Format String Bug Introduction
Summary
This document gives an introduction into format string bugs. The Format String Bug occurs when the programmer passes user controlled buffer to the Format Function. Then user input data is evaluated as a command by the application. An exploit can read from the stack and perform arbitrary write on the stack and therefore change the program behavior. This can lead to program crashes (segmentation faults) and security compromise such as reveal of secrets in memory (information disclosure) or execute arbitrary commands.
Requirements
Binaries are tested on platform: Debian 4.9.210-1 (2020-01-20)
git clone https://git.fh-campuswien.ac.at/CampusCyberSecurityTeam/ccst cd ccst/format_string
All here discussed code examples can be found in the example folder. They are compiled in 32 bit architecture x86 using gcc version 6.3.0 (posix).
gcc example -m32 -o example
Exploits for x64 architecture may differ
Description of Format String Vulnerability
The Bold textFormat function in ANSI C conversion function such as `printf`, which converts a variable into a human-readable string representation. The Format String is the argument of the Format Function, it contains an ASCII string with text and Format Parameter, such as:
printf (“Guess solution: %d\n”, 42);
Here 42 is interpreted as a decimal number by the Format Function.
The Format Parameter/Specifier %d,%s,%p,%u,..
defines the type of conversion function.
Format Parameter/Specifier Table
Parameters | Output | Passed as |
---|---|---|
%p | External representation of a pointer to void | Reference |
%d | Decimal | Value |
%c | Character | Value |
%u | Unsigned decimal | Value |
%x | Hexadecimal | Value |
%s | String | Reference |
%n | Writes the number of characters into a pointer | Reference |
In vulnerable code the user input is directly passed to the function printf(userinput)
instead of a Format String including Format Parameter.
Vulnerable Format Functions Table
Format function | Description |
---|---|
fprint | Writes the printf to a file |
printf | Output a formatted string |
sprintf | Prints into a string |
snprintf | Prints into a string checking the length |
vfprintf | Prints the a va_arg structure to a file |
vprintf | Prints the va_arg structure to stdout |
vsprintf | Prints the va_arg to a string |
vsnprintf | Prints the va_arg to a string checking the length |
History
The Format String Bug is publicly known since at least September 1999[1], it has obtained major attention after public release of the exploit code anainst wu-ftpd 2.6.0 in June 2000[2].
Example - Read from the stack
Shows safe and vulnerable usage of Format Function
#include <stdio.h> void main(int argc, char **argv) { // This line is safe printf("%s\n", argv[1]); // This line is vulnerable printf(argv[1]); }
Execute with different arguments:
./example "%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p" ./example "%08x.%08x.%08x.%08x.%08x%08x.%08x.%08x.%08x.%08x" ./example "%s"
The Format Function interprets the passed command line arguments as formatted string with 15 pointer arguments. As a further specification is missing it will print the next 15 pointer from the stack, which means we are able to dump the stack.
What happens exactly?
- Stack with correctly coded Format String
printf(“this is a %s, with a number %d, and address %08x”,a,b,&c);
The stack grows to the lower addresses and is used in a LIFO manner, the arguments are pushed in reverse order on the stack. The Format Function will pop a, b, c variables and convert them into the string which is sent to stdout.
[[File:Safe.png|Cite error: Closing </ref>
missing for <ref>
tag
[3]
[1]
[2]
[4]
[5]
</references>
- ↑ 1.0 1.1 Tymm Twillman,Exploit for proftpd 1.2.0pre6, BugTraq, 20-09-1999, https://seclists.org/bugtraq/1999/Sep/328 [accessed 05-21-2020].
- ↑ 2.0 2.1 tf8, WuFTPD: Providing *remote* root since at least 1994, BugTraq, 22-06-2000, https://seclists.org/bugtraq/2000/Jun/297 [accessed 05-21-2020].
- ↑ Saif El Sherei, Format String Exploitation-Tutorial, https://www.exploit-db.com/docs/english/28476-linux-format-string-exploitation.pdf[accessed 05-21-2020].
- ↑ Michael Howard, David LeBlanc and John Viega, 19 deadly sins of software security programming flaws and how to fix them, Chapter 2, 2005 http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/Unix/EN%20-%20Format%20String%20Problems.pdf, [accessed 05-22-2020].
- ↑ Crispin Cowan , Matt Barringer , Steve Beattie , Greg Kroah-hartman , Mike Frantzen and Jamie Lokier, FormatGuard: Automatic Protection From printf Format String Vulnerabilities, Usenix, 2001 https://www.usenix.org/legacy/events/sec01/full_papers/cowanbarringer/cowanbarringer.pdf [accessed 05-21-2020].