Format strings are used in many languages to specify the type of output. These types can range from strings, integers all the way up to pointers.
Although harmless when used in the intended fashion, these strings can be extremely dangerous if code is written in the unintended manner. After all it should just work shouldn’t it ;).
What the leak!
A couple of months ago when I was tackling the format exercises of protostar I came across format string vulnerabilities. The basic idea is that an attacker is able to leak information using format strings. These vulnerabilities are specific to the C language.
Let’s take a look at a normal C program.
On running this program we get our expected behavior…user gives, user gets.
Notice that this program is not vulnerable to the buffer overflow attack as it uses the
fgets() function. Now let’s take a look at the same program, but with a slight modification.
The only difference is that
abc is passed as the first parameter, which is supposed to be for the format string. Let’s take a look.
Hmmm, nothing interesting yet. Let’s go a step further and try adding format specifiers to our input…
Hey, that’s our input… basically what’s happening here is that, since we have not specified the second parameter of printf, it is using garbage as an address for the
%s, however this so called garbage is an address on the stack. And from our knowledge, the stack contains variables. So it’s printing the value of
Let’s take this a little further.
Now I know that you can easily get the creds using the “strings” command. But for sake of realism let’s assume that this binary is being served as a service on some remote server. This means that I aka the attacker does not have access to the binary, I can only interact with it.
Notice the new notation
%1$s. What this means is that print the data at position 1 in this location. Let me elaborate…
You get “1337 33” as the output and not “33 1337”.
Now for our case it’s a little painful to go on typing the numbers so lets automate it…if you don’t understand shellscript, I can’t help you, try googling and learning it first.
Make it executable and run it…
And there you have it. A format string exploit. We’ve successfully leaked memory and got the credentials.
So how do we fix it? Simple…don’t write crappy code. We all do, so here’s a little guide to helping you not write code with format string vulnerabilities.