If an attacker passes a format string consisting of printf conversion
characters (e.g. %f, %p, %n, etc.) as a parameter value to the web
application, they may:
   Execute arbitrary code on the server
   Read values off the stack
   Cause segmentation faults / software crashes
Example
Let's assume that a web application has a parameter
emailAddress, dictated by the user. The application prints the
value of this variable by using the printf function:
printf(emailAddress);
If the value sent to the emailAddress parameter contains
conversion characters, printf will parse the conversion characters
and use the additionally supplied corresponding arguments. If no
such arguments actually exist, data from the stack will be used in
accordance with the order expected by the printf function.
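The following is an added example, not part of the original WASC text: it shows the hardened counterpart of printf(emailAddress), where the format string is a constant and the untrusted value is bound to %s, plus a small defensive check that counts conversion directives in an incoming value so such input can be flagged in logs or filters. The function names and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: a value an untrusted emailAddress parameter
   could carry. Under the hardened form below the %x/%n sequences are
   rendered as literal text, not interpreted as conversion directives. */
static const char SAMPLE_INPUT[] = "user@example.com%x%x%n";

/* Hardened form of printf(emailAddress): the format string is a constant
   and the user-controlled value is the single %s argument, so printf
   never parses conversion characters found inside it. Renders into a
   caller-supplied buffer; returns characters written, or -1 on
   truncation or error so callers cannot silently lose output. */
int render_email(const char *email, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "Email: %s", email);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

/* Defensive check for logging/filtering: counts '%' sequences that printf
   would treat as conversions if the value ever reached a format argument.
   An escaped "%%" denotes a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent sign: skip the pair */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    int written = render_email(SAMPLE_INPUT, buf, sizeof buf);
    printf("%s (%d chars written, %d directives in input)\n",
           buf, written, count_format_directives(SAMPLE_INPUT));
    return 0;
}
```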
The possible uses of the Format String Attacks in such a case can
be:
   Read data from the stack: If the output stream of the printf
function is presented back to the attacker, he may read values
on the stack by sending the conversion character %x (one or
more times).
   Read character strings from the process' memory: If the output
stream of the printf function is presented back to the attacker,
he can read character strings at arbitrary memory locations by
Copyright 2004, Web Application Security Consortium. All rights reserved.