2. Rakesh Paruchuri (nuc13us)
Security Enthusiast
Love playing CTFs (team bi0s)
Intern with Amrita Center for Cyber Security
3. Outline:
→ Background
→ Introduction
→ Format string functions
→ Format specifiers
→ How printf works
→ Exploiting format strings
→ Format string vulnerability (vs) buffer overflow
4. Background
What is a vulnerability?
What is binary exploitation?
● Buffer overflow
● Heap overflow
● Format string, and many more...
Let's go a little deeper into format strings.
5. Program in execution
● Executable section: TEXT
  – The actual code that will be executed
● Initialized data: DATA
  – Global and static variables that have an initializer
● Uninitialized data: BSS
  – Global and static variables without an initializer (zero-filled when the program is loaded)
● Local variables: Stack
8. How printf works
● printf takes a variable number of arguments.
  – printf(<format string>, ...);
● The caller places those arguments wherever the calling convention says (on the stack on 32-bit x86; the first few in registers and the rest on the stack on x86-64). printf itself has no way of knowing how many were actually passed.
● The arguments are accessed through the format specifiers given in the format string: each specifier fetches the next argument.
● Format string "%d" → assumes there is one argument
● "%s %d" → assumes two arguments
● If the format string contains more specifiers than arguments were supplied, printf keeps fetching from whatever happens to sit in the next argument slots.
9. Format String Functions
int printf(const char *format, ...);
int fprintf(FILE *stream, const char *format, ...);
int sprintf(char *str, const char *format, ...);
int snprintf(char *str, size_t size, const char *format, …);
10. Format Specifiers
Format specifier   Description                              Passed as
%d                 Signed decimal value                     value
%u                 Unsigned decimal value                   value
%s                 String                                   reference (pointer)
%x                 Hexadecimal value                        value
%n                 Write number of bytes written so far     reference (pointer)
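As an added example (not code from the original slides), the following C program walks a format string the way printf does and counts how many arguments it will fetch, which is the assumption slide 8 describes, and flags the one specifier in the table above that writes instead of reads. The function names scan_format and format_matches and the sample format strings are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* What a format string will make printf fetch from its caller. */
struct fmt_usage {
    int args;    /* arguments consumed, counting '*' width/precision */
    int writes;  /* %n conversions: each one writes through a pointer */
    int bad;     /* 1 if a '%' is not followed by a valid conversion */
};

/* Walk the format string as printf does, without printing anything.
 * Every conversion except "%%" pulls one argument; '*' pulls an extra
 * int for width or precision; 'n' is a write, not a read. */
struct fmt_usage scan_format(const char *fmt)
{
    struct fmt_usage u = {0, 0, 0};
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }                 /* literal '%' */
        while (*p && strchr("-+ #0", *p)) p++;            /* flags */
        if (*p == '*') { u.args++; p++; }                 /* width taken from an argument */
        else while (isdigit((unsigned char)*p)) p++;      /* literal width */
        if (*p == '.') {                                  /* precision */
            p++;
            if (*p == '*') { u.args++; p++; }
            else while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlLjzt", *p)) p++;           /* length modifiers */
        if (*p == '\0' || !strchr("diouxXeEfFgGaAcspn", *p)) {
            u.bad = 1;                                    /* e.g. "%q" or a trailing '%' */
            break;
        }
        if (*p == 'n') u.writes++;
        u.args++;
        p++;
    }
    return u;
}

/* Gate for a logging wrapper that passes `supplied` real arguments:
 * a format is acceptable only if it consumes exactly that many and
 * never writes memory. Anything else reads (or writes) past what the
 * caller actually placed in the argument slots. */
int format_matches(const char *fmt, int supplied)
{
    struct fmt_usage u = scan_format(fmt);
    return !u.bad && u.writes == 0 && u.args == supplied;
}

int main(void)
{
    /* constructed sample formats, not taken from any real program */
    const char *samples[] = { "%d", "%s %d", "100%% done", "%08x.%08x.%08x", "%*d%hhn" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct fmt_usage u = scan_format(samples[i]);
        printf("%-18s args=%d writes=%d bad=%d\n", samples[i], u.args, u.writes, u.bad);
    }
    return 0;
}
```

The interesting row is "%*d%hhn": it fetches three arguments although only two conversions are visible, and the last of them is a pointer that gets written through. That is the shape of an exploit payload, and it is also what a wrapper can reject before the string ever reaches printf.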
12. What format string vulnerability can lead to?
● View the process memory (read the stack directly, and with "%s" read from any address found there)
● Crash the program (an invalid pointer dereferenced by "%s" or "%n")
● Overwrite the instruction pointer or another memory location with attacker-chosen data (via "%n")
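Added example, not code from the slides: a vulnerable logging sink beside its hardened form, and a deterministic look at the %n write that the last bullet depends on. The names log_vuln, log_safe and n_write_demo and the probe string are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable sink: the user's text *is* the format string. "%x" makes
 * snprintf read arguments nobody passed (stack/register contents leak
 * into the log) and "%n" makes it write to memory. Kept only to show
 * the bug; never call it with untrusted text. */
int log_vuln(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, user);      /* BUG: non-literal format, no arguments */
}

/* Hardened sink: the format is a constant and the user's text is an
 * ordinary "%s" argument, so a '%' in it is just a character to print. */
int log_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

/* The write primitive behind "overwrite a memory location": %n stores
 * the number of bytes printed so far through a pointer argument. Here
 * the pointer is legitimate (a local int) and the field width picks the
 * value. In an exploit the pointer comes from attacker-controlled data
 * sitting in an argument slot, and the value becomes part of an address. */
int n_write_demo(int width)
{
    char scratch[256];
    int written = -1;

    snprintf(scratch, sizeof scratch, "%*u%n", width, 0u, &written);
    return written;
}

int main(void)
{
    char out[128];
    const char *probe = "%08x %08x %08x";   /* constructed attacker input */

    log_safe(out, sizeof out, probe);
    printf("safe : %s\n", out);             /* the probe, verbatim */

    log_vuln(out, sizeof out, probe);
    printf("vuln : %s\n", out);             /* whatever sat in the argument slots */

    printf("%%n stored %d after a width-40 field\n", n_write_demo(40));
    return 0;
}
```

Only the vulnerable call is a one-line difference from the safe one, which is why compilers flag a format that is not a string literal: gcc's -Wformat-security warns on exactly the log_vuln call above.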
13. Format String Vulnerability (vs) Buffer Overflow
Buffer overflow                      Format string
Discovered in the 1980s              Discovered in 1999
Number of exploits in the thousands  Number of exploits very small
Treated as a security threat         Treated as a programmer's mistake
Difficult to find                    Easy to find
14. Attacks on Format Strings:
Sudo - privilege escalation
Peanch - instant messaging program
CUPS - printing system for Unix
CVE-2016-4448: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers