\x41\x41`. After the execution of the 4 steps bytewise write operation foo contains 10204080 as expected, but 3 bytes of the canary got overwritten `\x00\x00\x00\x41`= 00000041.. Figure 1 illustrates the behavior of the write procedures. | In step 0 foo is initialized with 4 times `\x00` bytes and in the next variable on the stack a canary is stored with 'AAAA' presented by `\x41\x41\x41\x41`. After the execution of the 4 steps bytewise write operation foo contains 10204080 as expected, but 3 bytes of the canary got overwritten `\x00\x00\x00\x41`= 00000041.. Figure 1 illustrates the behavior of the write procedures. | ||
[[File:Write.png|Source:<ref name="expfor"\>]] | |||
Multiple byte writes at once can also be performed, when the written bytes are ordered. | Multiple byte writes at once can also be performed, when the written bytes are ordered. | ||
File: example4 | File: example4 | ||
Line 281: | Line 280: | ||
== References== | == References== | ||
<references> | <references> | ||
<ref name="expfor">scut / team teso, ''Exploiting Format String Vulnerabilities'', version 1.2,09-01-b2001, http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/Unix/EN%20-%20Format%20Bugs%20-%20Exploiting%20format%20string.pdf[accessed 05-21-2020]</ref> | |||
<ref name="exptut">Saif El Sherei, ''Format String Exploitation-Tutorial'', https://www.exploit-db.com/docs/english/28476-linux-format-string-exploitation.pdf[accessed 05-21-2020].</ref> | |||
<ref name="proftpd">Tymm Twillman,''Exploit for proftpd 1.2.0pre6'', BugTraq, 20-09-1999, https://seclists.org/bugtraq/1999/Sep/328 [accessed 05-21-2020].</ref> | <ref name="proftpd">Tymm Twillman,''Exploit for proftpd 1.2.0pre6'', BugTraq, 20-09-1999, https://seclists.org/bugtraq/1999/Sep/328 [accessed 05-21-2020].</ref> | ||
<ref name="wuftpd"> tf8, ''WuFTPD: Providing *remote* root since at least 1994'', BugTraq, 22-06-2000, https://seclists.org/bugtraq/2000/Jun/297 [accessed 05-21-2020].</ref> | <ref name="wuftpd"> tf8, ''WuFTPD: Providing *remote* root since at least 1994'', BugTraq, 22-06-2000, https://seclists.org/bugtraq/2000/Jun/297 [accessed 05-21-2020].</ref> |
Revision as of 12:22, 19 May 2020
Summary
This document gives an introduction into format string bugs. The Format String Bug occurs when the programmer passes user controlled buffer to the Format Function. Then user input data is evaluated as a command by the application. An exploit can read from the stack and perform arbitrary write on the stack and therefore change the program behavior. This can lead to program crashes (segmentation faults) and security compromise such as reveal of secrets in memory (information disclosure) or execute arbitrary commands.
Requirements
Binaries are tested on platform: Debian 4.9.210-1 (2020-01-20)
git clone https://git.fh-campuswien.ac.at/CampusCyberSecurityTeam/ccst cd ccst/format_string
All here discussed code examples can be found in the example folder. They are compiled in 32 bit architecture x86 using gcc version 6.3.0 (posix).
gcc example -m32 -o example
Exploits for x64 architecture may differ
Description of Format String Vulnerability
The Bold textFormat function in ANSI C conversion function such as `printf`, which converts a variable into a human-readable string representation. The Format String is the argument of the Format Function, it contains an ASCII string with text and Format Parameter, such as:
printf (“Guess solution: %d\n”, 42);
Here 42 is interpreted as a decimal number by the Format Function.
The Format Parameter/Specifier %d,%s,%p,%u,..
defines the type of conversion function.
Format Parameter/Specifier Table
Parameters | Output | Passed as |
---|---|---|
%p | External representation of a pointer to void | Reference |
%d | Decimal | Value |
%c | Character | Value |
%u | Unsigned decimal | Value |
%x | Hexadecimal | Value |
%s | String | Reference |
%n | Writes the number of characters into a pointer | Reference |
In vulnerable code the user input is directly passed to the function printf(userinput)
instead of a Format String including Format Parameter.
Vulnerable Format Functions Table
Format function | Description |
---|---|
fprint | Writes the printf to a file |
printf | Output a formatted string |
sprintf | Prints into a string |
snprintf | Prints into a string checking the length |
vfprintf | Prints the a va_arg structure to a file |
vprintf | Prints the va_arg structure to stdout |
vsprintf | Prints the va_arg to a string |
vsnprintf | Prints the va_arg to a string checking the length |
History
The Format String Bug is publicly known since at least September 1999[1], it has obtained major attention after public release of the exploit code anainst wu-ftpd 2.6.0 in June 2000[2].
Example - Read from the stack
Shows safe and vulnerable usage of Format Function
#include <stdio.h> void main(int argc, char **argv) { // This line is safe printf("%s\n", argv[1]); // This line is vulnerable printf(argv[1]); }
Execute with different arguments:
./example "%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p" ./example "%08x.%08x.%08x.%08x.%08x%08x.%08x.%08x.%08x.%08x" ./example "%s"
The Format Function interprets the passed command line arguments as formatted string with 15 pointer arguments. As a further specification is missing it will print the next 15 pointer from the stack, which means we are able to dump the stack.
What happens exactly?
- Stack with correctly coded Format String
printf(“this is a %s, with a number %d, and address %08x”,a,b,&c);
The stack grows to the lower addresses and is used in a LIFO manner, the arguments are pushed in reverse order on the stack. The Format Function will pop a, b, c variables and convert them into the string which is sent to stdout.
[[File:Safe.png|Cite error: Closing </ref>
missing for <ref>
tag
[3]
[1]
[2]
[4]
[5]
</references>
- ↑ 1.0 1.1 Tymm Twillman,Exploit for proftpd 1.2.0pre6, BugTraq, 20-09-1999, https://seclists.org/bugtraq/1999/Sep/328 [accessed 05-21-2020].
- ↑ 2.0 2.1 tf8, WuFTPD: Providing *remote* root since at least 1994, BugTraq, 22-06-2000, https://seclists.org/bugtraq/2000/Jun/297 [accessed 05-21-2020].
- ↑ Saif El Sherei, Format String Exploitation-Tutorial, https://www.exploit-db.com/docs/english/28476-linux-format-string-exploitation.pdf[accessed 05-21-2020].
- ↑ Michael Howard, David LeBlanc and John Viega, 19 deadly sins of software security programming flaws and how to fix them, Chapter 2, 2005 http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/Unix/EN%20-%20Format%20String%20Problems.pdf, [accessed 05-22-2020].
- ↑ Crispin Cowan , Matt Barringer , Steve Beattie , Greg Kroah-hartman , Mike Frantzen and Jamie Lokier, FormatGuard: Automatic Protection From printf Format String Vulnerabilities, Usenix, 2001 https://www.usenix.org/legacy/events/sec01/full_papers/cowanbarringer/cowanbarringer.pdf [accessed 05-21-2020].