Solved

Format String Vulnerabilities

Posted on 2008-10-11
7
291 Views
Last Modified: 2012-05-05
Hello to everyone!

After reading a paper called "Exploiting Format String Vulnerabilities" (page 14) for a class project I have, it seems to me that the following piece of code should work:

char h[] = "test";
char t[] = "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n";
char buf[400];

snprintf(buf, sizeof t, t);

The address of h is 0xbffffa67. The paper clearly states that the provided argument to snprintf should allow me to store an integer into h. When the snprintf tries to execute though it produces a segmentation fault. Can someone please point me to the right direction? What am I doing wrong here?

Also on a related note. I am no expert but I have a fairly good understanding of how the stack works. Still though, can somone explain to me what should happen when snprint is called? I feel confused as to how exactly '%08x' works, where and how things are stored on the stack on this call, and how exactly we manage to move the internal stack pointer of printf to our stored address.
0
Comment
Question by:epitsi
  • 5
  • 2
7 Comments
 
LVL 53

Expert Comment

by:Infinity08
ID: 22694460
>> When the snprintf tries to execute though it produces a segmentation fault.

You are providing a format string (t) with several placeholders (%08x etc.) - for each of these, you have to provide an actual value (of the right type) that needs to be put there.

Note also that the second parameter of snprintf should be the size of the buffer (400), not the size of the format string.
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 22694470
So, a valid call to snprintf would be :

        unsigned int value;
        int cnt = 0;
        snprintf(buf, 400, t, value, value, value, value, value, &cnt);

which is the same as :

        snprintf(buf, 400, "\x67\xfa\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n", value, value, value, value, value, &cnt);
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 22694500
>> can somone explain to me what should happen when snprint is called?

It is a safe version of sprintf in that it has an extra parameter (the second) that specifies the maximum number of characters that snprintf will write into the provided buffer. It avoids a buffer overflow, assuming that you provided the correct value.

More info :

        http://linux.die.net/man/3/snprintf
        http://www.cplusplus.com/reference/clibrary/cstdio/sprintf.html


>> I feel confused as to how exactly '%08x' works

%08x is a format that says that it should be replaced by an integer value in hexadecimal notation (x), and it should be shown with a width of at least 8 characters (8), prepended by 0's if needed (0).


>> where and how things are stored on the stack on this call

Just like any normal function call, the arguments are (might be) stored on the stack (depending on the call convention and/or optimizations in effect).


>> and how exactly we manage to move the internal stack pointer of printf to our stored address.

Not sure what you mean by that ...
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:epitsi
ID: 22694556
Thanks for the quick reply. I can understand that what you said is considered the "legitimate" use of snprintf. Let's suppose though that we have the following code:

char buffer[512];
snprintf (buffer, sizeof (buffer), user);

What I want to know is what should I give to "user", in order to cause the function to write data to an arbitrary memory location of my choosing. Obviously this is not the intended use of snprintf but I know it can be done:

http://doc.bughunter.net/format-string/exploit-fs.html
0
 
LVL 53

Accepted Solution

by:
Infinity08 earned 250 total points
ID: 22694589
I'll try to be a bit more clear ;)

When snprintf is called, it expects to find those extra arguments on the stack. Calling snprintf correctly would place those extra arguments (the ones after the format string) on the stack one by one (let's assume that arguments are passed on the stack and no optimization is in effect). If however these arguments are not passed, the format string will direct snprintf to look for them anyway in the location where it expects them, ie. right after the pointer to the format string.

Now, since these values are not actually there, it will read whatever is in that location on the stack, and interpret it as if it were a correctly passed argument.

Does that make sense so far ?

Now :

>> What I want to know is what should I give to "user", in order to cause the function to write data to an arbitrary memory location of my choosing.

As in your original format string, there is a format %n which does something different from the others. Instead of being replaced by one of the extra arguments, it'll write a value TO the given address (which was not actually given as you'll remember - so it'll write to the address that it happens to find in the expected location on the stack).
The value it'll write there is the amount of characters written so far.

For more information on the %n format, check the reference page I posted earlier.
0
 

Author Comment

by:epitsi
ID: 22695425
<quote>When snprintf is called, it expects to find those extra arguments on the stack. Calling snprintf correctly would place those extra arguments (the ones after the format string) on the stack one by one (let's assume that arguments are passed on the stack and no optimization is in effect). If however these arguments are not passed, the format string will direct snprintf to look for them anyway in the location where it expects them, ie. right after the pointer to the format string.</quote>

Thanks for your help! For some reason I couldn't really understand what was happening on the stack with this, but the above quote made the trick!
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 22695439
Do not hesitate to ask if something is still unclear.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Read about achieving the basic levels of HRIS security in the workplace.
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
The goal of this video is to provide viewers with basic examples to understand opening and writing to files in the C programming language.
The goal of this video is to provide viewers with basic examples to understand how to create, access, and change arrays in the C programming language.

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now