Format String Vulnerabilities

Hal Burch and Robert C. Seacord explain format string vulnerabilities in programming languages. They also show that, contrary to the usual misconception, C and C++ are not the only languages vulnerable to these exploits. The vulnerability usually arises from directly including user input in the format string.

Programming languages provide various format functions, e.g. printf(), for formatting a string. The arguments to these functions usually include the format string, which describes how the output should be formatted, and the values to be formatted. A programmer who is unaware that a certain function takes a format string can end up passing user-supplied values in that argument instead of a format string. The paper Exploiting Format String Vulnerabilities (pdf) provides details about the various ways attacks can be carried out.

The technique is conceptually similar to other injection techniques, like SQL injection, where the user can provide (inject) malicious input that the program does not handle correctly. Knowledge of these injection techniques can be used to build tools which automatically detect such vulnerabilities, or at least to define policies that find their way into coding conventions.
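
As an illustration of such a detection tool (an added example, not code from the post or from the authors it cites), the heuristic checker below flags calls to C format functions whose format argument is not a string literal. The function names, the `FORMAT_ARG` table and the sample C lines are constructed for this example, and it assumes each call sits on a single line.

```python
import re
# Index of the format-string argument for some C format functions.
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL = re.compile(r"\b(" + "|".join(FORMAT_ARG) + r")\s*\(")

def split_args(text, start):
    # Split the argument list that begins at text[start], just after '('.
    # Commas and parentheses inside string literals or nested calls are kept.
    args, cur, depth, in_str, i = [], "", 0, False, start
    while i < len(text):
        ch = text[i]
        if in_str:
            if ch == "\\":               # copy an escape pair such as \" whole
                ch = text[i:i + 2]
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:               # end of this call's argument list
                return args + [cur.strip()]
            depth -= 1
        elif ch == "," and depth == 0:   # top-level separator: close argument
            args.append(cur.strip())
            cur, ch = "", ""
        cur += ch
        i += 1
    return args + [cur.strip()]          # unterminated call: best effort

def find_nonliteral_formats(source):
    # Return (line number, function, format argument) for every call whose
    # format argument does not start with a string literal.
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL.finditer(line):
            args = split_args(line, m.end())
            idx = FORMAT_ARG[m.group(1)]
            if idx < len(args) and not args[idx].startswith('"'):
                findings.append((lineno, m.group(1), args[idx]))
    return findings

# Constructed sample C source: lines 2, 3 and 5 pass data as the format string.
SAMPLE = '''\
printf("%s\\n", name);
printf(name);
fprintf(stderr, msg);
snprintf(buf, sizeof(buf), "%d items", count(a, b));
syslog(LOG_ERR, get_msg(user, 1));'''
```

Each finding is a candidate for review rather than a confirmed bug: a non-literal format is only a problem when its contents can be influenced by user input, and the usual fix is to pass the data as an argument to a constant format such as `"%s"`.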

This is the weblog of Abhijit Nadgouda where he writes down his thoughts on software development and related topics.