Formatting string attacks

Source: Internet
Author: User

what is a formatted string attack?

Format string attack

Https://www.owasp.org/index.php/Format_string_attack

First the attack takes place in the function involved in formatting the string (for example, printf), followed by the user input string after it is committed as a formatted string parameter.

Attackers can execute code, read stack space, write stack space, cause a segment error (segment fault), or cause other threats to computer security and stability of new behavior.

Example Child

The correct example, where "Bob%%x%%x" is the legal input.

#include <stdio.h>#include<string.h>#include<stdio.h>#include<stdlib.h>#include<string.h>#definesnprintf _snprintfintMain (intargcChar**argv) {    CharBUF [ -]; intx =1; //snprintf (buf, sizeof buf, "Bob%x%x");// Badsnprintf (BUF,sizeofBuf"Bob%%x%%x") ;//GoodBUF [sizeofBUF-1] =0; printf ("buf =%s\n", BUF); printf ("Buffer size is: (%d) \ndata input:%s \ n", strlen (BUF), buf); printf ("X equals:%d/in hex:% #x \nmemory address for X: (%p) \ n", x, X, &x); return 0 ;}

Output

------Split Line------

The evil example of entering "Bob%x%x" is illegal and will cause the snprintf function to continue reading the stack data

#include <stdio.h>#include<string.h>#include<stdio.h>#include<stdlib.h>#include<string.h>#definesnprintf _snprintfintMain (intargcChar**argv) {    CharBUF [ -]; intx =1; snprintf (BUF,sizeofBuf"Bob%x %x") ;// Bad//snprintf (buf, sizeof buf, "Bob%%x%%x");//GoodBUF [sizeofBUF-1] =0; printf ("buf =%s\n", BUF); printf ("Buffer size is: (%d) \ndata input:%s \ n", strlen (BUF), buf); printf ("X equals:%d/in hex:% #x \nmemory address for X: (%p) \ n", x, X, &x); return 0 ;}

Output:

anti-formatting string attack

1, for the client submitted, the format of the string filter, the% Delete, destroy the format of the string form. The disadvantage is to change the client's commit data integrity. However, this data can be guaranteed, regardless of whether the output is in a format function or a non-formatter function.

2, for the client submitted over, the format of the string to escape, to all the% character, preceded by a%, you can maintain the data integrity of the client submission. But for this type of input, in the non-formatted function, there will be more%.

as
Parameters Output Passed
%% % character (literal) Reference
%p External representation of a pointer to void Reference
%d Decimal Value
%c Character
%u Unsigned Decimal Value
%x Hexadecimal Value
%s String Reference
%n Writes the number of characters into a pointer Reference

3, prevention means, for the format of the function of the string, in the encoding, need 100% note Do not use the client input string as a formatted string, more strict wording, only the constant string as a formatted string, the format will be required to write dead in the program!!

Appendix formatting strings involved in functions

Fprint Writes the printf to a file
Printf Output a formatted string
sprintf Prints into a string
snprintf Prints into a string checking the length
vfprintf Prints the A VA_ARG structure to a file
vprintf Prints the VA_ARG structure to stdout
vsprintf Prints the va_arg to a string
vsnprintf Prints the va_arg to a string checking the length

Formatting string attacks

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.