
CWE-134: Use of Externally-Controlled Format String

Official CWE-134 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.

Release 4.20 · weakness · Draft

Glexia's Take

CWE-134: Use of Externally-Controlled Format String

Use of Externally-Controlled Format String represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Confidentiality: Read Memory. Format string problems allow for information disclosure, which can severely simplify exploitation of the program.
  • Integrity, Confidentiality, Availability: Modify Memory; Execute Unauthorized Code or Commands. Format string problems can result in the execution of arbitrary code, buffer overflows, denial of service, or incorrect data representation.

Developer Pattern

CWE-134 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Confidence

High confidence, based on the CWE-134 entry in CWE release 4.20.

Official CWE Definition

CWE-134: Use of Externally-Controlled Format String

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Type: weakness
Abstraction: Base
Status: Draft
Source: MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • The following program prints a string provided as an argument. The example is exploitable because of the call to printf() in the printWrapper() function. Note: the stack buffer was added to make exploitation simpler.
  • The following code copies a command line argument into a buffer using snprintf(). This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.
  • Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc. This code produces the following output: 5 9 5 5. It is also possible to use half-writes (%hn) to accurately control arbitrary DWORDs in memory, which greatly reduces the complexity needed to execute an attack that would otherwise require four staggered writes, such as the one mentioned in a separate example.

Remediation

  • Requirements: Choose a language that is not subject to this flaw.
  • Implementation: Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
  • Build and Compilation: Run compilers and linkers with high warning levels, since they may detect incorrect usage.
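As an added illustration (not code from the CWE entry or from Glexia), the hardened form of the print wrapper described above next to a small directive gate for the cases where external text must still reach a format-capable API; the function names, the gate's policy and the sample text are assumptions made for this example:

```c
#include <stdio.h>
#include <string.h>

/* Hardened print wrapper. The CWE-134 "before" form is printf(user):
 * user text becomes the format string, so "%x" reads stack words and
 * "%n" writes memory. A literal format with the text as an argument
 * removes that control entirely. */
void print_wrapper_safe(const char *user)
{
    printf("%s\n", user);
}

/* Defensive gate for paths where external text must still reach a
 * format-capable API (e.g. a logging helper that takes a fmt argument).
 * Returns the number of conversion specifiers, or -1 if the string holds
 * a write directive (%n, %hn, ...) or ends in a truncated '%'.
 * Only "%%" is accepted as a literal percent sign. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;            /* "%%": literal percent */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == '\0' || *p == 'n') return -1;
        count++;
    }
    return count;
}

/* Caller policy (assumed): external text may carry no directives at all. */
int is_safe_external_text(const char *s)
{
    return count_format_directives(s) == 0;
}

/* Stand-alone use: gate the argument, then print it through the literal format. */
int main(int argc, char **argv)
{
    const char *text = argc > 1 ? argv[1] : "constructed sample text";
    if (!is_safe_external_text(text)) {
        fputs("rejected: input contains format directives\n", stderr);
        return 1;
    }
    print_wrapper_safe(text);
    return 0;
}
```

Compiling with -Wformat -Wformat-security (GCC/Clang) flags the non-literal printf(user) call that the gate and wrapper replace.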

Detection

  • Automated Static Analysis: This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.
  • Black Box: Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source).
  • Automated Static Analysis - Binary or Bytecode
  • Manual Static Analysis - Binary or Bytecode
  • Dynamic Analysis with Automated Results Interpretation
  • Dynamic Analysis with Manual Results Interpretation
  • Manual Static Analysis - Source Code
  • Automated Static Analysis - Source Code

Mappings

Related CVEs, CWEs, and ATT&CK context

Related CWEs

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.


ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.