CAPEC-67 Detail
String Format Overflow in syslog()
Abstraction: Detailed | Domain: Software | Likelihood of Attack: High | Typical Severity: Very High
Parents: CAPEC-100, CAPEC-135
Threats: T62
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-67 | capec | https://capec.mitre.org/data/definitions/67.html | |
| CWE-120 | cwe | http://cwe.mitre.org/data/definitions/120.html | |
| CWE-134 | cwe | http://cwe.mitre.org/data/definitions/134.html | |
| CWE-74 | cwe | http://cwe.mitre.org/data/definitions/74.html | |
| CWE-20 | cwe | http://cwe.mitre.org/data/definitions/20.html | |
| CWE-680 | cwe | http://cwe.mitre.org/data/definitions/680.html | |
| CWE-697 | cwe | http://cwe.mitre.org/data/definitions/697.html | |
| 06 | WASC | http://projects.webappsec.org/Format-String | Format String |
| REF-1 | reference_from_CAPEC | | G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004-02, Addison-Wesley |
| REF-503 | reference_from_CAPEC | http://doc.bughunter.net/format-string/exploit-fs.html | scut, team teso, Exploiting Format String Vulnerabilities |
| REF-504 | reference_from_CAPEC | http://www.blackhat.com/presentations/bh-europe-00/HalvarFlake/HalvarFlake.ppt | Halvar Flake, Auditing binaries for security vulnerabilities |
| REF-505 | reference_from_CAPEC | https://vulncat.hpefod.com/en | Fortify Taxonomy of Vulnerabilities, Fortify Software |
| REF-506 | reference_from_CAPEC | http://www.rt.com/man/syslog.3.html | Syslog man page |
Explore
- Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. In this attack, adversaries look for applications that use syslog() incorrectly.

Experiment
- Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer. For each user-controllable input that the adversary suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc. The goal is to manipulate the string creation using these formatting characters.
  - Technique: Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters.
- Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.
  - Technique: The formatting characters %s and %d are useful for observing memory and trying to print memory addresses. If an adversary has access to the log being written to, they can observe this output and use it to help craft their attack.
  - Technique: The formatting character %n is useful for adding extra data onto the buffer.

Exploit
- Overflow the buffer: Using the injection vector, the adversary supplies the program with the crafted format string injection, causing a buffer overflow.
Prerequisite:
- The syslog function is used without specifying a format string argument, allowing user input to be placed directly into the function call as the format string.
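The prerequisite above (syslog() called with user input as the format string) and the probe/hardening contrast from the Experiment step, as an added C example that is not part of the CAPEC entry or of any referenced project. The function names count_format_directives, looks_like_format_probe, render_vulnerable, render_safe and log_untrusted are my own, and the sample strings are constructed; the vulnerable call is rendered through snprintf rather than syslog() so its effect can be observed in a buffer instead of a system log.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf-style conversion directives in a string. A "%%" pair is a
 * literal percent sign and is not counted; every other '%' (including a
 * trailing lone '%') starts a directive that the printf family would try
 * to interpret. Useful for flagging untrusted input that looks like a
 * format-string probe before it reaches any logging call. */
int count_format_directives(const char *s) {
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') {
            continue;
        }
        if (s[1] == '%') {
            s++;            /* skip the escaped pair */
            continue;
        }
        count++;
    }
    return count;
}

bool looks_like_format_probe(const char *s) {
    return count_format_directives(s) > 0;
}

/* VULNERABLE pattern (hypothetical, for contrast only): the untrusted string
 * is passed as the format argument, exactly the misuse this entry describes.
 * Any directive in 'untrusted' is evaluated against whatever happens to be
 * in the (empty) argument list. Compilers flag this with -Wformat-security;
 * that warning is silenced here only because this function exists to be
 * demonstrated, and it should stay enabled (ideally as an error) in real code. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_vulnerable(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, untrusted);
}
#pragma GCC diagnostic pop

/* Hardened pattern: a constant format with the untrusted data bound to a
 * single %s. Directives inside 'untrusted' are copied as plain characters. */
int render_safe(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, "%s", untrusted);
}

/* The same fix applied to syslog(3): the format is a literal, never the data. */
void log_untrusted(int priority, const char *untrusted) {
    syslog(priority, "%s", untrusted);
}

int main(void) {
    /* Constructed sample input: a benign string containing an escaped percent
     * sign, and a string shaped like the probe payloads named in this entry.
     * The probe is never passed to render_vulnerable: that would be undefined
     * behaviour, which is the whole point. */
    const char *benign = "job finished: 100%% done";
    const char *probe  = "user=%08x.%08x.%n";
    char buf[128];

    render_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable: %s\n", buf);   /* "%%" collapsed to "%": the data was interpreted */
    render_safe(buf, sizeof buf, benign);
    printf("safe:       %s\n", buf);   /* "%%" survives verbatim: the data was copied */

    printf("directives in probe: %d (flag=%d)\n",
           count_format_directives(probe), (int)looks_like_format_probe(probe));

    openlog("capec67-demo", LOG_PID, LOG_USER);
    log_untrusted(LOG_INFO, probe);    /* written verbatim; nothing is interpreted */
    closelog();
    return 0;
}
```

The count helper is a detection aid, not a substitute for the fix: the only reliable mitigation is the literal "%s" format shown in render_safe and log_untrusted, which makes the content of the input irrelevant to how the call behaves.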
Consequences:

| Scope | Technical Impact |
|---|---|
| Integrity | Execute Unauthorized Commands (Run Arbitrary Code); Modify Data |
| Availability | Execute Unauthorized Commands (Run Arbitrary Code); Unreliable Execution |
| Authorization | Gain Privileges |
| Access Control | Gain Privileges |
| Confidentiality | Execute Unauthorized Commands (Run Arbitrary Code); Gain Privileges |
Example:
- Format string vulnerability in the TraceEvent function of ntop before 2.1 allows remote adversaries to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP authentication. See also: CVE-2002-0412