using the %s conversion character (and other conversion characters to reach specific locations).
Write an integer to locations in the process's memory: by using the %n conversion character, an attacker may write an integer value to any location in memory (e.g. overwrite important program flags that control access privileges, or overwrite return addresses on the stack).
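The two capabilities above both come from one coding mistake: untrusted text reaches the format argument of a printf-family function. The following C example is added here to illustrate the point; it is not code from the WASC document. It shows the bug pattern as a comment, the corrected call (the untrusted text is passed only as a data argument of a fixed "%s" format, so any conversion characters in it are copied literally), and a small defender-side helper that counts the directives an untrusted string would introduce, useful when reviewing logs or validating input. The function names `safe_format` and `count_conversions` and the sample input are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* BUG PATTERN (do not use): untrusted text passed as the format string.
 *
 *     snprintf(out, n, user_input);
 *
 * Every %x, %s or %n in user_input is then interpreted by the formatting
 * routine, which is exactly the read/write behaviour described above.   */

/* FIX: untrusted text is only ever a data argument of a fixed format.
 * Conversion characters inside it are stored verbatim, never interpreted. */
int safe_format(char *out, size_t n, const char *user_input)
{
    return snprintf(out, n, "%s", user_input);
}

/* Defensive check: how many conversion directives would this string
 * introduce if it ever reached a format argument? "%%" is the escape for
 * a literal percent sign and is not counted. */
int count_conversions(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%', skip both bytes */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[64];
    const char *sample = "%x%x%x%n";   /* constructed sample input */

    safe_format(buf, sizeof buf, sample);
    printf("stored literally: %s\n", buf);
    printf("directives found in input: %d\n", count_conversions(sample));
    printf("directives in \"100%% done\": %d\n",
           count_conversions("100%% done"));
    return 0;
}
```

The `count_conversions` value is what you would log or alert on; a non-zero count for data that is only ever meant to be a data argument is harmless, but a non-zero count for data that an old code path might still pass as a format string is a finding. Compiling with `-Wformat-security` (GCC and Clang) flags the bug pattern at build time.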
References
(Maybe) the first publicly known format string exploit
http://archives.neohapsis.com/archives/bugtraq/1999-q3/1009.html
Analysis of format string bugs, by Andreas Thuemmel
http://downloads.securityfocus.com/library/format-bug-analysis.pdf
Format string input validation error in wu-ftpd site_exec() function
http://www.kb.cert.org/vuls/id/29823
4.3 LDAP Injection
LDAP Injection is an attack technique used to exploit web sites that construct LDAP statements from user-supplied input.
Lightweight Directory Access Protocol (LDAP) is an open standard protocol for both querying and manipulating X.500 directory services. The LDAP protocol runs over Internet transport protocols such as TCP. Web applications may use user-supplied input to create custom LDAP statements for dynamic web page requests.
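The point where an LDAP statement is built from user input is where the injection happens. The C example below is added here and is not code from the WASC document. It contrasts a filter builder that concatenates the raw value with one that first escapes the RFC 4515 filter metacharacters (`*`, `(`, `)` and `\`) as `\XX` hex sequences, so that metacharacters in the input remain data and cannot change the shape of the filter. The function names and the constructed sample value are this example's own assumptions; NUL is also a metacharacter under RFC 4515 but cannot occur inside a C string, so it is not handled here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a newly allocated copy of `value` with the RFC 4515 filter
 * metacharacters '*', '(', ')' and '\' replaced by their "\XX" escapes.
 * The caller frees the result. Returns NULL on allocation failure. */
char *ldap_escape_filter_value(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte escaped */
    if (!out)
        return NULL;
    char *o = out;
    for (const char *p = value; *p; p++) {
        switch (*p) {
        case '*':  memcpy(o, "\\2a", 3); o += 3; break;
        case '(':  memcpy(o, "\\28", 3); o += 3; break;
        case ')':  memcpy(o, "\\29", 3); o += 3; break;
        case '\\': memcpy(o, "\\5c", 3); o += 3; break;
        default:   *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* VULNERABLE: the raw value is spliced into the filter template, so
 * metacharacters in it become part of the filter's structure.
 * Returns 0 on success, -1 if the buffer was too small. */
int build_uid_filter_unsafe(char *out, size_t n, const char *uid)
{
    int w = snprintf(out, n, "(uid=%s)", uid);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* FIXED: the value is escaped first; the filter always keeps exactly the
 * one (uid=...) assertion the template defines.
 * Returns 0 on success, -1 on allocation failure or truncation. */
int build_uid_filter_safe(char *out, size_t n, const char *uid)
{
    char *escaped = ldap_escape_filter_value(uid);
    if (!escaped)
        return -1;
    int w = snprintf(out, n, "(uid=%s)", escaped);
    free(escaped);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

int main(void)
{
    char filter[128];
    const char *sample = "*)(uid=*";   /* constructed sample input */

    build_uid_filter_unsafe(filter, sizeof filter, sample);
    printf("unsafe: %s\n", filter);    /* structure altered by the input */
    build_uid_filter_safe(filter, sizeof filter, sample);
    printf("safe:   %s\n", filter);    /* metacharacters stay literal */
    return 0;
}
```

A quick check that the safe builder behaves as intended is to count the parentheses in the result: for this template it always contains exactly one `(` and one `)`, whatever the input, whereas the unsafe builder's output inherits whatever the input contained.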
When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction of an LDAP statement. When an attacker is able to modify an LDAP statement, the process will run with the same permissions as the component that executed the command (e.g. database server, web application server, web server). This can cause serious security problems
Copyright 2004, Web Application Security Consortium. All rights reserved.