type of software vulnerability
Uncontrolled format string is a type of code injection vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a … Wikipedia
🌐
Wikipedia
en.wikipedia.org › wiki › Uncontrolled_format_string
Uncontrolled format string - Wikipedia
December 21, 2025 - Uncontrolled format string is a type of code injection vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user ...
Top answer
1 of 6
98

You may be able to exploit a format string vulnerability in many ways, directly or indirectly. Let's use the following as an example (assuming no relevant OS protections, which is very rare anyways):

int main(int argc, char **argv)
{
    char text[1024];
    static int some_value = -72;

    strcpy(text, argv[1]); /* ignore the buffer overflow here */

    printf("This is how you print correctly:\n");
    printf("%s", text);
    printf("This is how not to print:\n");
    printf(text);

    printf("some_value @ 0x%08x = %d [0x%08x]", &some_value, some_value, some_value);
    return(0);
}

The basis of this vulnerability is the behaviour of functions with variable arguments. A function which implements handling of a variable number of parameters has to read them from the stack, essentially. If we specify a format string that will make printf() expect two integers on the stack, and we provide only one parameter, the second one will have to be something else on the stack. By extension, and if we have control over the format string, we can have the two most fundamental primitives:


Reading from arbitrary memory addresses

[EDIT] IMPORTANT: I'm making some assumptions about the stack frame layout here. You can ignore them if you understand the basic premise behind the vulnerability, and they vary across OS, platform, program and configuration anyways.

It's possible to use the %s format parameter to read data. You can read the data of the original format string in printf(text), hence you can use it to read anything off the stack:

./vulnerable AAAA%08x.%08x.%08x.%08x
This is how you print correctly:
AAAA%08x.%08x.%08x.%08x
This is how not to print:
AAAA.XXXXXXXX.XXXXXXXX.XXXXXXXX.41414141
some_value @ 0x08049794 = -72 [0xffffffb8]

Writing to arbitrary memory addresses

You can use the %n format specifier to write to an arbitrary address (almost). Again, let's assume our vulnerable program above, and let's try changing the value of some_value, which is located at 0x08049794, as seen above:

./vulnerable $(printf "\x94\x97\x04\x08")%08x.%08x.%08x.%n
This is how you print correctly:
??%08x.%08x.%08x.%n
This is how not to print:
??XXXXXXXX.XXXXXXXX.XXXXXXXX.
some_value @ 0x08049794 = 31 [0x0000001f]

We've overwritten some_value with the number of bytes written before the %n specifier was encountered (man printf). We can use the format string itself, or field width to control this value:

./vulnerable $(printf "\x94\x97\x04\x08")%x%x%x%n
This is how you print correctly:
??%x%x%x%n
This is how not to print:
??XXXXXXXXXXXXXXXXXXXXXXXX
some_value @ 0x08049794 = 21 [0x00000015]

There are many possibilities and tricks to try (direct parameter access, large field width making wrap-around possible, building your own primitives), and this just touches the tip of the iceberg. I would suggest reading more articles on fmt string vulnerabilities (Phrack has some mostly excellent ones, although they may be a little advanced) or a book which touches on the subject.


Disclaimer: the examples are taken [although not verbatim] from the book Hacking: The art of exploitation (2nd ed) by Jon Erickson.

2 of 6
21

It is interesting that no-one has mentioned the n$ notation supported by POSIX. If you can control the format string as the attacker, you can use notations such as:

"%200$p"

to read the 200th item on the stack (if there is one). The intention is that you should list all the n$ numbers from 1 to the maximum, and it provides a way of resequencing how the parameters appear in a format string, which is handy when dealing with I18N (L10N, G11N, M18N*).

However, some (probably most) systems are somewhat lackadaisical about how they validate the n$ values and this can lead to abuse by attackers who can control the format string. Combined with the %n format specifier, this can lead to writing at pointer locations.


* The acronyms I18N, L10N, G11N and M18N are for internationalization, localization, globalization, and multinationalization respectively. The number represents the number of omitted letters.

Discussions

Confused about format string vulnerability explanation
Could you provide an excerpt so people can look at it? More on reddit.com
🌐 r/netsecstudents
7
12
January 13, 2022
Be Careful with Python's New-Style String Format
I think the problem is not the new-style string format, every input or output must be sanitized if you want keep it safe. If somebody has access to execute a script you already are vulnerable. It's one more thing to escape :/ This CTF questions show how to access python base class easily https://hexplo.it/escaping-the-csawctf-python-sandbox/ More on reddit.com
🌐 r/Python
32
87
December 29, 2016
Format string vulnerability

Someone more enlightened than me can correct me if I'm wrong, but I guess that's because when you use %x you're printing the address to the string, not the string itself.

More on reddit.com
🌐 r/oscp
6
2
August 23, 2022
Format string vulnerability - setting to hex 1
%n writes the number of bytes already output, so A%n will write a value of 1 to the address in the next argument. More on reddit.com
🌐 r/LiveOverflow
7
6
November 29, 2021
🌐
Medium
medium.com › @n80fr1n60 › format-string-vulnerabilities-explained-from-the-bottom-up-for-32-bit-linux-part-1-3a1c4ca0dff
Format String Vulnerabilities -Explained From the Bottom Up for 32-bit Linux (part 1) | by n80fr1n60 | Medium
August 15, 2021 - Up until 2019 this kind of ... be considered resurrected . The Format string vulnerability is a bug predominantly found in the printf() family of functions ....
🌐
OWASP Foundation
owasp.org › www-community › attacks › Format_string_attack
Format string attack | OWASP Foundation
The first line is printed from the non-vulnerable version of printf, and the second line from the vulnerable line. The values printed after the “Hello World” text, are the values on the stack of my computer at the moment of running this example. Also reading and writing to any memory location is possible in some conditions, and even code execution. For more information, please see the Exploiting Format String Vulnerabilities article from 2001.
🌐
CTF Handbook
ctf101.org › binary-exploitation › what-is-a-format-string-vulnerability
Format String Vulnerability - CTF Handbook
A format string vulnerability is a bug where user input is passed as the format argument to printf, scanf, or another function in that family.
🌐
Wikidata
wikidata.org › wiki › Q1133472
format string attack - Wikidata
type of software vulnerability · uncontrolled format string edit · subclass of · vulnerability · 0 references · described by source · Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd edition · chapter · 4 · section · 4.4.2 ·
🌐
USF
myweb.usf.edu › ~kevindennis › wcsc › format.pdf pdf
Format String Vulnerabilities
field, the ​parameter field​, that is available in POSIX’s implementation of gcc. The wikipedia page · for the printf format string is very helpful, and includes a good description of this field.
Find elsewhere
🌐
Mahaloz
ctf-wiki.mahaloz.re › pwn › linux › fmtstr › fmtstr_intro
Format String Vulnerability Principle - CTF Wiki EN
For example, '%s' indicates that we will output a string argument. Let’s continue with the above example as an example. ... For such an example, before entering the printf function (that is, printf has not been called yet), the layout on the stack from high address to low address is as follows · some value 3.14 123456 addr of "red" addr of format string: Color %s...
🌐
Hacking Lab
hackinglab.cz › en › blog › format-string-vulnerability
Format String Vulnerability - Hacking Lab
October 21, 2024 - When exploited, an attacker can modify memory and even execute custom code in addition to reading memory. This article discusses the principle and possibilities of exploiting format string vulnerabilities, particularly in the C and C++ languages.
🌐
Medium
medium.com › @danielorihuelarodriguez › format-string-vulnerability-439acbe81ddf
Format string vulnerability. What’s a format string vulnerability? | by DanielOrihuela | Medium
November 5, 2024 - A format string vulnerability is a type of bug that can happen when we process user input with format strings. For example, C has several functions that allow it to do that. One of them is printf (e.g. printf("I am %i years old", 999);).
🌐
Buffer Overflows
bufferoverflows.net › home › format string vulnerability: what, when and how?
Format String Vulnerability: What, When and How? | Buffer Overflows
May 9, 2019 - if the printf function doesn’t have a format string and the variable controlled by the user is passed to the function directly, it leads to a format string vulnerability.
🌐
DEV Community
dev.to › duracellrabbid › journey-to-understand-format-string-attack-part-1-5dda
Journey to understand format string attack (Part 1) - DEV Community
October 4, 2024 - Basically, the vulnerability happens when you forgot to put arguments for the format specifiers when using printf, snprintf, etc. Without the arguments, these functions will just be reading off the stack like nobody's business.
🌐
Wallarm
wallarm.com › what › format-string-vulnerability
✋Format String Vulnerability - Types, Examples, Prevention
June 26, 2025 - ... C accepts several types of arguments to print an output. It becomes vulnerable when a user-controlled program receives an intentional or unintentional input, breaking the code.
🌐
Wikipedia
en.wikipedia.org › wiki › Przemysław_Frasunek
Przemysław Frasunek - Wikipedia
July 23, 2025 - He has been a frequent Bugtraq poster since late in the 1990s, noted for one of the first published successful software exploits for the format string bug class of attacks, just after the first exploit of the person using nickname tf8. Until that time the vulnerability was thought harmless.
🌐
Bi0s
wiki.bi0s.in › pwning › format-string › fmt
Format String Vulnerability
The format string vulnerability is seen in the incorrect use of printf() function in C.
🌐
Stanford
cs155.stanford.edu › papers › formatstring-1.2.pdf pdf
Exploiting Format String Vulnerabilities scut / team teso September 1, 2001
September 1, 2001 - Type 1 (as in Linux rpc.statd, IRIX telnetd). Here the vulnerability lies · in the second parameter to the syslog function. The format string is partly
🌐
Security Boulevard
securityboulevard.com › home › security bloggers network › format string vulnerabilities: use and definitions
Format String Vulnerabilities: Use and Definitions - Security Boulevard
September 30, 2020 - In the previous article, we understood how print functions like printf work. This article provides further definition of Format String vulnerabilities. We will begin by discussing how Format Strings can be used in an unusual way, which is a starting point to understanding Format String exploits.
🌐
GeeksforGeeks
geeksforgeeks.org › c language › format-string-vulnerability-and-prevention-with-example
Format String Vulnerability and Prevention with Example - GeeksforGeeks
March 7, 2024 - There are several format strings that specify output in C and many other programming languages but our focus is on C. Format string vulnerabilities are a class of bug that take advantage of an easily avoidable programmer error.