Buffer Overflow

Format String Attacks

Key Takeaway

NEVER use printf directly with user input as the format string. ALWAYS sanitize user inputs to prevent format string attacks and other injection vulnerabilities.

Summary: Format String Attacks

Overview

• Format String Vulnerability:
  • Occurs when user input is used directly as a format string in printf or similar functions.
  • Allows attackers to manipulate the format string, potentially leading to data leaks or code execution.

Example of Vulnerable Code

• Bad Code:

  char *input = readAString();
  printf(input);  // Vulnerable to format string attacks
  
  

  • If the user inputs a string with % signs, printf will attempt to use them as format specifiers, causing unintended behavior.

Consequences of Vulnerable Code

• Information Disclosure:
  • Attackers can use format specifiers like %d or %s to read memory contents.
• Memory Modification:
  • The %n format specifier writes the number of characters printed so far to a specified memory location, allowing attackers to modify memory.

Safe Usage

• Correct Code:

  char *input = readAString();
  printf("%s", input);  // Safe usage
  

  • Always use %s to print user input to avoid interpreting it as a format string.

Example of Correct Usage with Conditional Format

• Safe Conditional Format String:

  const char *fmt = "%d\\\\n";
  if (printInHex) {
    fmt = "%x\\\\n";
  }
  printf(fmt, someNumber);
  

  • Ensures the format string is controlled and not influenced by user input.

Input Sanitization

• Importance:
  • Always sanitize inputs that are used in contexts where special characters have meaning (e.g., command shells, databases).
• Examples:

  • Command Injection:

    // Dangerous: if strFromUser contains backticks, it can execute commands
    char command[256];
    snprintf(command, sizeof(command), "someCommand %s", strFromUser);
    system(command);
    

  • SQL Injection:

    // Vulnerable: user input can terminate the current SQL statement and inject new ones
    char query[256];
    snprintf(query, sizeof(query), "SELECT * from Users WHERE name='%s'", strFromUser);
    executeSQL(query);