Format string attack
Format string attacks are a new class of vulnerabilities discovered in June of 2000 by Przemysław Frasunek and tf8, previously thought to be harmless. The first exploit which used the new technique allowed an attacker to gain remote root privileges on wu-ftpd 2.6.0. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as
printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands
printf() and similar functions to write back the number of bytes formatted to an argument of type int *. By manipulating the stack by using spurious format tokens, this argument can be faked as part of the format string.
This is a common vulnerability due to the fact that format bugs were previously thought harmless and resulted in vulnerabilites in many common tools. MITRE's CVE project list roughly 150 vulnerable programs.
Format string bugs most commonly appear when a programmer wishes to print a string containing user supplied data. The programmer may mistakenly write
printf(buffer) instead of
printf("%s", buffer). The first version interprets
buffer as a format string, and parses any formatting instructions it may contain. The second version simply prints a string to the screen, as the programmer intended.
Format bugs arise because C's argument passing conventions are type-unsafe. In particular, the
varargs mechanism allows functions to accept any number of arguments (e.g.
printf) by "popping" as many arguments off the call stack as they wish, trusting the early arguments to indicate how many additional arguments are to be popped, and of what types.