Formatting string attacks

what is a formatted string attack?

Format string attack

Https://www.owasp.org/index.php/Format_string_attack

First the attack takes place in the function involved in formatting the string (for example, printf), followed by the user input string after it is committed as a formatted string parameter.

Attackers can execute code, read stack space, write stack space, cause a segment error (segment fault), or cause other threats to computer security and stability of new behavior.

Example Child

The correct example, where "Bob%%x%%x" is the legal input.

#include <stdio.h>#include<string.h>#include<stdio.h>#include<stdlib.h>#include<string.h>#definesnprintf _snprintfintMain (intargcChar**argv) {    CharBUF [ -]; intx =1; //snprintf (buf, sizeof buf, "Bob%x%x");// Badsnprintf (BUF,sizeofBuf"Bob%%x%%x") ;//GoodBUF [sizeofBUF-1] =0; printf ("buf =%s\n", BUF); printf ("Buffer size is: (%d) \ndata input:%s \ n", strlen (BUF), buf); printf ("X equals:%d/in hex:% #x \nmemory address for X: (%p) \ n", x, X, &x); return 0 ;}

Output

------Split Line------

The evil example of entering "Bob%x%x" is illegal and will cause the snprintf function to continue reading the stack data

#include <stdio.h>#include<string.h>#include<stdio.h>#include<stdlib.h>#include<string.h>#definesnprintf _snprintfintMain (intargcChar**argv) {    CharBUF [ -]; intx =1; snprintf (BUF,sizeofBuf"Bob%x %x") ;// Bad//snprintf (buf, sizeof buf, "Bob%%x%%x");//GoodBUF [sizeofBUF-1] =0; printf ("buf =%s\n", BUF); printf ("Buffer size is: (%d) \ndata input:%s \ n", strlen (BUF), buf); printf ("X equals:%d/in hex:% #x \nmemory address for X: (%p) \ n", x, X, &x); return 0 ;}

Output:

anti-formatting string attack

1, for the client submitted, the format of the string filter, the% Delete, destroy the format of the string form. The disadvantage is to change the client's commit data integrity. However, this data can be guaranteed, regardless of whether the output is in a format function or a non-formatter function.

2, for the client submitted over, the format of the string to escape, to all the% character, preceded by a%, you can maintain the data integrity of the client submission. But for this type of input, in the non-formatted function, there will be more%.

as

Parameters	Output	Passed
%%	% character (literal)	Reference
%p	External representation of a pointer to void	Reference
%d	Decimal	Value
%c	Character
%u	Unsigned Decimal	Value
%x	Hexadecimal	Value
%s	String	Reference
%n	Writes the number of characters into a pointer	Reference

3, prevention means, for the format of the function of the string, in the encoding, need 100% note Do not use the client input string as a formatted string, more strict wording, only the constant string as a formatted string, the format will be required to write dead in the program!!

Appendix formatting strings involved in functions

Fprint	Writes the printf to a file
Printf	Output a formatted string
sprintf	Prints into a string
snprintf	Prints into a string checking the length
vfprintf	Prints the A VA_ARG structure to a file
vprintf	Prints the VA_ARG structure to stdout
vsprintf	Prints the va_arg to a string
vsnprintf	Prints the va_arg to a string checking the length

Formatting string attacks