What is a format string attack?
Format string attack
Reference: https://www.owasp.org/index.php/Format_string_attack
The attack takes place in a function that formats a string (printf, for example): the user-supplied input is handed to that function as its format string parameter instead of as data.
An attacker can then execute code, read from the stack, write to the stack, cause a segmentation fault, or otherwise undermine the security and stability of the program.
Example
The correct example, in which "Bob%%x%%x" is a legal format string (%% stands for a literal % sign).
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#ifdef _MSC_VER
#define snprintf _snprintf   /* older MSVC spells it _snprintf */
#endif

int main(int argc, char **argv)
{
    char buf[100];   /* the array size is unreadable in the original listing; 100 assumed */
    int x = 1;
    //snprintf(buf, sizeof buf, "Bob%x%x");    // Bad
    snprintf(buf, sizeof buf, "Bob%%x%%x");    // Good: %% is a literal percent sign
    buf[sizeof buf - 1] = 0;
    printf("buf = %s\n", buf);
    printf("Buffer size is: (%d) \ndata input: %s \n", (int)strlen(buf), buf);
    printf("X equals: %d/ in hex: %#x \nmemory address for x: (%p) \n", x, x, (void *)&x);
    return 0;
}
Output:
The evil example: "Bob%x%x" is an illegal format string. Each %x expects an argument that was never supplied, so snprintf keeps reading data off the stack.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#ifdef _MSC_VER
#define snprintf _snprintf   /* older MSVC spells it _snprintf */
#endif

int main(int argc, char **argv)
{
    char buf[100];   /* the array size is unreadable in the original listing; 100 assumed */
    int x = 1;
    snprintf(buf, sizeof buf, "Bob%x%x");      // Bad: %x consumes arguments that do not exist
    //snprintf(buf, sizeof buf, "Bob%%x%%x");  // Good
    buf[sizeof buf - 1] = 0;
    printf("buf = %s\n", buf);
    printf("Buffer size is: (%d) \ndata input: %s \n", (int)strlen(buf), buf);
    printf("X equals: %d/ in hex: %#x \nmemory address for x: (%p) \n", x, x, (void *)&x);
    return 0;
}
Output:
Defending against format string attacks
1. Filter the string submitted by the client: delete every % so the input can no longer act as a format specification. The drawback is that the integrity of the client's data is lost. In return the data is safe no matter whether it is later output through a formatting function or a non-formatting function.
2. Escape the string submitted by the client: prefix every % character with another %, which preserves the integrity of the client's data. But if such input later reaches a non-formatting function, the extra % characters will show up in the output.
Parameter | Output                                         | Passed as
%%        | % character (literal)                          | Reference
%p        | External representation of a pointer to void   | Reference
%d        | Decimal                                        | Value
%c        | Character                                      | Value
%u        | Unsigned decimal                               | Value
%x        | Hexadecimal                                    | Value
%s        | String                                         | Reference
%n        | Writes the number of characters into a pointer | Reference
3. The preventive rule: wherever a function takes a format string, never use client input as that format string. Stricter still, only a constant string may be used as the format string, that is, the format must be hard-coded in the program!
Appendix: functions that take a format string
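The three defenses above, as an added example written for this page rather than code from the original post: strip_percent, escape_percent, format_user_safely and has_bare_percent are hypothetical helper names, and the inputs are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Defense 1: delete every '%' from client data. Safe to print afterwards, but altered. */
size_t strip_percent(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in && n + 1 < outsz; ++in)
        if (*in != '%')
            out[n++] = *in;
    out[n] = '\0';
    return n;                               /* length written */
}

/* Defense 2: escape every '%' as "%%" so the data survives one pass through a
 * formatting function unchanged. Returns the length, or -1 if `out` is too small. */
int escape_percent(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in; ++in) {
        size_t need = (*in == '%') ? 2 : 1;
        if (n + need >= outsz)
            return -1;                      /* keep room for the terminator */
        out[n++] = *in;
        if (*in == '%')
            out[n++] = '%';                 /* "%" -> "%%" */
    }
    out[n] = '\0';
    return (int)n;
}

/* Defense 3 (preferred): the format is a constant written into the program and
 * client data only travels as a %s argument, so "%x%x" stays plain text.
 * Returns the length produced, or -1 if it would not fit in `buf`. */
int format_user_safely(char *buf, size_t bufsz, const char *user)
{
    int rc = snprintf(buf, bufsz, "Bob%s", user);
    return (rc < 0 || (size_t)rc >= bufsz) ? -1 : rc;
}

/* Review check: 1 if `s` still holds a '%' that is not part of a "%%" pair. */
int has_bare_percent(const char *s)
{
    for (; *s; ++s) {
        if (*s != '%') continue;
        if (s[1] == '%') { ++s; continue; } /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}
```

Compile with -Wformat-security to have the compiler flag any remaining call that passes a non-constant format string.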
Function  | Description
fprintf   | Writes the printf output to a file
printf    | Outputs a formatted string
sprintf   | Prints into a string
snprintf  | Prints into a string, checking the length
vfprintf  | Prints a va_arg structure to a file
vprintf   | Prints a va_arg structure to stdout
vsprintf  | Prints a va_arg structure to a string
vsnprintf | Prints a va_arg structure to a string, checking the length