FACTOID # 115: American planes take-off a staggering 8.5 million times per year - almost half the number of take-offs worldwide.
 
 Home   Encyclopedia   Statistics   Countries A-Z   Flags   Maps   Education   Forum   FAQ   About 
 
WHAT'S NEW
RECENT ARTICLES
More Recent Articles »
 

FACTS & STATISTICS    Simple view

  1. Select countries to view: (hold down Control key and click to select several)

     

     

    Compare:

     

     
  1. Select fact or statistic: (* = graphable)

     

     

     

  2. (OPTIONAL) Compare to statistic: (both need to be graphable)

     

     

     

  3. View result as:

     

       
(OR) SEARCH ALL encyclopedia, stats & forums:   

Encyclopedia > Format string attacks

Format string attacks are a new class of vulnerabilities discovered in June of 2000 previously thought harmless. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write back the number of bytes formatted to the same argument to printf(), assuming that the corresponding argument exists, and is of type int * .


This is a common vulnerability due to the fact that format bugs were previously thought harmless and resulted in vulnerabilites in many common tools. MITRE's CVE project (http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string) list roughly 150 vulnerable programs.


Format string bugs most commonly appear when a programmer wishes to print a string containing user supplied data. The programmer may mistakenly write printf(buffer) instead of printf("%s", buffer). The first version interprets buffer as a format string, and parses any formatting instructions it may contain. The second version simply prints a string to the screen, as the programmer intended.


Format bugs arise because C's argument passing conventions are type-unsafe. In particular, the varargs mechanism allows functions to accept any number of arguments (e.g. printf) by "popping" as many arguments off the call stack as they wish, trusting the early arguments to indicate how many additional arguments are to be popped, and of what types.


See also

  • fprintf
  • sprintf
  • snprintf
  • syslog

References

  • Tobias Klein: Buffer Overflows und Format-String-Schwachstellen, Dpunkt Verlag, ISBN 3-89864-192-9

External links

  • Exploiting Format String Vulnerabilities (http://teso.scene.at/articles/formatstring/)
  • Excellent Paper on Exploiting Format String Bugs (http://www.securityfocus.com/archive/1/70552)
  • Analysis of Format Strings Bugs (http://www.securityfocus.com/data/library/format-bug-analysis.pdf)
  • Hacker Emergency Response Team - Exploiting Format Strings (http://www.hert.org/papers/format.html)

  Results from FactBites:
 
Foundations: What Are Buffer Overflows? Security Basics | WatchGuard Technologies, Inc. (1743 words)
That is the essence of a buffer overflow attack.
Formatting means to take some data and prepare it for display or printing, but the formatting instructions are so flexible that some attackers have found ways of using formatting to write to memory.
Format string attacks usually add a single address in memory that points to another address in memory where the attacker has added new instructions to execute.
  More results at FactBites »


 

COMMENTARY     


Share your thoughts, questions and commentary here
Your name
Your comments
Please enter the 5-letter protection code

Want to know more?
Search encyclopedia, statistics and forums:
 


Lesson Plans | Student Area | Student FAQ | Reviews | Press Releases |  Feeds | Contact
The Wikipedia article included on this page is licensed under the GFDL.
Images may be subject to relevant owners' copyright.
All other elements are (c) copyright NationMaster.com 2003-5. All Rights Reserved.
Usage implies agreement with terms.