Format String Attack
~ Mayur N Mallya
Basics
• A format specifier is used to tell the compiler what type of data the program is taking as input or producing as output. Format specifiers begin with the '%' character.
• Format specifiers indicate the location and method for translating a piece of data (such as a number) into characters. Examples: %s, %d, %f, etc.
• A format string is a control parameter used by a class of functions in the input/output libraries of C and many other programming languages. Format strings contain format specifiers.
[Slide image: example of a statement containing format specifiers]
Introduction
• An uncontrolled format string is a software vulnerability discovered in the late '80s that can be used to crash a program or make it execute harmful code.
• Attacking by exploiting an uncontrolled format string is known as a Format String Attack.
• Most of these attacks target ANSI C programs, because the problem stems from the use of unchecked user input as the format string parameter of certain functions that perform formatting, such as printf().
• A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in memory.
• One may also write arbitrary data to arbitrary locations using the %n format token, which instructs printf() and similar functions to write the number of bytes formatted so far to an address taken from the stack.
• In essence, the format string exploit occurs when submitted input data is interpreted as a command by the application. The attacker could then execute code, read the stack, or cause a segmentation fault in the running application, producing new behaviours that compromise the security or the stability of the system.
Components
It is important to identify, locate and understand the attack. To understand the attack, it is necessary to understand the components that constitute it.
• The Format Function is an ANSI C conversion function, like printf or fprintf, which converts a primitive variable of the programming language into a human-readable string representation.
• The Format String is the argument of the Format Function and is an ASCIIZ (null-terminated) string which contains text and format parameters, for example: printf("The magic number is: %d\n", 1911);
• The Format String Parameter, like %x or %s, defines the type of conversion performed by the format function.
[Slide image: some examples of Format Functions which, if not treated, can be attacked]
[Slide image: how to verify whether the format function accepts and parses the format string parameters]
Uncommon Formats and Format Options
In order to fully leverage the power of formats, we need to review the full list of formats and format options.
• %n : Saving the Number of Bytes:
Format printing services allow you to save the total number of bytes formatted so far into a variable. There is a decent chance you've never heard of this format, but it is surprisingly useful for certain tasks. For example, given a format and its arguments, it is not obvious how long the output will be until it is actually formatted. Here's a basic example of using %n:
The %n format matches an address, in particular the address of an integer, at which the number of bytes formatted up to that point is stored. So, for example, running this program, we get:
Note that the %n conversion does not actually produce anything in the output: it is not printable. Instead, it only has a side effect. So why does this format exist? There are some practical uses; for example, consider counting the digits of a number read in using scanf():
• Format Flag and Argument Options:
Another tool we will need is the set of extra options that let formats better manipulate the output. So far you are probably familiar with the conversion formats:
• %d : signed number
• %u : unsigned number
• %x : hexadecimal number
• %f : floating point number
• %s : string conversion
What you might not be aware of is that there are many more options to change the formatting. Here's a sample program that will illuminate some of these so-called "flag" options:
* The first flag option is "#", which adds prefix formatting. When printing in hexadecimal it adds '0x' to the start of non-zero values. That's pretty useful.
* The next option is adding a number before the conversion character, as in %#50x. This right-adjusts the output so that the number is padded to 50 places. If you add a leading 0 to the width, as in %#050x, the format fills those blank spaces with 0s.
* Perhaps the least familiar option is the m$ form, where m is some number, which lets you refer to a specific argument being passed. In the example above, we refer to the same argument twice using two different conversion formats. This is useful so that you don't have to pass the same argument multiple times; however, once you use $ references, you have to use them for all the format arguments.
* Finally, we have the half-conversion length modifier h, which says to convert only half the typical size. Since we are working with 4-byte integer values, a single h formats a 2-byte short value, and two, hh, format a single 1-byte char value.
• Flag Options for Strings:
With strings, things are similar but a bit different. Here's some example code:
* As with numbers, we can specify a width to right-adjust the string up to some specified size, but we can't pad it with 0s. Instead the space is filled with spaces.
* Unlike integers (but as with floating-point numbers), we can also truncate the output if we use the . precision option. The number following the . says how many bytes of the string should be used, and this can be combined with the width adjustment. Interestingly, the right adjustment can be flipped to left adjustment with a minus sign.
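The slide images for the %n, flag and string examples are not part of this transcript, so here is an added example (not the deck's own code) that exercises every option described in the two sections above: the %n side effect and its digit-counting use, the # / width / 0 flags, m$ positional arguments, the h and hh length modifiers, and string width, precision and left-adjustment. All output goes through snprintf into fixed buffers so each result can be checked; function names are this example's own.

```c
/* Added example (not from the slides): exercises %n and the flag, width,
 * precision, positional-argument and length options described above. */
#include <stdio.h>
#include <string.h>

/* %n stores the number of bytes produced so far into the int it points at
 * and prints nothing itself. Returns that count; the text lands in out. */
int count_with_n(char *out, size_t outsz) {
    int written = -1;
    snprintf(out, outsz, "The magic number is: %d%n", 1911, &written);
    return written;   /* 25 == strlen("The magic number is: 1911") */
}

/* Digit-counting use of %n: everything before %n is the decimal rendering
 * of value, so the stored count is its length (sign included). */
int count_digits(int value) {
    char scratch[32];
    int digits = 0;
    snprintf(scratch, sizeof scratch, "%d%n", value, &digits);
    return digits;
}

/* "#" adds the 0x prefix; a width right-adjusts; a leading 0 pads with
 * zeros, which go after the prefix when # is also present. */
void hex_flags(unsigned v, char *plain, char *alt, char *padded, size_t sz) {
    snprintf(plain,  sz, "%x",     v);  /* "deadbeef" */
    snprintf(alt,    sz, "%#x",    v);  /* "0xdeadbeef" */
    snprintf(padded, sz, "%#012x", v);  /* "0x00deadbeef": 12 chars wide */
}

/* m$ refers to a positional argument, so one value can be formatted twice
 * without being passed twice; once used, every conversion must use it. */
void positional(unsigned v, char *out, size_t sz) {
    snprintf(out, sz, "%1$u = %1$#x", v);  /* "48879 = 0xbeef" */
}

/* h converts at short width, hh at char width: from 0x12345678 the
 * conversions keep 0x5678 and 0x78 respectively. */
void half_conversions(int v, char *out, size_t sz) {
    snprintf(out, sz, "%hx %hhx", (unsigned short)v, (unsigned char)v);
}

/* Strings: width pads with spaces (never zeros), .precision truncates to
 * that many bytes, and a minus flag flips right- to left-adjustment. */
void string_flags(const char *s, char *right, char *trunc, char *left, size_t sz) {
    snprintf(right, sz, "[%10s]",    s);  /* "[     hello]" */
    snprintf(trunc, sz, "[%10.3s]",  s);  /* "[       hel]" */
    snprintf(left,  sz, "[%-10.3s]", s);  /* "[hel       ]" */
}

int main(void) {
    char buf[64], a[32], b[32], c[32];
    printf("%d bytes formatted before %%n\n", count_with_n(buf, sizeof buf));
    printf("1911 has %d digits\n", count_digits(1911));
    hex_flags(0xdeadbeefu, a, b, c, sizeof a);
    printf("%s | %s | %s\n", a, b, c);
    positional(0xbeefu, buf, sizeof buf);
    puts(buf);
    half_conversions(0x12345678, buf, sizeof buf);
    puts(buf);
    string_flags("hello", a, b, c, sizeof a);
    printf("%s %s %s\n", a, b, c);
    return 0;
}
```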
Buffer overflow
• In information security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
• Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs: if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause it to write past the end of the buffer.
• If this overwrites adjacent data or executable code, it may result in erratic program behaviour, including memory access errors, incorrect results, and crashes. Exploiting the behaviour of a buffer overflow is a well-known security exploit.
• Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array is within the boundaries of that array. Bounds checking can prevent buffer overflows, but requires additional code and processing time.
Example of a buffer overflow
• In the following example, expressed in C, a program has two variables which are adjacent in memory: an 8-byte-long string buffer, A, and an unsigned integer, B.
• Initially, A contains nothing but zero bytes, and B contains the number 1979.
• Now the program attempts to store the null-terminated string "excessive", with ASCII encoding, in the A buffer.
• "excessive" is 9 characters long and encodes to 10 bytes including the null terminator, but A can take only 8 bytes. By failing to check the length of the string, the program also overwrites the value of B.
• B's value has now been inadvertently replaced by a number formed from part of the character string. In this example, "e" followed by a zero byte would become 25856.
• Writing data past the end of allocated memory can sometimes be detected by the operating system, which generates a segmentation fault error that terminates the process.
• To prevent the buffer overflow from happening in this example, the call to strcpy could be replaced with strlcpy, which takes the maximum capacity of A (including a null-termination character) as an additional parameter and ensures that no more than this amount of data is written to A.
• When available, the strlcpy library function is preferred over strncpy, which does not null-terminate the destination buffer if the source string's length is greater than or equal to the size of the buffer (the third argument passed to the function). In that case A may not be null-terminated and cannot be treated as a valid C-style string.
Using formats in an exploit
• Now that we've had a whirlwind tour of formats you've never heard of nor ever really wanted to use, how can we use them in an exploit? Here's the program we are going to exploit.
This is a rather contrived example of using sprintf() to do a copy. One might think that because the first sprintf() uses the %.400s format, this would not allow an overflow of buffer or outbuff. For example, this does not cause a segmentation fault:
True, we can't overflow buffer, but we can overflow outbuff, because buffer is used as the format string. For example, what if the input looked like this:
And if we look at the dmesg output (dmesg is a command on most Unix-like operating systems that prints the kernel's message buffer):
We see that we overwrote the instruction pointer with a bunch of 0x20 bytes, or spaces!
Now, the goal is to overwrite the return address with something useful, like the address of bad().
To do this, we need the right amount of padding from the extended format to hit the return address. We can find it by first using 0xdeadbeef and checking the dmesg output:
So if we use a 505-byte-wide %d format, the next 4 bytes we write are the return address. Adding that, we get what we want:
We can also get this to execute a shell in the normal way.
Preventing Format String Vulnerabilities
• Always specify the format string as part of the program, never as an input. Most format string vulnerabilities are fixed by passing "%s" as the format string and the data string as an argument, rather than using the data string as the format string.
• If possible, make the format string a constant and extract all the variable parts as other arguments to the call. This is difficult to do with some internationalization libraries.
• If the above two practices are not possible, use defences such as FormatGuard. These are rare at design time, but they can be a way to keep using a legacy application while keeping costs down, and to increase trust that a third-party application will be safe.
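The vulnerable sprintf copy from the exploit section beside the two fixes recommended above, as an added example that is not the deck's own code: a constant "%s" format with the input passed as an argument, plus two defence-in-depth helpers for code paths that must log untrusted text verbatim. The helper names and the sample input are this example's own.

```c
/* Added example (not from the slides): hardened copy and input checks. */
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern from the text, shown only for contrast and not called:
 * the bounded first copy limits buffer, but buffer then becomes the format,
 * so a "%500d" in the input expands far beyond the input's length and
 * overruns outbuff, and a %n would write to memory.
 *
 *   char buffer[512], outbuff[512];
 *   snprintf(buffer, sizeof buffer, "%.400s", user_input);
 *   sprintf(outbuff, buffer);          // buffer is the format string
 */

/* Hardened form: constant format, input as an argument, destination size
 * given to snprintf. Returns 1 if the copy was truncated, 0 otherwise. */
int copy_hardened(char *outbuff, size_t outsz, const char *user_input) {
    int needed = snprintf(outbuff, outsz, "%s", user_input);
    return needed < 0 || (size_t)needed >= outsz;
}

/* Counts conversion specifications ("%" not followed by another "%") in
 * untrusted input, so a caller can reject or escape it before it reaches
 * any logging or formatting layer that might misuse it as a format. */
int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* "%%" is a literal percent */
        n++;
    }
    return n;
}

/* Escapes every "%" as "%%" so the text stays literal even if a later
 * stage mistakenly uses it as a format. Returns 1 if it did not fit. */
int escape_percent(char *dst, size_t dstsz, const char *src) {
    size_t o = 0;
    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (o + need >= dstsz) { dst[o] = '\0'; return 1; }
        dst[o++] = *src;
        if (*src == '%') dst[o++] = '%';
    }
    dst[o] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample input shaped like the slide's "%500d" probe. */
    const char *input = "hello %500d %n world";
    char outbuff[512], escaped[64];
    copy_hardened(outbuff, sizeof outbuff, input);
    printf("hardened copy : %s\n", outbuff);                 /* literal text */
    printf("conversions   : %d\n", count_conversions(input)); /* 2 */
    escape_percent(escaped, sizeof escaped, input);
    printf("escaped       : %s\n", escaped);
    return 0;
}
```

Compiling the commented-out pattern with gcc -Wformat -Wformat-security reports "format not a string literal and no format arguments", which is the cheapest check to turn on across a legacy code base.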
Thank You

More Related Content

What's hot

Server Controls of ASP.Net
Server Controls of ASP.NetServer Controls of ASP.Net
Server Controls of ASP.Net
Hitesh Santani
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Php Error Handling
Php Error HandlingPhp Error Handling
Php Error Handlingmussawir20
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Daniel Tumser
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Evgeni Tsonev
 
Command injection
Command injectionCommand injection
Command injection
penetration Tester
 
Input Validation
Input ValidationInput Validation
Input Validation
primeteacher32
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf)   it 6873 presentationA8 cross site request forgery (csrf)   it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
Html forms
Html formsHtml forms
Active browser web page
Active browser web pageActive browser web page
Active browser web page
Zee1481
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Php Tutorial
Php TutorialPhp Tutorial
Php Tutorial
Sridhar P
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
Sanad Bhowmik
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting GuideDaisuke_Dan
 
CSRF Basics
CSRF BasicsCSRF Basics
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 

What's hot (20)

Server Controls of ASP.Net
Server Controls of ASP.NetServer Controls of ASP.Net
Server Controls of ASP.Net
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Php Error Handling
Php Error HandlingPhp Error Handling
Php Error Handling
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
Command injection
Command injectionCommand injection
Command injection
 
Input Validation
Input ValidationInput Validation
Input Validation
 
Php introduction
Php introductionPhp introduction
Php introduction
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf)   it 6873 presentationA8 cross site request forgery (csrf)   it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Html forms
Html formsHtml forms
Html forms
 
Active browser web page
Active browser web pageActive browser web page
Active browser web page
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Php Tutorial
Php TutorialPhp Tutorial
Php Tutorial
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting Guide
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
 

Similar to Format String Attack

C basics 4 std11(GujBoard)
C basics 4 std11(GujBoard)C basics 4 std11(GujBoard)
C basics 4 std11(GujBoard)indrasir
 
Chapter3
Chapter3Chapter3
Chapter3
Kamran
 
Format string
Format stringFormat string
Format string
Vu Review
 
Lesson 10. Pattern 2. Functions with variable number of arguments
Lesson 10. Pattern 2. Functions with variable number of argumentsLesson 10. Pattern 2. Functions with variable number of arguments
Lesson 10. Pattern 2. Functions with variable number of arguments
PVS-Studio
 
C Programming Unit-1
C Programming Unit-1C Programming Unit-1
C Programming Unit-1
Vikram Nandini
 
Programming in C - interview questions.pdf
Programming in C - interview questions.pdfProgramming in C - interview questions.pdf
Programming in C - interview questions.pdf
SergiuMatei7
 
1. introduction to computer
1. introduction to computer1. introduction to computer
1. introduction to computer
Shankar Gangaju
 
Fundamental of C Programming Language and Basic Input/Output Function
  Fundamental of C Programming Language and Basic Input/Output Function  Fundamental of C Programming Language and Basic Input/Output Function
Fundamental of C Programming Language and Basic Input/Output Function
imtiazalijoono
 
MANAGING INPUT AND OUTPUT OPERATIONS IN C MRS.SOWMYA JYOTHI.pdf
MANAGING INPUT AND OUTPUT OPERATIONS IN C    MRS.SOWMYA JYOTHI.pdfMANAGING INPUT AND OUTPUT OPERATIONS IN C    MRS.SOWMYA JYOTHI.pdf
MANAGING INPUT AND OUTPUT OPERATIONS IN C MRS.SOWMYA JYOTHI.pdf
SowmyaJyothi3
 
Cnotes
CnotesCnotes
Error correction-and-type-of-error-in-c
Error correction-and-type-of-error-in-cError correction-and-type-of-error-in-c
Error correction-and-type-of-error-in-c
Md Nazmul Hossain Mir
 
fds unit1.docx
fds unit1.docxfds unit1.docx
fds unit1.docx
AzhagesvaranTamilsel
 
CProgrammingTutorial
CProgrammingTutorialCProgrammingTutorial
CProgrammingTutorial
Muthuselvam RS
 
An Introduction To C++Templates
An Introduction To C++TemplatesAn Introduction To C++Templates
An Introduction To C++TemplatesGanesh Samarthyam
 
Unit 4 Foc
Unit 4 FocUnit 4 Foc
Unit 4 Foc
JAYA
 
Introduction to C Programming
Introduction to C ProgrammingIntroduction to C Programming
Introduction to C Programming
MOHAMAD NOH AHMAD
 
qb unit2 solve eem201.pdf
qb unit2 solve eem201.pdfqb unit2 solve eem201.pdf
qb unit2 solve eem201.pdf
Yashsharma304389
 
Lecture 3.mte 407
Lecture 3.mte 407Lecture 3.mte 407
Lecture 3.mte 407
rumanatasnim415
 
Unit 2 introduction to c programming
Unit 2   introduction to c programmingUnit 2   introduction to c programming
Unit 2 introduction to c programming
Mithun DSouza
 

Similar to Format String Attack (20)

C basics 4 std11(GujBoard)
C basics 4 std11(GujBoard)C basics 4 std11(GujBoard)
C basics 4 std11(GujBoard)
 
Chapter3
Chapter3Chapter3
Chapter3
 
Format string
Format stringFormat string
Format string
 
Lesson 10. Pattern 2. Functions with variable number of arguments
Lesson 10. Pattern 2. Functions with variable number of argumentsLesson 10. Pattern 2. Functions with variable number of arguments
Lesson 10. Pattern 2. Functions with variable number of arguments
 
C Programming Unit-1
C Programming Unit-1C Programming Unit-1
C Programming Unit-1
 
Programming in C - interview questions.pdf
Programming in C - interview questions.pdfProgramming in C - interview questions.pdf
Programming in C - interview questions.pdf
 
1. introduction to computer
1. introduction to computer1. introduction to computer
1. introduction to computer
 
Fundamental of C Programming Language and Basic Input/Output Function
  Fundamental of C Programming Language and Basic Input/Output Function  Fundamental of C Programming Language and Basic Input/Output Function
Fundamental of C Programming Language and Basic Input/Output Function
 
MANAGING INPUT AND OUTPUT OPERATIONS IN C MRS.SOWMYA JYOTHI.pdf
MANAGING INPUT AND OUTPUT OPERATIONS IN C    MRS.SOWMYA JYOTHI.pdfMANAGING INPUT AND OUTPUT OPERATIONS IN C    MRS.SOWMYA JYOTHI.pdf
MANAGING INPUT AND OUTPUT OPERATIONS IN C MRS.SOWMYA JYOTHI.pdf
 
Cnotes
CnotesCnotes
Cnotes
 
Error correction-and-type-of-error-in-c
Error correction-and-type-of-error-in-cError correction-and-type-of-error-in-c
Error correction-and-type-of-error-in-c
 
fds unit1.docx
fds unit1.docxfds unit1.docx
fds unit1.docx
 
CProgrammingTutorial
CProgrammingTutorialCProgrammingTutorial
CProgrammingTutorial
 
An Introduction To C++Templates
An Introduction To C++TemplatesAn Introduction To C++Templates
An Introduction To C++Templates
 
Unit 4 Foc
Unit 4 FocUnit 4 Foc
Unit 4 Foc
 
Introduction to C Programming
Introduction to C ProgrammingIntroduction to C Programming
Introduction to C Programming
 
qb unit2 solve eem201.pdf
qb unit2 solve eem201.pdfqb unit2 solve eem201.pdf
qb unit2 solve eem201.pdf
 
Lecture 3.mte 407
Lecture 3.mte 407Lecture 3.mte 407
Lecture 3.mte 407
 
Unit 2 introduction to c programming
Unit 2   introduction to c programmingUnit 2   introduction to c programming
Unit 2 introduction to c programming
 
C tutorial
C tutorialC tutorial
C tutorial
 

Recently uploaded

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 

Recently uploaded (20)

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 

Format String Attack

  • 1. Format String Attack ~ Mayur N Mallya
  • 2. Basics
     A format specifier is used to tell the compiler what type of data the program is taking as input or output. They usually begin with the ‘%’ character.
     Format specifiers indicate the location and method to translate a piece of data (such as a number) to characters. Ex: %s, %d, %f, etc.
     A format string refers to a control parameter used by a class of functions in the input/output libraries of C and many other programming languages. These statements contain format specifiers.
    (Figure: example of a statement containing format specifiers)
  • 3. Introduction
     An uncontrolled format string is a software vulnerability discovered in the late ‘80s that can be used to crash the program or make it execute harmful code.
     Attacking by exploiting an uncontrolled format string is known as a Format String Attack.
     Most of these attacks are executed in ANSI C, as the problem stems from the use of unchecked user input as the format string parameter in certain functions that perform formatting, such as printf().
     A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in memory.
     One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write the number of bytes formatted to an address stored on the stack.
     In essence, the format string exploit occurs when the submitted data of an input string is interpreted as a command by the application. So, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.
  • 4. Components
    It is important to identify, locate and understand the attack. To understand the attack, it’s necessary to understand the components that constitute it.
     The Format Function is an ANSI C conversion function, like printf or fprintf, which converts a primitive variable of the programming language into a human-readable string representation.
     The Format String is the argument of the Format Function and is an ASCIIZ (null-terminated) string which contains text and format parameters, like: printf("The magic number is: %d\n", 1911);
     The Format String Parameter, like %x or %s, defines the type of conversion of the format function.
    (Figure: some examples of Format Functions which, if not treated, can be attacked)
    (Figure: how to verify whether the format function accepts and parses the format string parameters)
  • 5. Uncommon Formats and Format Options
    In order to fully leverage the power of the format, we need to review the full list of formats and format options.
     %n : Saving the Number of Bytes: Format printing services allow you to save the total bytes formatted so far into a variable. There is a decent chance you've never heard of this format, but it is actually surprisingly useful for certain tasks. For example, given a format and its arguments, it is not obvious how long the output is until it is actually formatted. Here's a basic example of using %n:
    The %n format matches an address, in particular the address of an integer, at which the number of bytes formatted up to that point is stored. So, for example, running this program, we get:
  • 6. Note that the %n character is not actually produced in the output: it is not printable. Instead, it only has a side effect. OK, so why does this format exist? Well, there are some really practical uses; for example, consider counting the digits of a number read in using scanf():
  • 7.  Format Flag and Argument Options: Another tool of formats we will need is some of the extra options for formats to better manipulate the format output. So far you are fairly familiar with the conversion formats:
    • %d : signed number
    • %u : unsigned number
    • %x : hexadecimal number
    • %f : floating point number
    • %s : string conversion
    What you might not be aware of is that there is a wealth more options to change the formatting. Here's a sample program that will illuminate some of these so-called "flag" options:
  • 8.
    * The first flag option is the "#", which is used to add prefix formatting. In the case of printing in hexadecimal it will add '0x' to the start of non-zero values. That's pretty useful.
    * The next option is adding a number prior to the conversion argument, as in %#50x. This conversion will right-adjust the format such that the entire number takes up a field 50 characters wide. If you add a leading 0 to the adjustment, as in %#050x, the format will fill those blank spaces with 0's.
    * Perhaps the least familiar option you've seen is the m$ format, where m is some number; it allows you to refer to a specific argument being passed. In the example above, we refer to the same argument twice using two different conversion formats. This is really useful for not having to pass the same argument multiple times; however, when you use the $ references, you have to do so for all the format arguments.
    * Finally, we have the half-conversion option h, which says to only convert half the typical size. In this case, since we are working with 4-byte integer values, that means formatting a 2-byte short value when using one h, or a 1-byte char value with two, hh.
  • 9.  Flag Options for Strings: With strings, things are similar but a bit different. Here's some example code:
    * As with numbers, we can specify a length flag to right-adjust the string up to some specified size, but we can't fill that with 0's. Instead the space is filled with spaces.
    * Unlike with integer numbers (but as can be done with float numbers), we can also truncate the length of the format if we use the . option. The number following the . says how many bytes from the string should be used, and this can be combined with the right adjustment. And, interestingly, the right adjustment can be flipped to left adjustment with a negative sign.
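The sample programs slides 5 to 9 refer to are not reproduced in this transcript, so here is an added example (not the author's code) that exercises the same options: %n as a byte counter and as a digit counter after scanf(), the #, width, 0 and m$ flags on hex conversions, h/hh narrowing, and width, precision and left adjustment on strings. All values and buffers are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides; values and buffers are constructed. */

/* %n stores the number of bytes formatted so far into the int it points
 * to and emits nothing itself. Here it lands right after "...is: 1911". */
int bytes_before_n(void)
{
    char buf[64];
    int n = -1;
    snprintf(buf, sizeof buf, "The magic number is: %d%n\n", 1911, &n);
    return n;                       /* 25 */
}

/* The scanf() use the slide alludes to: %n after %d records how many input
 * characters the number consumed (sign included), i.e. its digit count. */
int digits_via_n(const char *text)
{
    int value = 0, consumed = 0;
    if (sscanf(text, "%d%n", &value, &consumed) != 1)
        return -1;
    return consumed;
}

/* '#' adds the 0x prefix, a width right-adjusts, and a leading 0 pads the
 * field with zeros (inserted after the prefix, as the C standard says). */
int hex_flags(unsigned v, char *out, size_t outsz)
{
    return snprintf(out, outsz, "[%#x][%#12x][%#012x]", v, v, v);
}

/* m$ positional references reuse one argument under two conversions. */
int positional_refs(unsigned v, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%1$u %1$x", v);
}

/* h / hh narrow the 4-byte value to its low 2 bytes / low byte. */
int half_conversions(unsigned v, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%hx %hhx", v, v);
}

/* Strings: width pads with spaces (never zeros), .N keeps N bytes, and a
 * '-' flips the adjustment to the left. */
int string_flags(const char *s, char *out, size_t outsz)
{
    return snprintf(out, outsz, "[%10s][%.3s][%-10.3s]", s, s, s);
}
```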
  • 10. Buffer overflow
     In information security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
     Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs; if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause it to write past the end of the buffer.
     If this overwrites adjacent data or executable code, it may result in erratic program behavior, including memory access errors, incorrect results, and crashes. Exploiting the behavior of a buffer overflow is a well-known security exploit.
     Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array is within the boundaries of that array. Bounds checking can prevent buffer overflows, but requires additional code and processing time.
  • 11. Example for Buffer overflow
     In the following example expressed in C, a program has two variables which are adjacent in memory: an 8-byte-long string buffer, A, and an unsigned integer, B.
     Initially, A contains nothing but zero bytes, and B contains the number 1979.
     Now, the program attempts to store the null-terminated string "excessive" with ASCII encoding in the A buffer.
     "excessive" is 9 characters long and encodes to 10 bytes including the null terminator, but A can take only 8 bytes. By failing to check the length of the string, it also overwrites the value of B.
  • 12.
     B's value has now been inadvertently replaced by a number formed from part of the character string. In this example "e" followed by a zero byte would become 25856.
     Writing data past the end of allocated memory can sometimes be detected by the operating system, generating a segmentation fault error that terminates the process.
     To prevent the buffer overflow from happening in this example, the call to strcpy could be replaced with strlcpy, which takes the maximum capacity of A (including a null-termination character) as an additional parameter and ensures that no more than this amount of data is written to A:
     When available, the strlcpy library function is preferred over strncpy, which does not null-terminate the destination buffer if the source string's length is greater than or equal to the size of the buffer (the third argument passed to the function); therefore A may not be null-terminated and cannot be treated as a valid C-style string.
  • 13. Using formats in an exploit
     Now that we've had a whirlwind tour of formats you've never heard of nor ever really wanted to use, how can we use them in an exploit? Here's the program we are going to exploit.
    This is a rather contrived example of using sprintf() to do a copy. One may think that because the first sprintf() uses the %.400s format, this would not enable an overflow of buffer or outbuff. For example, this does not cause a segmentation fault:
    True, we can't overflow buffer, but we can overflow outbuff, because buffer is treated as the format string. For example, what if the input was like:
    And if we look at the dmesg output: [dmesg is a command on most Unix-like operating systems that prints the message buffer of the kernel]
    We see that we overwrote the instruction pointer with a bunch of 0x20 bytes, or spaces! Now, the goal is to overwrite the return address with something useful, like the address of bad().
  • 14. To do this, we need the right number of extended formats to hit the return address. We can do this by first using 0xdeadbeef and checking the dmesg output:
    So if we use a 505-byte-length %d format, the next 4 bytes we write are the return address. And adding that, we get what we want:
    We can also get this to execute a shell in the normal way.
  • 15. Preventing Format String Vulnerabilities
     Always specify the format string as part of the program, not as an input. Most format string vulnerabilities are solved by specifying “%s” as the format string and not using the data string as the format string.
     If possible, make the format string a constant. Extract all the variable parts as other arguments to the call. This is difficult to do with some internationalization libraries.
     If the above two practices are not possible, use defenses such as FormatGuard. Rare at design time; perhaps a way to keep using a legacy application and keep costs down, and to increase trust that a third-party application will be safe.
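As an added example (not the author's program), here is the sprintf()-as-copy shape from slide 13 next to the fix slide 15 prescribes: a constant "%s" format with the data passed as an argument and the destination size as the bound, which also gives the null-terminated bounded copy slide 12 wants from strlcpy. A small directive counter is included for code that must keep a legacy non-constant format call. The buffer size and sample inputs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides; sizes and inputs are constructed.
 *
 * Vulnerable shape (left as a comment so this file compiles cleanly):
 *     sprintf(outbuff, buffer);       // user data IS the format string
 * Any %d, %x or %n inside buffer is interpreted, and nothing bounds the
 * write into outbuff. */

/* Hardened copy: a constant format, the data as an argument, and the
 * destination size as the bound. Returns the length actually stored;
 * snprintf always NUL-terminates, unlike strncpy (slide 12). */
size_t copy_safe(char *outbuff, size_t outsz, const char *buffer)
{
    int would = snprintf(outbuff, outsz, "%s", buffer);
    if (would < 0 || outsz == 0)
        return 0;
    return (size_t)would < outsz ? (size_t)would : outsz - 1;
}

/* Input check for code that must keep a legacy non-constant format call:
 * count conversion directives, treating the escaped "%%" as literal. A
 * caller can reject or log any input where this is non-zero. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* "%%" prints one '%', no conversion */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Demo: the 505-byte %d expansion from slide 14 is copied literally by the
 * safe path, so outbuff never grows past the five input characters. */
int demo_literal_copy(void)
{
    char outbuff[32];
    const char *input = "%505d";    /* constructed sample */
    size_t len = copy_safe(outbuff, sizeof outbuff, input);
    return len == 5 && strcmp(outbuff, input) == 0
        && count_conversions(input) == 1;
}
```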