🌐
GeeksforGeeks
geeksforgeeks.org › c language › format-string-vulnerability-and-prevention-with-example
Format String Vulnerability and Prevention with Example - GeeksforGeeks
March 7, 2024 - There are several format strings that specify output in C and many other programming languages but our focus is on C. Format string vulnerabilities are a class of bug that take advantage of an easily avoidable programmer error.
🌐
Medium
medium.com › @jhjaksimsam2 › test-how-to-practice-format-string-attack-in-your-linux-f76abb16d910
How to practice Format String Attack in your Linux | by JDK | Medium
June 21, 2019 - How to practice Format String Attack in your Linux You can execute root privilege commands in user mode in Linux. For that, we would use the concept of Format String Attack. If you’ve ever …
Discussions

c - How can a Format-String vulnerability be exploited? - Stack Overflow
I was reading about vulnerabilities in code and came across this Format-String Vulnerability. Wikipedia says: Format string bugs most commonly appear when a programmer wishes to print a string More on stackoverflow.com
🌐 stackoverflow.com
How exactly do format string vulnerabilities works [C]?
The idea is that you are advancing printf's stack pointer internally towards a memory location with our payload. Internally printf has a stack of arguments that are passed into. Using %x you can advance down the stack until you get to the right location in memory (looks like it's 0x988 in this case). Once you put the stack pointer at that location you use %n to write some data into memory. This is basically where we launch our attack and try to take over, the next instruction becomes our payload after printf and exploit() starts running at that point. The first link below has a good explanation of how the stack pointer is advanced towards the payload and the second goes a little more in-depth on how the attack works at the assembly/memory level. http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf http://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html The short story is you're abusing the fact that memory is contiguous as far as your app is concerned to predict where important variables are in memory and then further abusing how printf works to force it to write over it's own stack. You can fire up GDB and use the j, x, set and disas commands (among others) to take a peek at the assembly of a running program and mess around with it if you're so inclined. More on reddit.com
🌐 r/learnprogramming
6
1
June 14, 2017
Format string attack

As you found, %x will pop bytes off the call stack. %08x will print 4 bytes and you can enter multiples of these to walk up the stack.

You now have addresses on the stack and you can print the contents of that memory with %s.

By chance have you tried %n? It should cause a write.

Check this paper for more info https://cs155.stanford.edu/papers/formatstring-1.2.pdf

More on reddit.com
🌐 r/HowToHack
1
7
January 30, 2022
Confused about format string vulnerability explanation
Could you provide an excerpt so people can look at it? More on reddit.com
🌐 r/netsecstudents
7
12
January 13, 2022
🌐
GeeksforGeeks
geeksforgeeks.org › vulnerability-in-str-format-in-python
Vulnerability in str.format() in Python | GeeksforGeeks
January 6, 2025 - This means a user can manipulate the input to access sensitive data, like the CONFIG dictionary. This creates a security risk because attackers could retrieve information they should not have access to.
🌐
OWASP Foundation
owasp.org › www-community › attacks › Format_string_attack
Format string attack | OWASP Foundation
The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, ...
🌐
CTF Handbook
ctf101.org › binary-exploitation › what-is-a-format-string-vulnerability
Format String Vulnerability - CTF Handbook
A format string vulnerability is a bug where user input is passed as the format argument to printf, scanf, or another function in that family. The format argument has many different specifiers which could allow an attacker to leak data if they control the format argument to printf.
🌐
DEV Community
dev.to › duracellrabbid › journey-to-understand-format-string-attack-part-1-5dda
Journey to understand format string attack (Part 1) - DEV Community
October 4, 2024 - Basically, the vulnerability happens when you forgot to put arguments for the format specifiers when using printf, snprintf, etc. Without the arguments, these functions will just be reading off the stack like nobody's business.
🌐
Medium
medium.com › @jhjaksimsam2 › what-is-format-string-attack-how-to-prevent-this-attack-59b480ce9989
What is Format String attack? How to prevent this attack. | by JDK | Medium
June 21, 2019 - Format String Attack generates an error when a developer accidentally write a printf() code without a variable, And hacker can use this error to steal the root.
Find elsewhere
🌐
Invicti
invicti.com › blog › web-security › format-string-vulnerabilities
What Are Format String Vulnerabilities?
By crafting format strings that contain a specific number of bytes, attackers can read memory from arbitrary addresses. This is already a critical buffer overread vulnerability that can be used to extract information and prepare other attacks ...
🌐
Twingate
twingate.com › home › blog › what is a format string attack? how it works & examples
What is a Format String Attack? How It Works & Examples | Twingate
August 7, 2024 - Attackers craft input that includes these format specifiers, which the vulnerable application then processes. For instance, if a program executes printf(user_input) without validation, an attacker can input a string like %x %x %x to read memory contents...
🌐
Medium
medium.com › @danielorihuelarodriguez › format-string-vulnerability-439acbe81ddf
Format string vulnerability. What’s a format string vulnerability? | by DanielOrihuela | Medium
November 5, 2024 - A format string vulnerability is a type of bug that can happen when we process user input with format strings. For example, C has several functions that allow it to do that. One of them is printf (e.g. printf("I am %i years old", 999);). An ...
🌐
GitHub
github.com › OWASP › www-community › blob › master › pages › attacks › Format_string_attack.md
www-community/pages/attacks/Format_string_attack.md at master · OWASP/www-community
The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, ...
Author   OWASP
🌐
Stanford
cs155.stanford.edu › papers › formatstring-1.2.pdf pdf
Exploiting Format String Vulnerabilities scut / team teso September 1, 2001
September 1, 2001 - In the examples below, the string user is supplied by the attacker — he · can control the entire ASCIIZ-string, for example through using a command · line parameter. 2.2 · The format function family · 5 · Wrong usage: int · func (char *user) { printf (user); } Ok: int ·
Top answer
1 of 6
98

You may be able to exploit a format string vulnerability in many ways, directly or indirectly. Let's use the following as an example (assuming no relevant OS protections, which is very rare anyways):

int main(int argc, char **argv)
{
    char text[1024];
    static int some_value = -72;

    strcpy(text, argv[1]); /* ignore the buffer overflow here */

    printf("This is how you print correctly:\n");
    printf("%s", text);
    printf("This is how not to print:\n");
    printf(text);

    printf("some_value @ 0x%08x = %d [0x%08x]", &some_value, some_value, some_value);
    return(0);
}

The basis of this vulnerability is the behaviour of functions with variable arguments. A function which implements handling of a variable number of parameters has to read them from the stack, essentially. If we specify a format string that will make printf() expect two integers on the stack, and we provide only one parameter, the second one will have to be something else on the stack. By extension, and if we have control over the format string, we can have the two most fundamental primitives:


Reading from arbitrary memory addresses

[EDIT] IMPORTANT: I'm making some assumptions about the stack frame layout here. You can ignore them if you understand the basic premise behind the vulnerability, and they vary across OS, platform, program and configuration anyways.

It's possible to use the %s format parameter to read data. You can read the data of the original format string in printf(text), hence you can use it to read anything off the stack:

./vulnerable AAAA%08x.%08x.%08x.%08x
This is how you print correctly:
AAAA%08x.%08x.%08x.%08x
This is how not to print:
AAAA.XXXXXXXX.XXXXXXXX.XXXXXXXX.41414141
some_value @ 0x08049794 = -72 [0xffffffb8]

Writing to arbitrary memory addresses

You can use the %n format specifier to write to an arbitrary address (almost). Again, let's assume our vulnerable program above, and let's try changing the value of some_value, which is located at 0x08049794, as seen above:

./vulnerable $(printf "\x94\x97\x04\x08")%08x.%08x.%08x.%n
This is how you print correctly:
??%08x.%08x.%08x.%n
This is how not to print:
??XXXXXXXX.XXXXXXXX.XXXXXXXX.
some_value @ 0x08049794 = 31 [0x0000001f]

We've overwritten some_value with the number of bytes written before the %n specifier was encountered (man printf). We can use the format string itself, or field width to control this value:

./vulnerable $(printf "\x94\x97\x04\x08")%x%x%x%n
This is how you print correctly:
??%x%x%x%n
This is how not to print:
??XXXXXXXXXXXXXXXXXXXXXXXX
some_value @ 0x08049794 = 21 [0x00000015]

There are many possibilities and tricks to try (direct parameter access, large field width making wrap-around possible, building your own primitives), and this just touches the tip of the iceberg. I would suggest reading more articles on fmt string vulnerabilities (Phrack has some mostly excellent ones, although they may be a little advanced) or a book which touches on the subject.


Disclaimer: the examples are taken [although not verbatim] from the book Hacking: The art of exploitation (2nd ed) by Jon Erickson.

2 of 6
21

It is interesting that no-one has mentioned the n$ notation supported by POSIX. If you can control the format string as the attacker, you can use notations such as:

"%200$p"

to read the 200th item on the stack (if there is one). The intention is that you should list all the n$ numbers from 1 to the maximum, and it provides a way of resequencing how the parameters appear in a format string, which is handy when dealing with I18N (L10N, G11N, M18N*).

However, some (probably most) systems are somewhat lackadaisical about how they validate the n$ values and this can lead to abuse by attackers who can control the format string. Combined with the %n format specifier, this can lead to writing at pointer locations.


* The acronyms I18N, L10N, G11N and M18N are for internationalization, localization, globalization, and multinationalization respectively. The number represents the number of omitted letters.

🌐
Medium
infosecwriteups.com › exploiting-format-string-vulnerability-97e3d588da1b
EXPLOITING FORMAT STRING VULNERABILITY | by AidenPearce369 | InfoSec Write-ups
January 18, 2024 - A Format String attack can occur when an input string data is processed by a vulnerable function so that attacker can pass the formats to exploit the stack values with the help of format string functions/printf() family functions
🌐
Codearcana
codearcana.com › posts › 2013 › 05 › 02 › introduction-to-format-string-exploits.html
Introduction to format string exploits
May 2, 2013 - Since printf has a variable number of arguments, it must use the format string to determine the number of arguments. In the case above, the attacker can pass the string "%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p" and fool the printf into thinking it has 15 arguments.
🌐
Fengweiz
fengweiz.github.io › 20fa-cs315 › labs › lab3-slides-format-string.pdf pdf
Format-String Vulnerability Instructor: Fengwei Zhang 1 SUSTech
Attack 1 : Crash Program · ●User input: %s%s%s%s%s%s%s%s · ●printf() parses the format string. ●For each %s, it fetches a value where va_list points to · and advances va_list to the next position. ●As we give %s, printf() treats the value as address and ·
🌐
Digipen
faculty.digipen.edu › ~dvolper › copies › tn-usfs.pdf pdf
white paper Format String Attacks Tim Newsham Guardent, Inc. September 2000
Instead, the string is interpreted by the printf function as a format string. It is scanned for · special format characters such as "%d". As formats are encountered, a variable number of argument · values are retrieved from the stack. At the least, it should be obvious that an attacker can peek into