Format string vulnerabilities arise when user-controllable input is passed as the format string parameter to a function that interprets format specifiers, as in the printf family of functions in C. These functions take a variable number of parameters, which may consist of different data types such as numbers and strings. The format string passed to the function contains specifiers, which tell it what kind of data is contained in the variable parameters and in what format each should be rendered.
For example, the following code outputs a message containing the value of the count variable, rendered as a decimal:
printf("The value of count is %d", count);
The most dangerous format specifier is %n. This does not cause any data to be printed. Rather, it causes the number of bytes output so far to be written to the address of the pointer passed in as the associated variable parameter. For example:
int count = 43;
int written = 0;
printf("The value of count is %d%n.\n", count, &written);
printf("%d bytes were printed.\n", written);
outputs the following:
The value of count is 43.
24 bytes were printed.
If the format string contains more specifiers than the number of variable parameters passed, the function has no way of detecting this, so it simply continues processing parameters from the call stack.
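The following program is an added example and is not code from the original text. It puts the two behaviours described above side by side: a helper that counts how many conversion directives an untrusted string would introduce if it were ever used as a format string (treating "%%" as a literal percent sign), a logging wrapper that keeps the format string fixed and passes untrusted text only as a %s argument, and a function that reproduces the %n count from the example above into a buffer so the value can be checked. The function names, the sample inputs and the buffer size are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion directives an untrusted string would contribute if it
 * were used as a format string. "%%" is a literal percent and is not counted.
 * A lone '%' at the end of the string is counted, since it is also undefined
 * behaviour when handed to printf. (Hypothetical helper, not from the page.) */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" renders as a single '%' */
            p++;
            continue;
        }
        n++;                    /* anything else after '%' is a directive */
    }
    return n;
}

/* The vulnerable pattern the text warns about would be:
 *
 *     printf(msg);            // msg is attacker-controlled format string
 *
 * The safe form below never lets untrusted text act as the format: the
 * format is a literal, and msg is consumed only by the %s conversion, so
 * any '%' characters inside msg are printed verbatim. Returns the number of
 * characters written, as printf does. */
int log_safe(const char *msg)
{
    return printf("%s\n", msg);
}

/* Reproduce the %n example from the text into a local buffer instead of
 * stdout. %n stores the number of characters produced so far into the int
 * pointed to by the matching argument; nothing is printed for it. */
int bytes_before_n(void)
{
    char buf[64];
    int written = -1;
    int count = 43;     /* same value as in the text */

    snprintf(buf, sizeof buf, "The value of count is %d%n.\n", count, &written);
    return written;     /* 24: length of "The value of count is 43" */
}

int main(void)
{
    /* Constructed sample inputs; they are strings, never format strings. */
    const char *benign = "progress: 100%% done";
    const char *hostile = "%x %x %x %n";

    printf("directives in benign input:  %d\n", count_format_directives(benign));
    printf("directives in hostile input: %d\n", count_format_directives(hostile));
    log_safe(hostile);   /* prints the text literally, no memory write */
    printf("%%n stored %d\n", bytes_before_n());
    return 0;
}
```

Because log_safe fixes the format string, the hostile input is printed as plain text and the %n directive inside it is never interpreted. count_format_directives is useful as a check on untrusted data that must be rejected or escaped before it can legitimately reach a format-string parameter.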
If an attacker controls all or part of the format string passed to a printf-style function, he can usually exploit this to overwrite critical ...