Format string vulnerabilities <hackeve>

Before reading, please note: this article is by no means a complete introduction to the topic. It only serves as an introduction to the hackeve we're hosting this time.

To understand format string vulnerabilities, we first need to know what a format string is.

What is a format string?

"The format string is written in a simple template language, and specifies a method for rendering an arbitrary number of varied data type parameters into a string." (from Wikipedia)

If you have ever coded in a C-like language, you have almost certainly used format strings before.

printf("We can render strings using %s, and even integers using %d", string, integer);

It should be pretty clear what the above statement does. It generates a string according to the "format" given as the first parameter, using the data provided in the remaining arguments.

printf is very trusting by nature. It assumes a few things:

  • The format is valid.
  • Each format specifier has a corresponding argument. That is, if you do:

    printf("We can render strings using %s, and even integers using %d", string, integer);

    there is a string argument for the %s and an integer argument for the %d.
  • The data provided matches the specifier it is rendered with.

If you go and try to run:

printf("We can render strings using %s, and even integers using %d");

that is, without the data we provided in the previous statement, printf will still go and pop the next two entries off the stack, where it expects its arguments to be, assume the first one is a string and the second an integer, and try its best to show you their values.
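As an added illustration (this is example code written for this post, not from the original article), here is the mistake described above next to its fix, plus a small helper a reviewer could use to count the conversion directives an untrusted string would introduce if it were ever used as a format. The function names and the sample input are my own.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: untrusted data is passed as the format itself.
 * If msg contains "%x" or "%s", printf reads the places where its
 * arguments would be (the stack on 32-bit x86) even though none were
 * passed. gcc -Wformat-security flags this line with
 * "format not a string literal and no format arguments". */
void log_vulnerable(const char *msg)
{
    printf(msg);  /* BUG: msg is interpreted as a format string */
}

/* Fixed pattern: the format is a constant and the untrusted data is an
 * argument matched to %s, so a '%' inside msg is just a character. */
void log_fixed(const char *msg)
{
    printf("%s", msg);
}

/* Review/detection helper: count the conversion directives a string would
 * introduce if it were (mis)used as a format. "%%" is a literal percent
 * sign and is not counted. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Render msg through the fixed path into a caller-supplied buffer.
 * Returns the number of bytes written, or -1 if it would not fit. */
int render_fixed(char *out, size_t outlen, const char *msg)
{
    int r = snprintf(out, outlen, "%s", msg);
    if (r < 0 || (size_t)r >= outlen)
        return -1;
    return r;
}

/* Returns 1 if the fixed path reproduces msg byte for byte, i.e. no
 * directive inside msg was interpreted. */
int fixed_path_preserves(const char *msg)
{
    char buf[256];
    if (render_fixed(buf, sizeof buf, msg) < 0)
        return 0;
    return strcmp(buf, msg) == 0;
}

int main(void)
{
    /* Constructed sample input: text a user might type into a program
     * whose logging goes through the vulnerable function above. */
    const char *untrusted = "hello %x %x %s";

    printf("directives in input: %d\n", count_directives(untrusted));
    printf("fixed path prints  : ");
    log_fixed(untrusted);
    printf("\nround-trip intact  : %d\n", fixed_path_preserves(untrusted));
    /* log_vulnerable(untrusted) is deliberately not called: with no
     * arguments supplied, its behaviour is undefined. */
    return 0;
}
```

The practical rule this shows is simple: the format string must always be a literal under the programmer's control, and anything that comes from outside is passed as an argument. Compiling with -Wformat -Wformat-security (gcc and clang) catches the vulnerable version at build time.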

What the heck am I talking about? Show up at the hackeve at 6PM, 4th November 2015 and I'll explain more about it there. We'll learn what a stack really is, how printf and other format string functions use the stack, and how this vulnerability can be used to read, write and execute arbitrary data. Looking forward to seeing you all there!

If you can't wait and are interested in reading more about it, I suggest going through the first few pages of scut's paper on format strings here.