The document discusses format string vulnerabilities, which occur when user-supplied input containing format specifiers is used without validation in functions like printf(). Format strings allow viewing process memory, crashing programs, or overwriting memory locations like the instruction pointer. While buffer overflows have thousands of exploits, format string vulnerabilities are less common but easier to find due to programmer mistakes. Exploiting format strings can lead to privilege escalation, crashes, or arbitrary code execution. Examples of past vulnerabilities are discussed.

1. Format String
Vulnerability
By Rakesh P
Amrita University

2. → Rakesh Paruchuri (nuc13us)
Security Enthusiast→
Love playing CTFs (team bi0s)→
Intern with Amrita Center→
for Cyber Security

3. Outline:
→ Background
→ Introduction
→ Format string functions
→ Format specifiers
→ How printf works?
→ Exploiting format string
→ Format string vulnerability (vs)
Buffer overflow

4. Background
What is a vulnerability ?
Binary Exploitation ?
●
Buffer Overflow
●
Heap Overflow
●
Format string and many more..
Lets go a little deep into Format String

5. Program in execution
Executable section: TEXT
– The actual code that will be
executed
●
Initialized data: DATA
– Global variables
●
Uninitialized data: BSS
●
Local variables: Stack

6. Stack view during function calls

7. Stack
…....
10. push j
11. push i
12. call add
13. add esp, 0x8
……
20. add:
21. mov eax, [esp+0x4]
22. mov ebx, [esp+0x8]
23. add eax, ebx
24. ret
Stack
0XDEADCAFE
Higher address
Lower address

8. How printf works
●
Printf can take variable number of arguments.
– printf(<format string>,......);
●
Arguments must be stored in the stack.
●
Those arguments are accused through format specifiers that
are given the format string.
●
Format string = “%d” → assumes that there is one argument
●
(“%s %d”) → two arguments

9. Format String Functions
int printf(const char *format, ...);
int fprintf(FILE *stream, const char *format, ...);
int sprintf(char *str, const char *format, ...);
int snprintf(char *str, size_t size, const char *format, …);

10. Format Specifiers
Format Specifier Description Passed as
%d decimal value
%u Unsigned decimal value
%s String reference
%x hexadecimal value
%n Write number of bytes
written so far
reference

11. Exploiting Format String

12. What format string vulnerability can lead to?
●
View the process memory
●
Crash a program
●
Overwrite instruction pointer or process memory location with
malicious data

13. Format String Vulnerability (vs) Buffer
overflow
Buffer Overflow Format string
Discovered in 1980’s Discovered in 1999
Number of exploits are in
thousands
Number of exploits are very less
Security threat Programmers mistake
Difficult to find out Easy to find

14. Attacks on Format String:
Sudo - (privilege escalation)
Peanch - instant messaging program
CUPS- Printing system for unix
CVE-2016-4448:
Format string vulnerability in libxml2 before 2.9.4
allows attackers to have unspecified impact via
format string specifiers