 

Format String Attack?

Tags:

c

security

printf

A recent security notice (http://osdir.com/ml/bugtraq.security/2015-04/msg00102.html) stated that this line of code:

fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x", adata->contents[i]);

was subject to a "format string attack" which I understand as using something like:

fprintf(stderr, varWithUserSuppliedData);

instead of:

fprintf(stderr, "%s", varWithUserSuppliedData);

but I'm not seeing that in that first fprintf call - what am I missing?

John Hascall asked Jul 10 '15 15:07




1 Answer

Thanks to @cremno for providing a link to the Git repository for the file in question: kssl.c (Note that this is not the repository head.)

It's clear that this report is spurious. First, there is no real problem with the fprintf call, although you can argue that code in a security-related product like OpenSSL needs to go beyond being secure to the point of being visibly secure even to a casual glance. (I'm not sure I would make that argument, but it has been made.)

But more importantly, the code in question is disabled (note the preprocessor directives surrounding it):

# if 0
{
    int i;
    fprintf(stderr, "%s[at%d:%d] ", label, adata->ad_type, adata->length);
    for (i = 0; i < adata->length; i++) {
        fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x",
                        adata->contents[i]);
    }
    fprintf(stderr, "\n");
}
# endif
rici answered Oct 03 '22 05:10
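The following C program is an added illustration of the point made in both the question and the answer; it is not code from the question, the answer, or OpenSSL. It puts the vulnerable pattern (user data passed as the format) next to the hardened one (user data passed as an argument to a literal "%s" format), and it reproduces the shape of the kssl.c dump loop to show why that loop is not a format string bug: the ternary only ever chooses between two string literals, so the byte being printed is always an argument and never the format. The logmsg() wrapper, count_conversions() helper and the sample inputs are assumptions for this example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper, standing in for fprintf(stderr, ...).
 * Writing into a buffer keeps the example testable; the format-string
 * hazard is identical for fprintf/printf/syslog/sprintf. */
static int logmsg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the caller-controlled string is itself the format.
 * A user string such as "%x %x %x" makes vsnprintf read variadic
 * arguments that were never passed (stack disclosure), and "%n"
 * writes to an address it finds there. Only ever call this with
 * trusted, literal-like text; it exists here to show the bug's shape. */
static int log_vulnerable(char *out, size_t outsz, const char *user)
{
    return logmsg(out, outsz, user);
}

/* HARDENED: the format is a literal and the user data is an argument,
 * so "%x %x %n" is printed verbatim rather than interpreted. */
static int log_safe(char *out, size_t outsz, const char *user)
{
    return logmsg(out, outsz, "%s", user);
}

/* Same shape as the disabled kssl.c loop. Although the format argument
 * is not a single literal, it is one of exactly two literals chosen by
 * the ternary; data[i] is only ever passed as the conversion's argument.
 * (A trailing space is added after the hex form for readability.) */
static int dump_bytes(char *out, size_t outsz,
                      const unsigned char *data, size_t len)
{
    size_t pos = 0;
    for (size_t i = 0; i < len && pos < outsz; i++) {
        int n = logmsg(out + pos, outsz - pos,
                       isprint(data[i]) ? "%c " : "%02x ", data[i]);
        if (n < 0)
            return -1;
        pos += (size_t)n;
    }
    return (int)pos;
}

/* Review-time check: how many conversion specifiers would this string
 * consume if it were ever used as a format? "%%" is a literal percent
 * and does not count. Anything > 0 in user-controlled data that reaches
 * a format argument is a finding. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    const char *payload = "%x %x %n";      /* constructed attacker input */
    const unsigned char sample[] = { 'A', 0x01, 0xff };  /* constructed */

    log_safe(buf, sizeof buf, payload);
    printf("safe:     %s\n", buf);           /* prints the payload verbatim */
    printf("specs in payload: %d\n", count_conversions(payload));

    dump_bytes(buf, sizeof buf, sample, sizeof sample);
    printf("dump:     %s\n", buf);
    return 0;
}
```

Compiling with -Wformat-security (or -Wformat=2) flags a call whose format is a non-literal with no further arguments, which is the pattern log_vulnerable() shows; the ternary in dump_bytes() is not flagged because both branches are literals and the argument count matches.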