CIS 4615 meeting -*- Outline -*-

* Format String Attacks

Based on chapter 6 of the book:
24 Deadly Sins of Software Security
by M. Howard, D. LeBlanc, and J. Viega (McGraw-Hill, 2010)
and CWE-134's page: https://cwe.mitre.org/data/definitions/134.html

** attack

*** background

------------------------------------------
FORMAT STRINGS AND PRINTF-STYLE FUNCTIONS

fprintf, printf, sprintf, etc.
take format strings as arguments
such as %d, %s, etc.

    printf("i = %d\n", i);

The interpreter uses the format string to:

 - specify

 - determine

------------------------------------------
... the output format
... the number of arguments to the function call

Q: Does C check that the number of arguments given
   matches the number determined by the format string?

   No!

Q: What happens if the number determined by the string
   is larger than the number of arguments?

   The function starts reading from the stack!

*** overview

------------------------------------------
FORMAT STRING ATTACK

1. Find use of

2. Supply

------------------------------------------
... printf-style output formatting in program
... input using formatting specifications %x, %n, etc. to
    - read from parts of memory or
    - write to parts of memory!

Use read formats (%x, %d, etc.) to read out parts of the stack
(and use write formats (%n) to write parts of the stack)

*** example confidentiality loss

------------------------------------------
EXAMPLES

/* echo.c */
#include <stdio.h>

int main(int argc, char* argv[]) {
    /* char *passwd = "secret"; */
    int i;
    for (i=1; i < argc; i++) {
        printf(argv[i]);
        if (i < argc-1) {
            printf(" ");
        }
    }
    printf("\n");
    return 0;
}
------------------------------------------
Q: Is this susceptible to the attack?

   Yes, if the argument has formatting codes in it
   they will be interpreted by printf,
   and printf will read past the real arguments into the rest of the stack...

   See echo.c in this directory, and uncomment the secret line...
   Try using "%x %x %x %x" and "%x %x %x %s" as input...

Q: What other attacks is this like?
   SQL injection, since it interprets user input
   Buffer overflow, since it reads (or writes) past the end of the arguments.

------------------------------------------
EXAMPLE

int main(int argc, char **argv) {
    char buf[128];
    ...
    snprintf(buf,128,argv[1]);
}
------------------------------------------
Q: Is this susceptible to the attack?

   Yes, snprintf will interpret input from the user with formatting...

Q: Can an attacker view the contents of the stack?

   Yes!

Q: Can an attacker write over parts of the stack?

   Yes...

*** The %n format directive

See http://pubs.opengroup.org/onlinepubs/000095399/functions/printf.html

------------------------------------------
THE MEANING OF %n FORMAT DIRECTIVES

The %n format stores the number of bytes written so far
into the corresponding (int) pointer argument

Example:

    int n;
    printf("%s: %nFoo\n", "hello", &n);
    printf("%*sBar\n", n, "");

prints:

    hello: Foo
           Bar
------------------------------------------
see percent_n.c

------------------------------------------
DANGER OF %n DIRECTIVES

What happens if user input specifies %n?

------------------------------------------
Since the attacker can control how much is printed before the %n,
they could cause arbitrary values to be written
into particular variables in memory!

Q: Is this dangerous?

   Yes, very much!

** Severity

------------------------------------------
SEVERITY

Suppose fprintf writes a log file;
what harm could happen from attacker-controlled formats?

------------------------------------------
... covering the attacker's tracks
    exposure of confidential information
    taking over the application

** Mitigation

*** code review

------------------------------------------
FIXES TO LOOK FOR IN REVIEW

Change

    printf(user_input);

to

    printf(
------------------------------------------
... "%s", user_input);

or use some other output function, like puts
(note that puts appends a newline)

Note: printf is a lot slower than puts.

Don't let the input be interpreted as a format string!

Q: What should be done in C++?
   use the stream operators,
   like std::cout << user_input;

------------------------------------------
IS THIS SUSCEPTIBLE?

    fprintf(stderr, err_msg);

------------------------------------------
Q: If so, what should be done about it?

   fprintf(stderr, "%s\n", err_msg);

------------------------------------------
IS THIS SUSCEPTIBLE?

    fprintf(file, msg_format, arg1, arg2);

------------------------------------------
Depends on whether msg_format is controlled by the user

------------------------------------------
THINGS TO LOOK FOR IN REVIEW

Look for:

    printf(user_input);
    fprintf(file, user_input);

and calls to any function with ... in its type, e.g.

    void syslog(int priority, const char *format, ...);

------------------------------------------

*** tools

------------------------------------------
TOOLS TO FIND THESE BUGS

Use gcc -Wformat=2
or gcc -Wformat -Wformat-security

source code scanners:
    RATS
    flawfinder
------------------------------------------

*** testing

------------------------------------------
TESTING TECHNIQUES

For C/C++:
    Use %x in inputs, see if you get hex output

For other languages, adjust
------------------------------------------
Q: What other problems could happen if an app gives back your input?

   XSS attacks!
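The hardened forms from the review and testing slides above, as an added example that is not part of the course notes or the book: a safe version of echo.c that passes user text only as a "%s" argument, a helper for the "%x in inputs" test that counts how many directives survive a round trip, and the %n alignment trick done with snprintf's return value instead of %n. The function names (safe_echo, count_directives, aligned_lines) are this example's own.

```c
/* Added example, not from the course notes or the book. Function names
 * are assumptions of this example, not the course's files. */
#include <stdio.h>
#include <string.h>

/* Hardened echo: each argv[i] is always an ARGUMENT of the fixed "%s%s"
 * format, never the format itself, so "%x" or "%n" inside it is copied
 * literally. Mirrors echo.c (space-separated, trailing newline) but writes
 * into a caller-supplied buffer. Returns the number of characters written,
 * or -1 if the buffer would overflow (the output stays NUL-terminated). */
int safe_echo(char *out, size_t outlen, int argc, char *argv[]) {
    size_t used = 0;
    int i, r;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (i = 1; i < argc; i++) {
        r = snprintf(out + used, outlen - used, "%s%s",
                     argv[i], (i < argc - 1) ? " " : "");
        if (r < 0 || (size_t)r >= outlen - used) return -1; /* error/truncated */
        used += (size_t)r;
    }
    r = snprintf(out + used, outlen - used, "\n");
    if (r < 0 || (size_t)r >= outlen - used) return -1;
    used += (size_t)r;
    return (int)used;
}

/* Testing helper: count '%' conversion directives in a string ("%%" is a
 * literal percent sign, not a directive). Feed a probe such as "%x %x" to
 * the program; if the echoed output has the same directive count, the
 * input was not interpreted. If the count drops (and hex digits appear),
 * the input reached a printf-style function as its format string. */
int count_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            n++;
        }
    }
    return n;
}

/* The slide's %n alignment example without %n: printf-family functions
 * return the number of characters they wrote, which gives the same width
 * ("hello: " is 7 characters), so no pointer argument is needed. */
int aligned_lines(char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s: ", "hello");
    if (n < 0 || (size_t)n >= outlen) return -1;
    int m = snprintf(out + n, outlen - (size_t)n, "Foo\n%*sBar\n", n, "");
    if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
    return n + m;
}

int main(int argc, char *argv[]) {
    char buf[256];
    if (safe_echo(buf, sizeof buf, argc, argv) >= 0) fputs(buf, stdout);
    if (aligned_lines(buf, sizeof buf) >= 0) fputs(buf, stdout);
    return 0;
}
```

Running the program with "%x %x %x %s" as its arguments prints that text back unchanged, which is exactly the behaviour the testing slide tells you to check for; with -Wformat=2 the compiler stays silent here because every format is a string literal.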