Format String Vulnerabilities

Posted on 2008-10-11
Last Modified: 2012-05-05
Hello to everyone!

After reading a paper called "Exploiting Format String Vulnerabilities" (page 14) for a class project I have, it seems to me that the following piece of code should work:

char h[] = "test";
char t[] = "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n";
char buf[400];

snprintf(buf, sizeof t, t);

The address of h is 0xbffffa67. The paper clearly states that the provided argument to snprintf should allow me to store an integer into h. When the snprintf tries to execute though, it produces a segmentation fault. Can someone please point me in the right direction? What am I doing wrong here?

Also, on a related note: I am no expert, but I have a fairly good understanding of how the stack works. Still, can someone explain to me what should happen when snprintf is called? I feel confused as to how exactly '%08x' works, where and how things are stored on the stack on this call, and how exactly we manage to move the internal stack pointer of printf to our stored address.
Question by:epitsi
Expert Comment

by:Infinity08
ID: 22694460
>> When the snprintf tries to execute though it produces a segmentation fault.

You are providing a format string (t) with several placeholders (%08x etc.) - for each of these, you have to provide an actual value (of the right type) that needs to be put there.

Note also that the second parameter of snprintf should be the size of the buffer (400), not the size of the format string.
Expert Comment

by:Infinity08
ID: 22694470
So, a valid call to snprintf would be:

        unsigned int value = 0;   /* any value to print; initialised so the call is well defined */
        int cnt = 0;              /* %n stores the number of characters written so far here */
        snprintf(buf, 400, t, value, value, value, value, value, &cnt);

which is the same as:

        snprintf(buf, 400, "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n", value, value, value, value, value, &cnt);
Expert Comment

by:Infinity08
ID: 22694500
>> can someone explain to me what should happen when snprintf is called?

It is a safe version of sprintf in that it has an extra parameter (the second) that specifies the maximum number of characters that snprintf will write into the provided buffer. It avoids a buffer overflow, assuming that you provided the correct value.

More info:

        http://linux.die.net/man/3/snprintf
        http://www.cplusplus.com/reference/clibrary/cstdio/sprintf.html


>> I feel confused as to how exactly '%08x' works

%08x is a format that says that it should be replaced by an integer value in hexadecimal notation (x), and it should be shown with a width of at least 8 characters (8), prepended by 0's if needed (0).


>> where and how things are stored on the stack on this call

Just like any normal function call, the arguments are (might be) stored on the stack (depending on the call convention and/or optimizations in effect).


>> and how exactly we manage to move the internal stack pointer of printf to our stored address.

Not sure what you mean by that ...
Author Comment

by:epitsi
ID: 22694556
Thanks for the quick reply. I can understand that what you said is considered the "legitimate" use of snprintf. Let's suppose though that we have the following code:

char buffer[512];
snprintf (buffer, sizeof (buffer), user);

What I want to know is what I should give to "user" in order to cause the function to write data to an arbitrary memory location of my choosing. Obviously this is not the intended use of snprintf, but I know it can be done:

http://doc.bughunter.net/format-string/exploit-fs.html
Accepted Solution

by:
Infinity08 earned 1000 total points
ID: 22694589
I'll try to be a bit more clear ;)

When snprintf is called, it expects to find those extra arguments on the stack. Calling snprintf correctly would place those extra arguments (the ones after the format string) on the stack one by one (let's assume that arguments are passed on the stack and no optimization is in effect). If however these arguments are not passed, the format string will direct snprintf to look for them anyway in the location where it expects them, i.e. right after the pointer to the format string.

Now, since these values are not actually there, it will read whatever is in that location on the stack, and interpret it as if it were a correctly passed argument.

Does that make sense so far?

Now:

>> What I want to know is what should I give to "user", in order to cause the function to write data to an arbitrary memory location of my choosing.

As in your original format string, there is a format %n which does something different from the others. Instead of being replaced by one of the extra arguments, it'll write a value TO the given address (which was not actually given, as you'll remember - so it'll write to the address that it happens to find in the expected location on the stack).
The value it'll write there is the number of characters written so far.

For more information on the %n format, check the reference page I posted earlier.
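A small C program, added here as an example and not code from the thread, that shows the two points of the accepted answer with the pointer argument actually supplied: %n stores the count of characters emitted so far, and passing the user's text through a fixed "%s" format (the hardened form of the thread's snprintf(buffer, sizeof buffer, user)) makes any %08x or %n inside it plain text. Function names are invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread.
   Legitimate use of %n: the int* argument IS supplied, so the store goes
   where the programmer intended. Returns the count that %n recorded. */
int count_with_n(unsigned int value, char *out, size_t outsz)
{
    int cnt = -1;
    /* Two zero-padded width-8 hex fields plus two '.' separators have been
       emitted when %n runs, so cnt becomes 18 whatever `value` is. */
    snprintf(out, outsz, "%08x.%08x.%n-tail", value, value, &cnt);
    return cnt;
}

/* Hardened form of snprintf(buffer, sizeof buffer, user): the format
   string is a literal and `user` is passed as data, so any %08x or %n in
   it is copied verbatim instead of being interpreted as a conversion.
   Returns the number of characters that were (or would have been) written. */
int format_user_safe(char *buffer, size_t bufsz, const char *user)
{
    return snprintf(buffer, bufsz, "%s", user);
}

int main(void)
{
    char out[64], buf[64];
    int n = count_with_n(0xdeadbeefu, out, sizeof out);
    printf("%%n recorded %d, buffer: \"%s\"\n", n, out);

    /* Constructed sample of attacker-style input: with "%s" it is just text. */
    format_user_safe(buf, sizeof buf, "%08x.%08x.%n");
    printf("user text stored verbatim: \"%s\"\n", buf);
    return 0;
}
```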
Author Comment

by:epitsi
ID: 22695425
>> When snprintf is called, it expects to find those extra arguments on the stack. Calling snprintf correctly would place those extra arguments (the ones after the format string) on the stack one by one (let's assume that arguments are passed on the stack and no optimization is in effect). If however these arguments are not passed, the format string will direct snprintf to look for them anyway in the location where it expects them, i.e. right after the pointer to the format string.

Thanks for your help! For some reason I couldn't really understand what was happening on the stack with this, but the above quote did the trick!
Expert Comment

by:Infinity08
ID: 22695439
Do not hesitate to ask if something is still unclear.