๐ŸŒ
OWASP Foundation
owasp.org โ€บ www-community โ€บ attacks โ€บ Format_string_attack
Format string attack | OWASP Foundation
To discover whether the application is vulnerable to this type of attack, itโ€™s necessary to verify if the format function accepts and parses the format string parameters shown in table 2.
๐ŸŒ
IEEE Xplore
ieeexplore.ieee.org โ€บ document โ€บ 4413006
Automated Format String Attack Prevention for Win32/X86 Binaries | IEEE Conference Publication | IEEE Xplore
Lisbon casts the format string attack prevention problem as an input argument list bound checking problem. To reduce the run-time checking overhead, Lisbon exploits the debug register hardware, which is available in most mainstream CPUs including ...
Discussions

Protection from Format String Vulnerability - Stack Overflow
What exactly is a "Format String Vulnerability" in a Windows System, how does it work, and how can I protect against it? More on stackoverflow.com
๐ŸŒ stackoverflow.com
c - How can a Format-String vulnerability be exploited? - Stack Overflow
I was reading about vulnerabilities in code and came across this Format-String Vulnerability. Wikipedia says: Format string bugs most commonly appear when a programmer wishes to print a string More on stackoverflow.com
๐ŸŒ stackoverflow.com
How exactly do format string vulnerabilities works [C]?
The idea is that you are advancing printf's stack pointer internally towards a memory location with our payload. Internally printf has a stack of arguments that are passed into. Using %x you can advance down the stack until you get to the right location in memory (looks like it's 0x988 in this case). Once you put the stack pointer at that location you use %n to write some data into memory. This is basically where we launch our attack and try to take over, the next instruction becomes our payload after printf and exploit() starts running at that point. The first link below has a good explanation of how the stack pointer is advanced towards the payload and the second goes a little more in-depth on how the attack works at the assembly/memory level. http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf http://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html The short story is you're abusing the fact that memory is contiguous as far as your app is concerned to predict where important variables are in memory and then further abusing how printf works to force it to write over it's own stack. You can fire up GDB and use the j, x, set and disas commands (among others) to take a peek at the assembly of a running program and mess around with it if you're so inclined. More on reddit.com
๐ŸŒ r/learnprogramming
6
1
June 14, 2017
Format string attack

As you found, %x will pop bytes off the call stack. %08x will print 4 bytes and you can enter multiples of these to walk up the stack.

You now have addresses on the stack and you can print the contents of that memory with %s.

By chance have you tried %n? It should cause a write.

Check this paper for more info https://cs155.stanford.edu/papers/formatstring-1.2.pdf

More on reddit.com
๐ŸŒ r/HowToHack
1
7
January 30, 2022
๐ŸŒ
GeeksforGeeks
geeksforgeeks.org โ€บ c language โ€บ format-string-vulnerability-and-prevention-with-example
Format String Vulnerability and Prevention with Example - GeeksforGeeks
March 7, 2024 - There are several format strings that specify output in C and many other programming languages but our focus is on C. Format string vulnerabilities are a class of bug that take advantage of an easily avoidable programmer error. If the programmer passes an attacker-controlled buffer as an argument to a printf (or any of the related functions, including sprintf, fprintf, etc), the attacker can perform writes to arbitrary memory addresses.
๐ŸŒ
University of Washington
homes.cs.washington.edu โ€บ ~djg โ€บ papers โ€บ format_string.pdf pdf
Preventing Format-String Attacks via Automatic and Ef๏ฌcient Dynamic Checking
In both sections, we compare our results with Format- Guard [6]. FormatGuard is similar to our approach in that ยท it combines compile-time source transformations with run- time checks (see Section 5.1 for more details). It has proven ยท e๏ฌ€ective at preventing many format-string vulnerabilities.
๐ŸŒ
Wallarm
wallarm.com โ€บ what โ€บ format-string-vulnerability
โœ‹Format String Vulnerability - Types, Examples, Prevention
June 26, 2025 - Never ignoring compiler warning is also a great format string attack prevention technique to try on. During the development, compilers notify the developers of the presence of vulnerable functions.
๐ŸŒ
CTF Handbook
ctf101.org โ€บ binary-exploitation โ€บ what-is-a-format-string-vulnerability
Format String Vulnerability - CTF Handbook
For example, if we can make the format argument "%x.%x.%x.%x", printf will pop off four stack values and print them in hexadecimal, potentially leaking sensitive information. printf can also index to an arbitrary "argument" with the following syntax: "%n$x" (where n is the decimal index of the argument you want). While these bugs are powerful, they're very rare nowadays, as all modern compilers warn when printf is called with a non-constant string.
๐ŸŒ
Startupdefense
startupdefense.io โ€บ cyberattacks โ€บ format-string-attack
Format String Attack: Risks, Prevention, and Security
โ€ข OWASP Juice Shop โ€“ This intentionally vulnerable application allows you to explore numerous vulnerabilities, including format string attacks, in a controlled setting. By diving into these resources, you'll become well-equipped to tackle and prevent format string attacks.
Find elsewhere
๐ŸŒ
Infosec Institute
infosecinstitute.com โ€บ resources โ€บ secure-coding โ€บ how-to-mitigate-format-string-vulnerabilities
How to mitigate Format String Vulnerabilities | Infosec
Writing secure code is the best way to prevent Format String vulnerabilities since the root cause of Format String vulnerabilities is insecure coding. When programs are written in languages that are susceptible to Format String vulnerabilities, developers must be aware of risky functions and ...
๐ŸŒ
Hacking Lab
hackinglab.cz โ€บ en โ€บ blog โ€บ format-string-vulnerability
Format String Vulnerability - Hacking Lab
October 21, 2024 - When writing new programs, it is therefore necessary to be careful to use format strings correctly, ideally leaving them static, and if this is not possible, to check carefully for user input.
Top answer
1 of 2
4

A format string attack, at its simplest, is this:

char buffer[128];
gets(buffer);
printf(buffer);

There's a buffer overflow vulnerability in there as well, but the point is this: you're passing untrusted data (from the user) to printf (or one of its cousins) that uses that argument as a format string.

That is: if the user types in "%s", you've got an information-disclosure vulnerability, because printf will treat the user input as a format string, and will attempt to print the next thing on the stack as a string. It's as if your code said printf("%s");. Since you didn't pass any other arguments to printf, it'll display something arbitrary.

If the user types in "%n", you've got a potential elevation of privilege attack (at least a denial of service attack), because the %n format string causes printf to write the number of characters printed so far to the next location on the stack. Since you didn't give it a place to put this value, it'll write to somewhere arbitrary.

This is all bad, and is one reason why you should be extremely careful when using printf and cousins.

What you should do is this:

printf("%s", buffer);

This means that the user's input is never treated as a format string, so you're safe from that particular attack vector.

In Visual C++, you can use the __Format_string annotation to tell it to validate the arguments to printf. %n is disallowed by default. In GCC, you can use __attribute__(__printf__) for the same thing.

2 of 2
2

In this pseudo code the user enters some characters to be printed, like "hello"

string s=getUserInput();
write(s)

That works as intended. But since the write can format strings, for example

int i=getUnits();
write("%02d units",i);

outputs: "03 units". What about if the user in the first place wrote "%02d"... since there is no parameters on the stack, something else will be fetched. What that is, and if that is a problem or not depends on the program.

An easy fix is to tell the program to output a string:

write("%s",s);

or use another method that don't try to format the string:

output(s);

a link to wikipedia with more info.

๐ŸŒ
Springer
link.springer.com โ€บ home โ€บ information security โ€บ conference paper
Transparent Run-Time Prevention of Format-String Attacks Via Dynamic Taint and Flexible Validation | Springer Nature Link
By leveraging library interposition and ELF binary analysis, we taint all the untrusted user-supplied data as well as their propagations during program execution, and add a security validation layer to the printf-family functions in C Standard Library in order to enforce a flexible policy to detect the format string attack on the basis of whether the format string has been tainted and contains dangerous format specifiers.
๐ŸŒ
Medium
medium.com โ€บ @jhjaksimsam2 โ€บ what-is-format-string-attack-how-to-prevent-this-attack-59b480ce9989
What is Format String attack? How to prevent this attack. | by JDK | Medium
June 21, 2019 - These format string store the number of bytes printed by printf() to int type pointer. %n store as 4bytes and %hn store as 2bytes. So if we give proper values in front of%n/%hn, %n%hn would consider that value as address and store the number of bytes printed at the corresponding address on the memory. There are several prevention methods that we can use:
๐ŸŒ
ResearchGate
researchgate.net โ€บ publication โ€บ 266404516_Coalesce_Model_to_Prevent_Format_String_Attacks
(PDF) Coalesce Model to Prevent Format String Attacks
May 5, 2011 - We propose preventing format-string attacks with a combination of static dataflow analysis and dynamic white-lists of safe address ranges.
๐ŸŒ
Comparitech
comparitech.com โ€บ home โ€บ blog โ€บ information security โ€บ format string attacks
What are format string attacks? (+ how to prevent them)
September 28, 2023 - This is known as a stack-smashing attack and, based on the application under attack and its execution environment, could lead to a root compromise of the OS itself. Preventing format string attacks means preventing format string vulnerabilities, which implies keeping certain things in mind while coding your C application.
๐ŸŒ
ResearchGate
researchgate.net โ€บ publication โ€บ 315615213_Automated_Format_String_Attack_Prevention_for_Win32X86_Binaries
Automated Format String Attack Prevention for Win32/X86 Binaries | Request PDF
December 1, 2007 - We propose preventing format-string attacks with a combination of static dataflow analysis and dynamic white-lists of safe address ranges.
๐ŸŒ
Beagle Security
beaglesecurity.com โ€บ blog โ€บ vulnerability โ€บ format-string-vulnerability.html
Format String Vulnerability
October 20, 2023 - Example: ... Validate and sanitize user input before it is used as a format string or any other part of a command. Ensure that user-provided data does not contain format specifiers (โ€œ%sโ€, โ€œ%nโ€, etc.). Run your software with the least ...
๐ŸŒ
Security Boulevard
securityboulevard.com โ€บ home โ€บ security bloggers network โ€บ how to mitigate format string vulnerabilities
How to mitigate Format String Vulnerabilities - Security Boulevard
September 29, 2020 - Writing secure code is the best way to prevent Format String vulnerabilities since the root cause of Format String vulnerabilities is insecure coding. When programs are written in languages that are susceptible to Format String vulnerabilities, ...
Top answer
1 of 6
98

You may be able to exploit a format string vulnerability in many ways, directly or indirectly. Let's use the following as an example (assuming no relevant OS protections, which is very rare anyways):

int main(int argc, char **argv)
{
    char text[1024];
    static int some_value = -72;

    strcpy(text, argv[1]); /* ignore the buffer overflow here */

    printf("This is how you print correctly:\n");
    printf("%s", text);
    printf("This is how not to print:\n");
    printf(text);

    printf("some_value @ 0x%08x = %d [0x%08x]", &some_value, some_value, some_value);
    return(0);
}

The basis of this vulnerability is the behaviour of functions with variable arguments. A function which implements handling of a variable number of parameters has to read them from the stack, essentially. If we specify a format string that will make printf() expect two integers on the stack, and we provide only one parameter, the second one will have to be something else on the stack. By extension, and if we have control over the format string, we can have the two most fundamental primitives:


Reading from arbitrary memory addresses

[EDIT] IMPORTANT: I'm making some assumptions about the stack frame layout here. You can ignore them if you understand the basic premise behind the vulnerability, and they vary across OS, platform, program and configuration anyways.

It's possible to use the %s format parameter to read data. You can read the data of the original format string in printf(text), hence you can use it to read anything off the stack:

./vulnerable AAAA%08x.%08x.%08x.%08x
This is how you print correctly:
AAAA%08x.%08x.%08x.%08x
This is how not to print:
AAAA.XXXXXXXX.XXXXXXXX.XXXXXXXX.41414141
some_value @ 0x08049794 = -72 [0xffffffb8]

Writing to arbitrary memory addresses

You can use the %n format specifier to write to an arbitrary address (almost). Again, let's assume our vulnerable program above, and let's try changing the value of some_value, which is located at 0x08049794, as seen above:

./vulnerable $(printf "\x94\x97\x04\x08")%08x.%08x.%08x.%n
This is how you print correctly:
??%08x.%08x.%08x.%n
This is how not to print:
??XXXXXXXX.XXXXXXXX.XXXXXXXX.
some_value @ 0x08049794 = 31 [0x0000001f]

We've overwritten some_value with the number of bytes written before the %n specifier was encountered (man printf). We can use the format string itself, or field width to control this value:

./vulnerable $(printf "\x94\x97\x04\x08")%x%x%x%n
This is how you print correctly:
??%x%x%x%n
This is how not to print:
??XXXXXXXXXXXXXXXXXXXXXXXX
some_value @ 0x08049794 = 21 [0x00000015]

There are many possibilities and tricks to try (direct parameter access, large field width making wrap-around possible, building your own primitives), and this just touches the tip of the iceberg. I would suggest reading more articles on fmt string vulnerabilities (Phrack has some mostly excellent ones, although they may be a little advanced) or a book which touches on the subject.


Disclaimer: the examples are taken [although not verbatim] from the book Hacking: The art of exploitation (2nd ed) by Jon Erickson.

2 of 6
21

It is interesting that no-one has mentioned the n$ notation supported by POSIX. If you can control the format string as the attacker, you can use notations such as:

"%200$p"

to read the 200th item on the stack (if there is one). The intention is that you should list all the n$ numbers from 1 to the maximum, and it provides a way of resequencing how the parameters appear in a format string, which is handy when dealing with I18N (L10N, G11N, M18N*).

However, some (probably most) systems are somewhat lackadaisical about how they validate the n$ values and this can lead to abuse by attackers who can control the format string. Combined with the %n format specifier, this can lead to writing at pointer locations.


* The acronyms I18N, L10N, G11N and M18N are for internationalization, localization, globalization, and multinationalization respectively. The number represents the number of omitted letters.

๐ŸŒ
Vickieli
vickieli.dev โ€บ binary exploitation โ€บ format-string-vulnerabilities
Format String Vulnerabilities - Vickie Liโ€™s Security Blog
August 9, 2020 - While modern countermeasures to binary exploits like address randomization help make exploiting format string vulnerabilities harder, the surefire way to prevent these vulnerabilities from happening is to implement format functions properly.