CAPEC-135 Detail

Format String Injection

Abstraction: Standard   Domain: Software   Likelihood of Attack: High   Typical Severity: High

Parents: CAPEC-137

Children: CAPEC-67

Description

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s prints the contents of a memory location, expecting that location to hold a string, and the formatting character %n writes the number of characters output so far into a memory location. An adversary can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
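The defensive counterpart of the description above, as an added example that is not part of the CAPEC entry: the only reliable mitigation for CWE-134 is to keep the format string a compile-time literal and pass untrusted text as a %s argument, so directives such as %n in the input are copied as text rather than interpreted. The block also includes a small scanner that counts conversion directives in a string, which a defender can use to flag probe payloads in logs or reject them at input validation. The function names (count_format_directives, format_user_message, probe_is_inert) and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in s. A "%%" pair is a
 * literal percent sign and is not counted. Useful for flagging probe
 * payloads such as "%s%s%n" in request logs before they reach a
 * format function. (Constructed helper, not part of CAPEC.) */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent: skip both characters */
            p++;
            continue;
        }
        count++;             /* anything else after '%' starts a directive */
    }
    return count;
}

/* Hardened pattern: the format string is a compile-time literal and the
 * untrusted text is consumed by %s as data. Directives inside it are
 * copied verbatim instead of being interpreted, so "%n" cannot write to
 * memory. The vulnerable form this replaces is snprintf(out, out_len, user),
 * i.e. passing the user string in the format position.
 * Returns the length snprintf reports, or -1 if the output was truncated. */
int format_user_message(char *out, size_t out_len, const char *user)
{
    int written = snprintf(out, out_len, "User said: %s", user);
    if (written < 0 || (size_t)written >= out_len)
        return -1;
    return written;
}

/* Self-check: feeds a probe payload through the hardened path and
 * reports whether it survived as inert text (1) or not (0). */
int probe_is_inert(void)
{
    char out[64];
    const char *probe = "%s%n%x";   /* constructed sample, not a real request */
    if (format_user_message(out, sizeof out, probe) < 0)
        return 0;
    return strcmp(out, "User said: %s%n%x") == 0;
}

int main(void)
{
    char out[64];
    const char *inputs[] = { "hello", "100%% done", "%s%s%n" };   /* constructed */
    for (size_t i = 0; i < 3; i++) {
        format_user_message(out, sizeof out, inputs[i]);
        printf("%-12s directives=%d -> %s\n", inputs[i],
               count_format_directives(inputs[i]), out);
    }
    return probe_is_inert() ? 0 : 1;
}
```

Compiling with -Wformat -Wformat-security (many distributions enable -Werror=format-security by default) turns the vulnerable form, a non-literal format with no arguments, into a build error, which is the cheapest check to add to a C code base.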


References

  CAPEC-135 (capec): https://capec.mitre.org/data/definitions/135.html
  CWE-134 (cwe): http://cwe.mitre.org/data/definitions/134.html
  CWE-20 (cwe): http://cwe.mitre.org/data/definitions/20.html
  CWE-74 (cwe): http://cwe.mitre.org/data/definitions/74.html
  OWASP (Attacks): Format string attack, https://owasp.org/www-community/attacks/Format_string_attack
  REF-14 (reference_from_CAPEC): Hal Burch, Brendan Saulsbury, FIO30-C. Exclude user input from format strings, CERT, 2011-05, https://www.securecoding.cert.org/confluence/display/seccode/FIO30-C.+Exclude+user+input+from+format+strings
  REF-15 (reference_from_CAPEC): Robert Auger, WASC Threat Classification 2.0, The Web Application Security Consortium (WASC), http://projects.webappsec.org/Format-String
  REF-616 (reference_from_CAPEC): OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP), https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection.html

Execution Flow
Explore
  1. Survey application: The adversary takes an inventory of the entry points of the application.
     Techniques:
       Spider web sites for all available links.
       List parameters, external variables, configuration file variables, etc. that are possibly used by the application.

Experiment
  1. Determine user-controllable input susceptible to format string injection: For each user-controllable input that the adversary suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc. The goal is to manipulate the string creation using these formatting characters.
     Techniques:
       Inject a probe payload that contains formatting characters (%s, %d, %n, etc.) through input parameters.

Exploit
  1. Try to exploit the Format String Injection vulnerability: After determining that a given input is vulnerable to format string injection, hypothesize what the underlying usage looks like and the associated constraints.
     Techniques:
       Insert various formatting characters to read or write the memory, e.g. overwrite return address, etc.

Prerequisites
  1. The target application must accept a string as user input, fail to sanitize string formatting characters in the user input, and process this string using functions that interpret string formatting characters.

Resources Required
  1. None: No specialized resources are required to execute this type of attack.

Skills Required
  High: Discovering format string vulnerabilities takes only low skill; however, converting this discovery into a working exploit requires advanced knowledge on the part of the adversary.

Consequences
  Integrity: Modify Data
  Access Control: Bypass Protection Mechanism
  Confidentiality: Read Data
  Execute Unauthorized Commands (Run Arbitrary Code)

Example Instances
  1. Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks. See also: CVE-2007-2027