CAPEC-135 - Format String Injection

An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the conversion %s prints the contents of the memory location that the corresponding argument points to, treating it as a string, and the conversion %n writes the number of characters output so far into the int that its argument points to. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may crash the program, and writing memory can lead to the execution of arbitrary code if the attacker can write to the program stack (for example, to a saved return address).

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods (1)
    • Injection
  • Purposes (2)
    • Penetration
    • Exploitation
  • Security Principles (2)
    • Reluctance to Trust
    • Defense in Depth
  • Scopes (9)
    • Modify memory (Integrity)
    • Read memory (Confidentiality)
    • Modify files or directories (Integrity)
    • Read files or directories (Confidentiality)
    • Modify application data (Integrity)
    • Read application data (Confidentiality)
    • Gain privileges / assume identity
    • Execute unauthorized code or commands
    • Bypass protection mechanism

Skill level: High. Discovering a format string vulnerability takes only low skill; converting that discovery into a working exploit, however, requires advanced knowledge on the part of the attacker.

The target application must accept strings as user input, fail to sanitize string formatting characters in that input, and process the string using functions that interpret string formatting characters.

No special resources are required beyond the ability to provide string input to the target.

Never Use Input as Part of a Directive to any Internal Component

Use Authorization Mechanisms Correctly

Step 1 - Survey application

The attacker takes an inventory of the entry points of the application.

Technique ID: 1 - Environment(s) env-Web

Spider web sites for all available links

Technique ID: 2 - Environment(s) env-All

List parameters, external variables, configuration files variables, etc. that are possibly used by the application.

Outcome ID: 1

Type: Success

At least one data input to application identified.

Outcome ID: 2

Type: Inconclusive

No inputs to application identified. Note that just because no inputs are identified does not mean that the application will not accept any.



Step 2 - Determine user-controllable input susceptible to format string injection

Determine the user-controllable input susceptible to format string injection. For each user-controllable input that the attacker suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc. The goal is to manipulate the string creation using these formatting characters.

Technique ID: 1 - Environment(s) env-Web

Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters.

Indicator ID: 1 - Environment(s) env-Web env-Peer2Peer env-CommProtocol env-ClientServer

Type: Negative

Attacker receives normal response from server.

Indicator ID: 2 - Environment(s) env-Web env-Peer2Peer env-CommProtocol env-ClientServer

Type: Positive

Attacker receives an abnormal message from the application (for example, a response containing a partial dump of memory or stack contents), which indicates that the format string was successfully manipulated.


Security Control ID: 1

Type: Detective

Search for and report format string injection indicators such as the use of %s, %n, %d, etc. in submitted user input
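The detective control above, as an added example that is not CAPEC's code or any product's: a C scanner that recognises printf-style conversion specifications in submitted input rather than grepping for the literal substrings %s or %n, so positional (%5$n), width-padded (%08x) and length-modified (%hhn) forms are caught as well. The sample submissions are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result of scanning one submitted field for printf-style conversions. */
typedef struct {
    int conversions;  /* %-conversions found ("%%" escapes are not counted) */
    int writes;       /* %n / %hn / %hhn: the memory-write primitive */
    int derefs;       /* %s: the argument slot is dereferenced as a char* */
} fmt_scan_result;

/* Walk the input the way printf's parser would: after a '%', skip an optional
 * positional "n$", flags, width, precision and length modifiers, then look at the
 * conversion character.  A '%' that is not followed by a valid conversion is left
 * alone, and "%%" is the literal percent sign. */
static fmt_scan_result scan_format_indicators(const char *input)
{
    fmt_scan_result r = {0, 0, 0};
    const char *p = input;

    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }                      /* "%%" */

        const char *q = p;                                     /* positional "3$" */
        while (isdigit((unsigned char)*q)) q++;
        if (*q == '$') p = q + 1;

        while (*p && strchr("-+ #0", *p)) p++;                 /* flags */
        while (isdigit((unsigned char)*p) || *p == '*') p++;   /* width */
        if (*p == '.') {                                       /* precision */
            p++;
            while (isdigit((unsigned char)*p) || *p == '*') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;               /* length modifiers */

        if (*p == '\0') break;                                 /* dangling '%' at end */
        if (strchr("diouxXeEfFgGaAcspn", *p)) {
            r.conversions++;
            if (*p == 'n') r.writes++;
            else if (*p == 's') r.derefs++;
            p++;
        }
    }
    return r;
}

/* Constructed sample submissions (not real traffic) as a form handler would see them. */
static const char *SAMPLE_INPUTS[] = {
    "alice",                     /* benign */
    "100%%",                     /* escaped percent: benign */
    "50% off",                   /* natural text, but "% o" is a real conversion printf would act on */
    "%s%s%s%s%s%s",              /* step-2 read probe: each %s dereferences an argument slot */
    "AAAA%08x.%08x.%08x.%hhn",   /* write probe: %hhn aims at a pointer the AAAA prefix supplies */
    "%5$n",                      /* positional write; a substring check for "%n" misses it */
};
#define SAMPLE_COUNT (sizeof SAMPLE_INPUTS / sizeof SAMPLE_INPUTS[0])

/* Number of sample submissions that contain at least one conversion. */
static int count_flagged(void)
{
    int flagged = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (scan_format_indicators(SAMPLE_INPUTS[i]).conversions > 0) flagged++;
    return flagged;
}

/* Number of sample submissions carrying a %n write primitive. */
static int count_write_probes(void)
{
    int writes = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (scan_format_indicators(SAMPLE_INPUTS[i]).writes > 0) writes++;
    return writes;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        fmt_scan_result r = scan_format_indicators(SAMPLE_INPUTS[i]);
        printf("%-28s conversions=%d writes=%d derefs=%d %s\n", SAMPLE_INPUTS[i],
               r.conversions, r.writes, r.derefs, r.conversions ? "<-- FLAG" : "");
    }
    printf("%d of %zu flagged, %d with a write primitive\n",
           count_flagged(), SAMPLE_COUNT, count_write_probes());
    return 0;
}
```

Note the "50% off" case: it is not a false positive in the usual sense, because printf really would treat "% o" as a space-flagged octal conversion. A detective control built on this parser therefore reports exactly what the vulnerable code would interpret, and natural text containing a percent sign followed by a flag or conversion character will fire.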

Security Control ID: 2

Type: Preventative

Refrain from using format strings when not necessary; for example, printf(str) can be replaced by fputs(str, stdout), and fprintf(stream, str) by fputs(str, stream).


Outcome ID: 1

Type: Success

At least one user-controllable input susceptible to injection found.

Outcome ID: 2

Type: Failure

No user-controllable input susceptible to injection found.



Step 3 - Try to exploit the Format String Injection vulnerability

After determining that a given input is vulnerable to format string injection, hypothesize what the underlying usage looks like and the associated constraints.

Technique ID: 1 - Environment(s) env-Web

Insert various formatting characters to read or write memory, for example to overwrite a return address.

Indicator ID: 1 - Environment(s) env-Web env-Peer2Peer env-CommProtocol env-ClientServer

Type: Positive

Probing via format character injection was successful in identifying vulnerable input.

Indicator ID: 2 - Environment(s) env-Web env-Peer2Peer env-CommProtocol env-ClientServer

Type: Negative

Probing via format character injection failed in identifying vulnerable input.


Outcome ID: 1

Type: Success

Attacker achieves the goal of reading or writing memory by manipulating the format string.

Outcome ID: 2

Type: Inconclusive

Attacker unable to exploit the format string injection vulnerability



User-controllable input shall not be used directly as the format argument of a formatting function, e.g., printf(user_controllable). Special formatting characters in user-controllable input must be escaped (a literal "%" becomes "%%") before the application uses that input in a formatting string function.

Ensure that all format string functions are passed a static format string which cannot be controlled by the user, and that the proper number of arguments is always passed to that function as well. If at all possible, use functions that do not support the %n conversion in format strings.

Limit the usage of formatting string functions.

Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters.
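The description at the top of this page and the mitigations just above, as an added example that is not CAPEC's code and not taken from any real project: a hypothetical logging helper in its vulnerable and hardened forms, plus two small functions that show what the %n conversion actually does. The %n functions pass the destination pointer explicitly so the calls stay well defined; in a real injection that argument slot holds whatever lies in the argument area, which is exactly what the attacker probes for in steps 2 and 3.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical audit-log helper.  The defect: the user-supplied text is passed
 * as the FORMAT argument, so any %-conversion the user includes is interpreted
 * by vsnprintf and consumes argument slots the caller never supplied. */
static int log_event_vulnerable(char *out, size_t outsz, const char *user_text, ...)
{
    va_list ap;
    va_start(ap, user_text);
    int n = vsnprintf(out, outsz, user_text, ap);   /* user_text is the format string */
    va_end(ap);
    return n;
}

/* Hardened form: the format is a string literal under the program's control and
 * the user text is consumed by a single %s.  Where no formatting is needed at all,
 * fputs(user_text, stream) is the equivalent fix for printf(user_text). */
static int log_event_fixed(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, "%s", user_text);
}

/* Returns 1 if the hardened logger passes "%n%s" through untouched as literal text. */
static int fixed_logger_is_inert(void)
{
    char out[64];
    log_event_fixed(out, sizeof out, "%n%s");
    return strcmp(out, "%n%s") == 0;
}

/* %n prints nothing: it stores the number of characters emitted so far into the
 * int that its argument points to.  The attacker controls that count through
 * field widths ("%200u"), which is what turns %n into a write primitive. */
static int write_count_via_n(int width)
{
    char buf[1024];
    int written = -1;
    snprintf(buf, sizeof buf, "%*u%n", width, 0u, &written);
    return written;
}

/* "%hhn" stores only the low byte of the count, so four such writes with chosen
 * widths can assemble an arbitrary 32-bit value one byte at a time. */
static unsigned char low_byte_via_hhn(int width)
{
    char buf[1024];
    unsigned char b = 0;
    snprintf(buf, sizeof buf, "%*u%hhn", width, 0u, &b);
    return b;
}

int main(void)
{
    char line[256];
    /* Benign input behaves identically in both helpers, which is why the bug goes unnoticed. */
    log_event_vulnerable(line, sizeof line, "login ok");
    printf("vulnerable, benign input : %s\n", line);
    log_event_fixed(line, sizeof line, "login %x %n ok");
    printf("fixed, hostile input     : %s\n", line);        /* conversions stay literal */
    printf("%%n after %d padding chars stores %d\n", 200, write_count_via_n(200));
    printf("%%hhn after %d chars stores low byte 0x%02x\n", 0x141, low_byte_via_hhn(0x141));
    return 0;
}
```

The vulnerable helper is only ever called with benign text here; feeding it "%x %n" would be undefined behaviour, because vsnprintf would read argument slots and, for %n, write through a pointer that the program never passed. That is precisely the condition the Step 2 probe ("%s%s%s", "%08x.%08x.%hhn") is designed to trigger.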