A format string attack, at its simplest, is this:

char buffer[128];
gets(buffer);
printf(buffer);

There's a buffer overflow vulnerability in there as well, but the point is this: you're passing untrusted data (from the user) to printf (or one of its cousins) that uses that argument as a format string.

That is: if the user types in "%s", you've got an information-disclosure vulnerability, because printf will treat the user input as a format string, and will attempt to print the next thing on the stack as a string. It's as if your code said printf("%s");. Since you didn't pass any other arguments to printf, it'll display something arbitrary.

If the user types in "%n", you've got a potential elevation of privilege attack (at least a denial of service attack), because the %n format string causes printf to write the number of characters printed so far to the next location on the stack. Since you didn't give it a place to put this value, it'll write to somewhere arbitrary.

This is all bad, and is one reason why you should be extremely careful when using printf and cousins.

What you should do is this:

printf("%s", buffer);

This means that the user's input is never treated as a format string, so you're safe from that particular attack vector.

In Visual C++, you can use the __Format_string annotation to tell it to validate the arguments to printf. %n is disallowed by default. In GCC, you can use __attribute__(__printf__) for the same thing.

Answer from Roger Lipscombe on Stack Overflow
🌐
Beagle Security
beaglesecurity.com › blog › vulnerability › format-string-vulnerability.html
Format String Vulnerability
October 20, 2023 - To mitigate format string vulnerabilities, developers should validate and sanitize user input, use safer alternatives like snprintf instead of vulnerable functions like printf, and implement strong input validation and access controls in their code.
🌐
Infosec Institute
infosecinstitute.com › resources › secure-coding › how-to-mitigate-format-string-vulnerabilities
How to mitigate Format String Vulnerabilities | Infosec
Writing secure code is the best way to prevent Format String vulnerabilities since the root cause of Format String vulnerabilities is insecure coding. When programs are written in languages that are susceptible to Format String vulnerabilities, developers must be aware of risky functions and ...
Discussions

Protection from Format String Vulnerability - Stack Overflow
What exactly is a "Format String Vulnerability" in a Windows System, how does it work, and how can I protect against it? ... Well, knowing how to attack helps in knowing how to defend/avoid the vulnerability. More on stackoverflow.com
🌐 stackoverflow.com
c++ - Is `std::format` vulnerable to format string attack? How to mitigate it? - Stack Overflow
I would like to refactor C style code using printf, fprintf, etc... to C++. Is std::format vulnerable to format string attack, as the aforementioned C functions? If I search for format string attac... More on stackoverflow.com
🌐 stackoverflow.com
How exactly do format string vulnerabilities works [C]?
The idea is that you are advancing printf's stack pointer internally towards a memory location with our payload. Internally printf has a stack of arguments that are passed into. Using %x you can advance down the stack until you get to the right location in memory (looks like it's 0x988 in this case). Once you put the stack pointer at that location you use %n to write some data into memory. This is basically where we launch our attack and try to take over, the next instruction becomes our payload after printf and exploit() starts running at that point. The first link below has a good explanation of how the stack pointer is advanced towards the payload and the second goes a little more in-depth on how the attack works at the assembly/memory level. http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf http://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html The short story is you're abusing the fact that memory is contiguous as far as your app is concerned to predict where important variables are in memory and then further abusing how printf works to force it to write over it's own stack. You can fire up GDB and use the j, x, set and disas commands (among others) to take a peek at the assembly of a running program and mess around with it if you're so inclined. More on reddit.com
🌐 r/learnprogramming
6
1
June 14, 2017
Format string attack

As you found, %x will pop bytes off the call stack. %08x will print 4 bytes and you can enter multiples of these to walk up the stack.

You now have addresses on the stack and you can print the contents of that memory with %s.

By chance have you tried %n? It should cause a write.

Check this paper for more info https://cs155.stanford.edu/papers/formatstring-1.2.pdf

More on reddit.com
🌐 r/HowToHack
1
7
January 30, 2022
🌐
Wallarm
wallarm.com › what › format-string-vulnerability
✋Format String Vulnerability - Types, Examples, Prevention
June 26, 2025 - Dynamic addresses are not easy to manipulate. Hence, the odds of string-related attacks are low. Never ignoring compiler warning is also a great format string attack prevention technique to try on.
🌐
Medium
medium.com › @jhjaksimsam2 › what-is-format-string-attack-how-to-prevent-this-attack-59b480ce9989
What is Format String attack? How to prevent this attack. | by JDK | Medium
June 21, 2019 - Steadily to the patch system. The kernel development and security settings are more about SetUID and complement these vulnerabilities · Normal use of the printf function like below does not cause any problems. ... A format string attack vulnerability that should not be used in response to a format string attack is as follows:
Top answer
1 of 2
4

A format string attack, at its simplest, is this:

char buffer[128];
gets(buffer);
printf(buffer);

There's a buffer overflow vulnerability in there as well, but the point is this: you're passing untrusted data (from the user) to printf (or one of its cousins) that uses that argument as a format string.

That is: if the user types in "%s", you've got an information-disclosure vulnerability, because printf will treat the user input as a format string, and will attempt to print the next thing on the stack as a string. It's as if your code said printf("%s");. Since you didn't pass any other arguments to printf, it'll display something arbitrary.

If the user types in "%n", you've got a potential elevation of privilege attack (at least a denial of service attack), because the %n format string causes printf to write the number of characters printed so far to the next location on the stack. Since you didn't give it a place to put this value, it'll write to somewhere arbitrary.

This is all bad, and is one reason why you should be extremely careful when using printf and cousins.

What you should do is this:

printf("%s", buffer);

This means that the user's input is never treated as a format string, so you're safe from that particular attack vector.

In Visual C++, you can use the __Format_string annotation to tell it to validate the arguments to printf. %n is disallowed by default. In GCC, you can use __attribute__(__printf__) for the same thing.

2 of 2
2

In this pseudo code the user enters some characters to be printed, like "hello"

string s=getUserInput();
write(s)

That works as intended. But since the write can format strings, for example

int i=getUnits();
write("%02d units",i);

outputs: "03 units". What about if the user in the first place wrote "%02d"... since there is no parameters on the stack, something else will be fetched. What that is, and if that is a problem or not depends on the program.

An easy fix is to tell the program to output a string:

write("%s",s);

or use another method that don't try to format the string:

output(s);

a link to wikipedia with more info.

🌐
University of Washington
homes.cs.washington.edu › ~djg › papers › format_string.pdf pdf
Preventing Format-String Attacks via Automatic and Efficient Dynamic Checking
In this test, the format string contains two format ... Section 4.2 presents our run-time performance overhead. In both sections, we compare our results with Format- Guard [6]. FormatGuard is similar to our approach in that · it combines compile-time source transformations with run- time checks (see Section 5.1 for more details). It has proven · effective at preventing many format-string vulnerabilities.
🌐
GeeksforGeeks
geeksforgeeks.org › c language › format-string-vulnerability-and-prevention-with-example
Format String Vulnerability and Prevention with Example - GeeksforGeeks
March 7, 2024 - There are several format strings ... but our focus is on C. Format string vulnerabilities are a class of bug that take advantage of an easily avoidable programmer error. If the programmer passes an attacker-controlled buffer as an argument to a printf (or any of the related ...
Find elsewhere
🌐
Invicti
invicti.com › web-application-vulnerabilities › uncontrolled-format-string
Uncontrolled format string - Web Application Vulnerabilities | Invicti
// Instead of sprintf with user ... sizeof(buffer), user_input); // Windows strlcpy(buffer, user_input, sizeof(buffer)); // BSD/macOS 4. Enable compiler warnings and protections: Use compiler flags like -Wformat -Wformat-security (GCC/Clang) to detect format string issues at compile ...
🌐
Comparitech
comparitech.com › home › blog › information security › format string attacks
What are format string attacks? (+ how to prevent them)
September 28, 2023 - So that was an overview of format string vulnerabilities and attacks. The attacks can be nasty, but thankfully, they’re not that hard to prevent.
🌐
Springer
link.springer.com › home › information security › conference paper
Transparent Run-Time Prevention of Format-String Attacks Via Dynamic Taint and Flexible Validation | Springer Nature Link
By leveraging library interposition and ELF binary analysis, we taint all the untrusted user-supplied data as well as their propagations during program execution, and add a security validation layer to the printf-family functions in C Standard Library in order to enforce a flexible policy to detect the format string attack on the basis of whether the format string has been tainted and contains dangerous format specifiers.
🌐
Security Boulevard
securityboulevard.com › home › security bloggers network › how to mitigate format string vulnerabilities
How to mitigate Format String Vulnerabilities - Security Boulevard
September 29, 2020 - Writing secure code is the best way to prevent Format String vulnerabilities since the root cause of Format String vulnerabilities is insecure coding. When programs are written in languages that are susceptible to Format String vulnerabilities, ...
🌐
Twingate
twingate.com › home › blog › what is a format string attack? how it works & examples
What is a Format String Attack? How It Works & Examples | Twingate
August 7, 2024 - Protecting against format string attacks requires a multi-faceted approach. Here are some key strategies: Validate Input: Always validate and sanitize user inputs to ensure they do not contain malicious format specifiers.
🌐
Startupdefense
startupdefense.io › cyberattacks › format-string-attack
Format String Attack: Risks, Prevention, and Security
Understand Format String Attack: key risks, attack patterns, detection ideas, and prevention steps for stronger cybersecurity defense.
🌐
OWASP Foundation
owasp.org › www-community › attacks › Format_string_attack
Format string attack | OWASP Foundation
In this case, if a Format String parameter, like %x, is inserted into the posted data, the string is parsed by the Format Function, and the conversion specified in the parameters is executed. However, the Format Function is expecting more arguments as input, and if these arguments are not supplied, the function could read or write the stack. In this way, it is possible to define a well-crafted input that could change the behavior of the format function, permitting the attacker to cause denial of service or to execute arbitrary commands.
🌐
Springer
link.springer.com › home › computational intelligence and security › conference paper
Protection Against Format String Attacks by Binary Rewriting | SpringerLink
We propose a binary rewriting system called Kimchi that modifies binary programs to protect them from format string attacks in runtime. Kimchi replaces the machine code calling conventional printf with code calling a safer version of printf, safe_printf, that prevents its format string from accessing arguments exceeding the stack frame of the parent function.
🌐
ReasonLabs
cyberpedia.reasonlabs.com › EN › format string attack.html
What is Format String Attack? The Dangers of String Formatting Vulnerabilities
One way to minimize the risk of a format string attack is to make sure that all program components handle format strings and other user inputs with caution. This means that user input should not find its way into the program's output without first undergoing thorough sanitization.
🌐
Guardrails
docs.guardrails.io › vulnerability classes › processing of data › format string
Format String | GuardRails
Denial of service: An attacker can use a format string vulnerability to cause the program to crash or enter an infinite loop, resulting in a denial of service (DoS) attack. To prevent format string vulnerabilities, developers can implement several strategies, including:
🌐
IEEE Xplore
ieeexplore.ieee.org › document › 4413006
Automated Format String Attack Prevention for Win32/X86 Binaries | IEEE Conference Publication | IEEE Xplore
Lisbon casts the format string attack prevention problem as an input argument list bound checking problem. To reduce the run-time checking overhead, Lisbon exploits the debug register hardware, which is available in most mainstream CPUs including Intel's X86 architecture, to detect if a callee ...