Description

This web application/server uses externally-controlled format strings in printf-style functions, which can lead to buffer overflows or data representation problems. Format string attacks alter the flow of an application by using string formatting library features to access other memory space. Vulnerabilities occur when user-supplied data are used directly as formatting string input for certain C/C++ functions (e.g. fprintf, printf, sprintf, setproctitle, syslog, ...). If an attacker passes a format string consisting of printf conversion characters (e.g. "%f", "%p", "%n", etc.) as a parameter value to the web application, they may:

  • Execute arbitrary code on the server
  • Read values off the stack
  • Cause segmentation faults/software crashes

Remediation

Ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings.

References

Format string attack

scut (TESO): Exploiting Format String Vulnerabilities

Related Vulnerabilities

PHP unserialize() used on user input

Cross-site Scripting via File Upload

Insecure usage of Version 1 UUID/GUID

Deserialization of Untrusted Data (Java JSON Deserialization) Jackson

Ruby on Rails CookieStore session cookie persistence

Severity

High

Classification

CWE-134 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Buffer Overflow