
C Formatted Output Functions
Vulnerabilities, Attacks, and Mitigation


Prof. David Bernstein
James Madison University

Computer Science Department
bernstdh@jmu.edu

Missing Parameter Vulnerability
  • The Nature of the Vulnerability:
    • The formatted output functions assume that the caller obeys the contract about variadic functions
  • The Nature of the Attack:
    • Violate the contract
  • The Nature of the Harm:
    • Confidentiality
    • Availability
    • Providing a vector for other attacks
Missing Parameter Vulnerability (cont.)
  • A Look at printf():
    • printf() uses the number of conversion specifications in the format string to determine the number of actual parameters
  • The Nature of the Attack Revisited:
    • Include more conversion specifications than parameters
  • An Example of Inappropriately Trusted User Input:
    • printf(user_data, total)
  • Another Attack Vector:
    • Internationalization/localization systems often store format strings in files (e.g., because the order in which things are printed and the symbols used vary by locale) which can be compromised during other attacks
Missing Parameter Vulnerability (cont.)
  • A Confidentiality Example - Viewing the Stack:
    • printf("%p"); (where "%p" is the pointer specifier)
  • Understanding the Vulnerability:
    • va_start() uses the last fixed parameter (i.e., the format string) for initialization
    • va_arg() increments the pointer and returns an address on the stack
  • An Aside:
    • As students, we can use this vulnerability to view the contents of the stack to understand what is going on in other examples
Missing Parameter Vulnerability (cont.)
  • Consider the statement printf("%s", p);
    • This statement will display the contents of memory (as an ASCII string) starting at the address in p and continuing until a '\0' is encountered
  • What About printf("%s");
    • va_arg() returns the value on the stack below the address of the fixed parameter
    • That value will be treated like an address and the contents (up to the first '\0') will be printed
  • Exploiting the Vulnerability:
    • Create a format string that contains the address you want to view
Missing Parameter Vulnerability (cont.)
  • A Confidentiality Example from Seacord (2013):
    • printf("\xdc\xf5\x42\x01%x%x%x%s", 1, 2, 3);
  • Memory (Win32, Little Endian):
    • (Figure: stack layout for this call; image not reproduced here)
  • Output:
    • The ASCII literal \xdc
    • The ASCII literal \xf5
    • The ASCII literal \x42 (B)
    • The ASCII literal \x01
    • 00000001
    • 00000002
    • 00000003
    • The contents of address 0x0142f5dc up until the first '\0'
Missing Parameter Vulnerability (cont.)
  • An Availability Example:
    • printf("%s%s%s%s%s%s%s%s%s%s%s%s");
  • Understanding the Attack:
    • With a long enough format string, there will almost certainly be an invalid pointer access or unmapped address (causing a SIGSEGV signal or abnormal termination) after the last '\0' character
%n Vulnerability
  • Recall:
    • The %n conversion specifier writes the number of characters output so far to the address provided as an argument
    • It is useful in aligning strings
  • An Example of Use:
    • printf("JMU%n", (int *)&i);
    • i will contain the value 3
  • Nature of the Harm:
    • The integrity of memory can be compromised
Mitigation
  • Avoid the use of dynamic format strings
  • Exclude user input from dynamic format strings
    • Or sanitize it and annotate it (e.g., as tainted) if you can't completely exclude it
  • Don't use %n
    • Unfortunately, legacy code often uses it, so it can't be "disabled" completely
  • Use the precision to restrict the number of bytes written
    • Or sanitize it if you can't completely exclude it
Mitigation (cont.)
  • Use C++ I/O if possible
    • It is type safe and more secure than C I/O
  • Use any compiler checks that are available
    • -Wformat checks the number of parameters
    • -Wformat-nonliteral checks the format strings that are not literals
  • Use static binary analysis tools if possible
    • For example, check the binary code to ensure that the correct number of parameters are passed
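An added example, not from the slides, covering both the locale-file attack vector (format strings loaded from files) and the mitigation bullets above: a checker that counts the arguments a format string will consume and rejects %n, and a wrapper that refuses to call vprintf() unless that count matches what the caller actually passes. The names skip_width, count_conversions and checked_printf, and the hostile input in main(), are this example's own constructions.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Width or precision field: digits, or '*', which consumes an int argument. */
static const char *skip_width(const char *p, int *count)
{
    for (; isdigit((unsigned char)*p) || *p == '*'; p++)
        if (*p == '*')
            (*count)++;
    return p;
}
/* Number of arguments fmt consumes, or -1 if fmt is malformed or uses %n. */
int count_conversions(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%' || *++p == '%')          /* skip plain text and "%%" */
            continue;
        while (*p != '\0' && strchr("-+ #0", *p)) p++;     /* flags */
        p = skip_width(p, &count);
        if (*p == '.')                         /* precision */
            p = skip_width(p + 1, &count);
        while (*p != '\0' && strchr("hlLqjzt", *p)) p++;   /* length modifiers */
        if (*p == '\0' || *p == 'n' || !strchr("diouxXeEfFgGaAcsp", *p))
            return -1;                         /* lone '%', %n or unknown conversion */
        count++;
    }
    return count;
}
/* Print with fmt only when it consumes exactly nargs arguments; otherwise
 * print nothing and return -1, so a bad fmt never reads past the arguments. */
int checked_printf(int nargs, const char *fmt, ...)
{
    va_list ap;
    if (count_conversions(fmt) != nargs)
        return -1;
    va_start(ap, fmt);
    int n = vprintf(fmt, ap);
    va_end(ap);
    return n;
}
int main(void)
{   /* constructed hostile input, as in the slides' printf(user_data, total) */
    const char *user_data = "%p %p %p %s";
    if (checked_printf(1, user_data, 42) < 0)  /* rejected: 4 conversions != 1 */
        printf("%s\n", user_data);             /* hardened: input is data only */
    return 0;
}
```

The check is a complement to -Wformat, not a replacement: the compiler can only verify literal format strings, while this runs on strings that arrive at run time.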
There's Always More to Learn