Why is printf(inputString) a security hole?

I was reading an answer on Quora where I encountered that something as simple as:

char* inputString;    /* assumed to be filled from external input before the next line */
printf(inputString);  /* the untrusted string itself is passed as the format string */

is a security hole.

I assume that the inputString is not simply uninitialized, but initialized with some external input between the two statements.

How exactly is this a security hole?

The original answer on Quora was here:

If C and C++ give the best performance, why do we still code in other languages?

but it provides no additional context for this claim.

Vishwas asked Mar 30 '26 16:03

2 Answers

I assume that the input string is a string you got from the user, and not just an uninitialized value.

The problem is that the user can

  • crash the program: printf ("%s%s%s%s%s%s%s%s%s%s%s%s")
  • view the stack: printf ("%08x %08x %08x %08x %08x\n");
  • view memory on any location,
  • or even write an integer to nearly any location in the process memory.

This leads to an attacker being able to:

  • Overwrite important program flags that control access privileges
  • Overwrite return addresses on the stack, function pointers, etc.

It is all explained quite well here.

Jan Rüegg answered Apr 02 '26 05:04

It's not just a security problem, but it won't work at all, because the pointer is not initialized. In this context, making the program crash (= not running anymore) could be a (security) problem, depending on what the program does and in what context it runs.

I assume you mean you have a proper string. In this case, if the string is provided by some external input (user etc.), there can be (unexpected) placeholders like %s etc. while the rest of the printf expects e.g. a %d. For this example (%s instead of %d), instead of printing an integer number, it will start printing all memory content until some 0 byte, possibly giving out some secret information stored after the int bytes.

Something similar, i.e. giving out too many bytes because of wrong unchecked user input, happened e.g. in the known "Heartbleed" bug not too long ago, which was/is a pretty big global problem. ... The first printf parameter should be fixed, not coming from any variable.

Other placeholder combinations are possible too, leading to a wide range of possible effects (including generation of wrong floating point signals in the CPU, which could lead to more serious problems depending on the architecture, etc.)

deviantfan answered Apr 02 '26 06:04
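Both answers make the same point from two directions: the first lists what a string full of %s or %08x does when it is used as the format, the second explains why the first printf parameter must be a fixed literal. The C program below is an added example, written for this page and not taken from the question, either answer, or the Quora post. All function names in it (count_directives, has_write_directive, print_untrusted) are made up for the example; the sample strings are constructed to match the ones in the answers. It shows the hardened call the second answer recommends, and two small checks a defender can run over external input before it reaches any logging or printf-style code: how many conversion directives the string would consume (each one makes printf fetch an argument that was never passed, which is why twelve %s in a row tend to crash), and whether it contains a %n, the one directive that writes to memory rather than reading it.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not from the question or either answer). All function
 * names here are hypothetical. The point: untrusted text must only ever be
 * an ARGUMENT to printf, never the format string itself.
 */

/* Count conversion directives in s. "%%" is a literal percent sign and is
 * skipped. Every directive counted here makes printf read one more variadic
 * argument that the caller never passed, so a format string made of twelve
 * "%s" dereferences twelve garbage values as char* and usually crashes. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": literal, not a directive */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Return 1 if s contains a %n-style directive (after optional flags, width,
 * precision and length modifiers such as "%08x%n" or "%hhn"). %n writes the
 * number of characters printed so far into memory instead of reading it, so
 * its presence in external input is the strongest signal that someone is
 * probing for a format-string bug; log it, do not pass it on. */
int has_write_directive(const char *s)
{
    static const char modifiers[] = "-+ #0123456789.*hlLqjzt";
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q != '\0' && strchr(modifiers, *q) != NULL)
            q++;
        if (*q == 'n')
            return 1;
    }
    return 0;
}

/* Hardened form of printf(inputString): the format is a string literal and
 * the untrusted text is passed as the %s argument, so any '%' inside it is
 * printed verbatim. Returns the number of characters written, as fprintf does. */
int print_untrusted(FILE *out, const char *untrusted)
{
    return fprintf(out, "%s\n", untrusted);
}

int main(void)
{
    /* Constructed sample inputs, modelled on the strings in the two answers. */
    const char *samples[] = {
        "hello world",
        "100%% done",
        "%s%s%s%s%s%s%s%s%s%s%s%s",
        "%08x %08x %08x %08x %08x",
        "%08x%n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("directives=%2d writes=%d  input: ",
               count_directives(samples[i]), has_write_directive(samples[i]));
        print_untrusted(stdout, samples[i]);   /* safe even for the "%n" sample */
    }
    return 0;
}
```

Compiling with `-Wall -Wformat -Wformat-security` makes gcc and clang warn on the original `printf(inputString)` (a non-literal format with no arguments), and marking your own printf-style wrappers with `__attribute__((format(printf, N, M)))` extends that warning to them; the scanning functions above are for the case where the string has already arrived from outside and you want to notice the probe in logs rather than rely on the call site being correct.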
