Uncontrolled format string

Description
  • This web application/server uses externally-controlled format strings in printf-style functions, which can lead to buffer overflows or data representation problems. Format string attacks alter the flow of an application by using string formatting library features to access other memory space. Vulnerabilities occur when user-supplied data are used directly as formatting string input for certain C/C++ functions (e.g. fprintf, printf, sprintf, setproctitle, syslog, ...). If an attacker passes a format string consisting of printf conversion characters (e.g. "%f", "%p", "%n", etc.) as a parameter value to the web application, they may: <br/> <ul> <li>Execute arbitrary code on the server</li> <li>Read values off the stack</li> <li>Cause segmentation faults/software crashes</li> </ul>
Remediation
  • Ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings.
References