Format String Vulnerability

What is a Format String Vulnerability? 

Often found in C language programs, it refers to a bug found in the printf() function. It is widely used to transport data, which could be ASCII text strings, to the standard output. When used properly, text strings can lead to effective and automated conversion types. On contrary, a faulty configuration leads to the problem.

Format string attack surfaces when the data, which an input printf() string delivers, is considered or executed as a command by the software. When it happens, the attacker can easily insert malicious code in the input string or access stack, and even cause temporary or permanent software execution failure. 

Depending on the severity of the attack can lead to abnormal system behavior and system inability. Most commonly, the wrong usage of %d and %s in print() string brings success. 

The most common printf function family members that can be affected by this threat are fprintf, vsprintf, vsnprintf, sprint, and vfprintf.

‍

Format string Vulnerabilities in action - Example

Here is a sample code:

#include <stdio.h>
int main(int arg1, char **arg2){
printf(arg2[1]);
}

Now, in this code, there is no defined format specifier that will allow an attacker to insert a format specifier of choice. To avoid this problem, a safer alternative could be rewrite this printf statement as:

printf(“%s”, arg2[1]);

Here, the format specifier, %s, is present. So, there is no scope for the attack. 

‍

Historical data

Tymm Twillman was the first person to spot the possibilities that come with input string formats in September 1999. It happened when it was actively engaged in the security audit of a ProFTPD, a C programming-based server. During his audit, he spotted a printf() function, lacking the accurate string, which caused the transmission of user-created data into the server. 

To have a better understanding of this incident, he did thorough testing of all the available print functions and concluded that a string-related loophole can lead to multiple threats. Using it, attackers can gain privilege or root access to the system can cause malfunctioning. 

‍

Damages Caused

If gone unnoticed for a longer time, an existing string format cybersecurity loophole can give birth to many threats. For example:

• Unexpected crashing of code
• Unauthorized access to stack data 
• Execution of an arbitrary code for an application
• Successful Denial of Service (DoS).

‍

Format string Vulnerabilities for Different Types of Programs

Code written in C

C accepts several types of arguments to print an output. It becomes vulnerable when a user-controlled program receives an intentional or unintentional input, breaking the code. 

Format string in C is a very common in programs. The absence of a format specifier can cause so much trouble because a hacker can take advantage of such strings and manipulate the output.

Consider this:

printf("%x%x%x%x");

There is no text but multiple format specifiers.

When such a function is executed, only the first stack and its corresponding variable are taken into consideration. Rest for %x specifiers will be processed accordingly.

Web Applications 

Web applications that contain C language modules are prone to this attack. The possibility of this attack occurring is high in web applications because the majority of the web servers are C or C++ based. So, a vulnerable code can easily pass on to a web application.

Format string in Javascript code could prove to be a trouble too. 

Additionally, PHP applications using sprintf may also trigger the sprintf format string vulnerability issue if the hacker is skilled. This loophole was also used to carry out SQL injection attacks, in the past.

Python Applications

It is not just C or C++ that is prone to this attack. Format string in Python is also very commonly seen. In fact, a well-researched technical article revealed that Python is more prone to this vulnerability as compared to C or C++. What’s worth noting here is the fact that every Python string is backed by a format() method.

For example, let’s have a code print("Directory {} contains {} files".format("Office", 32))

In this example, every {} placeholder is replaced with the format() method’s an adjacent argument. But, there is a possibility that format() can accept an object and process its attributes for completing the given format string as it’s easy. Now, let’s use DirData class and assume that the same module is carrying a global variable that is storing a secret value. 

SECRET_VALUE = "getintosystem"
class DirData:
def __init__(self):
self.name = "Office"
self.noOfFiles = 32
print("Directory {dirInfo.name} contains {dirInfo.noOfFiles} files".
format(dirInfo=DirData()))

In this case, Python objects are now able to access various internal attributes. If we string these attributes together, the possible output would be: 

The secret is: getintosystem

Measures to Prevent Format String Attacks 

For safe and secure software development, no vulnerability should be ignored. Here are a few tips to follow for its early and certainly fixation:

• Make sure that the string is not defined as an input type. It should always be defined as a program part.
• Try to use constant strings and do early extraction of variable parts.
• Format_Guard.Rare is a great preventive tool that can fix all patches to glibc and protect against various format bugs. Use it at the designing stage. 
• Promote normal use of printf function. As long as it’s used correctly, no vulnerability will be able to create havoc. 
• Use Kimchi, which is a famous binary rewriting solution. It’s designed to prevent the occurrence of string format loophole during the runtime. It monitors the machine code calls that printf receives and replaces them with the safest possible version of printf, which is safe_printf.
• Create dynamic addresses using ASLR or Address Space Layout Randomization. It’s useful to create dynamic addresses for functions, libraries, variables, and other crucial aspects. Dynamic addresses are not easy to manipulate. Hence, the odds of string-related attacks are low. 
• Never ignoring compiler warning is also a great format string attack prevention technique to try on. During the development, compilers notify the developers of the presence of vulnerable functions. A responsible developer is the one that takes this warning seriously and replaces the vulnerable function immediately with a safe version. 

‍

Ending notes 

Function strings are an essential part of C and many other key programming languages and any error or vulnerability in it will cause a huge operational error in the program. Hence, educate yourself about the possibilities and prevention techniques to minimize the damage.