type of software vulnerability
Uncontrolled format string is a type of code injection vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a … Wikipedia
🌐
Wikipedia
en.wikipedia.org › wiki › Uncontrolled_format_string
Uncontrolled format string - Wikipedia
December 21, 2025 - Uncontrolled format string is a type of code injection vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user ...
Top answer
1 of 6
98

You may be able to exploit a format string vulnerability in many ways, directly or indirectly. Let's use the following as an example (assuming no relevant OS protections, which is very rare anyways):

int main(int argc, char **argv)
{
    char text[1024];
    static int some_value = -72;

    strcpy(text, argv[1]); /* ignore the buffer overflow here */

    printf("This is how you print correctly:\n");
    printf("%s", text);
    printf("This is how not to print:\n");
    printf(text);

    printf("some_value @ 0x%08x = %d [0x%08x]", &some_value, some_value, some_value);
    return(0);
}

The basis of this vulnerability is the behaviour of functions with variable arguments. A function which implements handling of a variable number of parameters has to read them from the stack, essentially. If we specify a format string that will make printf() expect two integers on the stack, and we provide only one parameter, the second one will have to be something else on the stack. By extension, and if we have control over the format string, we can have the two most fundamental primitives:


Reading from arbitrary memory addresses

[EDIT] IMPORTANT: I'm making some assumptions about the stack frame layout here. You can ignore them if you understand the basic premise behind the vulnerability, and they vary across OS, platform, program and configuration anyways.

It's possible to use the %s format parameter to read data. You can read the data of the original format string in printf(text), hence you can use it to read anything off the stack:

./vulnerable AAAA%08x.%08x.%08x.%08x
This is how you print correctly:
AAAA%08x.%08x.%08x.%08x
This is how not to print:
AAAA.XXXXXXXX.XXXXXXXX.XXXXXXXX.41414141
some_value @ 0x08049794 = -72 [0xffffffb8]

Writing to arbitrary memory addresses

You can use the %n format specifier to write to an arbitrary address (almost). Again, let's assume our vulnerable program above, and let's try changing the value of some_value, which is located at 0x08049794, as seen above:

./vulnerable $(printf "\x94\x97\x04\x08")%08x.%08x.%08x.%n
This is how you print correctly:
??%08x.%08x.%08x.%n
This is how not to print:
??XXXXXXXX.XXXXXXXX.XXXXXXXX.
some_value @ 0x08049794 = 31 [0x0000001f]

We've overwritten some_value with the number of bytes written before the %n specifier was encountered (man printf). We can use the format string itself, or field width to control this value:

./vulnerable $(printf "\x94\x97\x04\x08")%x%x%x%n
This is how you print correctly:
??%x%x%x%n
This is how not to print:
??XXXXXXXXXXXXXXXXXXXXXXXX
some_value @ 0x08049794 = 21 [0x00000015]

There are many possibilities and tricks to try (direct parameter access, large field width making wrap-around possible, building your own primitives), and this just touches the tip of the iceberg. I would suggest reading more articles on fmt string vulnerabilities (Phrack has some mostly excellent ones, although they may be a little advanced) or a book which touches on the subject.


Disclaimer: the examples are taken [although not verbatim] from the book Hacking: The art of exploitation (2nd ed) by Jon Erickson.

2 of 6
21

It is interesting that no-one has mentioned the n$ notation supported by POSIX. If you can control the format string as the attacker, you can use notations such as:

"%200$p"

to read the 200th item on the stack (if there is one). The intention is that you should list all the n$ numbers from 1 to the maximum, and it provides a way of resequencing how the parameters appear in a format string, which is handy when dealing with I18N (L10N, G11N, M18N*).

However, some (probably most) systems are somewhat lackadaisical about how they validate the n$ values and this can lead to abuse by attackers who can control the format string. Combined with the %n format specifier, this can lead to writing at pointer locations.


* The acronyms I18N, L10N, G11N and M18N are for internationalization, localization, globalization, and multinationalization respectively. The number represents the number of omitted letters.

Discussions

Confused about format string vulnerability explanation
Could you provide an excerpt so people can look at it? More on reddit.com
🌐 r/netsecstudents
7
12
January 13, 2022
Be Careful with Python's New-Style String Format
I think the problem is not the new-style string format, every input or output must be sanitized if you want keep it safe. If somebody has access to execute a script you already are vulnerable. It's one more thing to escape :/ This CTF questions show how to access python base class easily https://hexplo.it/escaping-the-csawctf-python-sandbox/ More on reddit.com
🌐 r/Python
32
87
December 29, 2016
Format string vulnerability

Someone more enlightened than me can correct me if I'm wrong, but I guess that's because when you use %x you're printing the address to the string, not the string itself.

More on reddit.com
🌐 r/oscp
6
2
August 23, 2022
Format string vulnerability - setting to hex 1
%n writes the number of bytes already output, so A%n will write a value of 1 to the address in the next argument. More on reddit.com
🌐 r/LiveOverflow
7
6
November 29, 2021
🌐
Medium
medium.com › @n80fr1n60 › format-string-vulnerabilities-explained-from-the-bottom-up-for-32-bit-linux-part-1-3a1c4ca0dff
Format String Vulnerabilities -Explained From the Bottom Up for 32-bit Linux (part 1) | by n80fr1n60 | Medium
August 15, 2021 - Up until 2019 this kind of ... be considered resurrected . The Format string vulnerability is a bug predominantly found in the printf() family of functions ....
🌐
USF
myweb.usf.edu › ~kevindennis › wcsc › format.pdf pdf
Format String Vulnerabilities
visibility: format strings are rated as “easy to find” while buffer overflows are “sometimes very · difficult to spot”. This is my guess why StackGuard isn’t widely deployed: with the introduction of · the ‘-Wformat’ warning in GCC, printf vulnerabilities/bugs are incredibly easy to solve.
🌐
OWASP Foundation
owasp.org › www-community › attacks › Format_string_attack
Format string attack | OWASP Foundation
For example, if the printf function is used to print the username inserted in some fields of the page, the website could be vulnerable to this kind of attack, as showed below: ... Following are some examples of Format Functions, which if not treated, can expose the application to the Format String ...
🌐
Wikidata
wikidata.org › wiki › Q1133472
format string attack - Wikidata
type of software vulnerability · uncontrolled format string edit · subclass of · vulnerability · 0 references · described by source · Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd edition · chapter · 4 · section · 4.4.2 ·
🌐
Mahaloz
ctf-wiki.mahaloz.re › pwn › linux › fmtstr › fmtstr_intro
Format String Vulnerability Principle - CTF Wiki EN
In the beginning, we will give a basic introduction to formatting strings, and here are some more detailed content. We said above that the format string function is parsed according to the format string function. Then the corresponding number of parameters to be parsed is naturally controlled by this format string.
Find elsewhere
🌐
CTF Handbook
ctf101.org › binary-exploitation › what-is-a-format-string-vulnerability
Format String Vulnerability - CTF Handbook
A format string vulnerability is a bug where user input is passed as the format argument to printf, scanf, or another function in that family.
🌐
Buffer Overflows
bufferoverflows.net › home › format string vulnerability: what, when and how?
Format String Vulnerability: What, When and How? | Buffer Overflows
May 9, 2019 - if the printf function doesn’t have a format string and the variable controlled by the user is passed to the function directly, it leads to a format string vulnerability.
🌐
Medium
medium.com › @danielorihuelarodriguez › format-string-vulnerability-439acbe81ddf
Format string vulnerability. What’s a format string vulnerability? | by DanielOrihuela | Medium
November 5, 2024 - A format string vulnerability is a type of bug that can happen when we process user input with format strings. For example, C has several functions that allow it to do that. One of them is printf (e.g. printf("I am %i years old", 999);).
🌐
Wallarm
wallarm.com › what › format-string-vulnerability
✋Format String Vulnerability - Types, Examples, Prevention
June 26, 2025 - ... C accepts several types of arguments to print an output. It becomes vulnerable when a user-controlled program receives an intentional or unintentional input, breaking the code.
🌐
Hacking Lab
hackinglab.cz › en › blog › format-string-vulnerability
Format String Vulnerability - Hacking Lab
October 21, 2024 - Since the late 1990s, the vulnerability of format strings has been known to the public and is still used to this day. When exploited, an attacker can modify memory and even execute custom code in addition to reading memory. This article discusses ...
🌐
DEV Community
dev.to › duracellrabbid › journey-to-understand-format-string-attack-part-1-5dda
Journey to understand format string attack (Part 1) - DEV Community
October 4, 2024 - Basically, the vulnerability happens when you forgot to put arguments for the format specifiers when using printf, snprintf, etc. Without the arguments, these functions will just be reading off the stack like nobody's business.
🌐
Wikipedia
en.wikipedia.org › wiki › Przemysław_Frasunek
Przemysław Frasunek - Wikipedia
July 23, 2025 - He has been a frequent Bugtraq poster since late in the 1990s, noted for one of the first published successful software exploits for the format string bug class of attacks, just after the first exploit of the person using nickname tf8. Until that time the vulnerability was thought harmless.
🌐
Stanford
cs155.stanford.edu › papers › formatstring-1.2.pdf pdf
Exploiting Format String Vulnerabilities scut / team teso September 1, 2001
September 1, 2001 - Type 1 (as in Linux rpc.statd, IRIX telnetd). Here the vulnerability lies · in the second parameter to the syslog function. The format string is partly
🌐
Bi0s
wiki.bi0s.in › pwning › format-string › fmt
Format String Vulnerability
The format string vulnerability is seen in the incorrect use of printf() function in C.
🌐
Security Boulevard
securityboulevard.com › home › security bloggers network › format string vulnerabilities: use and definitions
Format String Vulnerabilities: Use and Definitions - Security Boulevard
September 30, 2020 - Next, we will understand what kind of mistakes cause format string vulnerabilities by exploring some examples and finally we will discuss various risks that Format String vulnerabilities bring with them.
🌐
GeeksforGeeks
geeksforgeeks.org › c language › format-string-vulnerability-and-prevention-with-example
Format String Vulnerability and Prevention with Example - GeeksforGeeks
March 7, 2024 - There are several format strings that specify output in C and many other programming languages but our focus is on C. Format string vulnerabilities are a class of bug that take advantage of an easily avoidable programmer error.
🌐
Syracuse University
surface.syr.edu › cgi › viewcontent.cgi pdf
Buffer Overflow and Format String Overflow Vulnerabilities
The four techniques below, by [33, 40], show how to exploit format string overflow vulnerability. ... Copyright c⃝2002 John Wiley & Sons, Ltd. Softw. Pract. Exper. 2002; 00:1–7 ... K. LHEE AND S. J. CHAPIN ... Figure 28. Activation record of printf(“format %s%d”, s, i) that has three parameters: the format