A FormatStringAttack is a common class of attack on a CeeLanguage program that uses either the stdio functionality of the the ANSI C library (most commonly) or another system with similar functionality. The attack consists of providing a hostile format string which is then processed by the "printf engine", and which instructs said engine to do nasty things. Many recent Unix exploits are based on FormatStringAttacks; some Windows exploits may use them as well.
Consider the following innocuous-looking program:
/* print arguments */ #include <stdio.h> int main (int argc, char **argv) { int i; for (i = 0; i < argc; ++i) { printf (argv[i]); printf ("\n"); } printf ("There were %d arguments\n", argc); return 0; }If you don't see the problem immediately, it probably looks okay at first glance. But if someone were to install it SUID or use it as part of a network-accessible server, their box could be attacked. The line that permits the attack to occur is this one:
printf (argv[i]);printf expects its first argument to be a format string--an entity including InBandSignal. The character % is used in printf format strings to specify output conversions. Some output conversions, however, can modify the stack; the attacker can thus cause the program to exec a shell, giving the attacker the privileges of the running process.
The problem is the in-band signal. The obvious fix is to use this instead:
printf ("%s", argv[i]);In the latter case, the only format string is "%s", which is harmless. No matter what is contained in argv[i], it will all be interpreted as text. Alternatively, one could write:
fputs(argv[i], stdout);fputs always interprets its first argument as a plain string, not as a format string, so the vulnerability does not exist when using fputs.
See also SentinelPattern / SecurityExploits