Format string vulnerability
OWASP 2013-A1 OWASP 2017-A1 OWASP 2021-A3 WASC-06 WSTG-INPV-13
A format string attack is an attack through which user input is run as a command by the web application. Through this vulnerability, the attacker might run commands to extract information about the server or view the source code of the application. The attacker can also crash the application by executing malicious code that causes a segmentation fault, and more.
A format string vulnerability involves three parts:
- Format function - This includes printf, fprintf etc.
- Format string - This is the argument for the format function.
- Format string parameter - This defines the type of conversion.
A format string vulnerability is possible when the application fails to sufficiently sanitise user input. Applications that use format functions improperly are most vulnerable to this attack. The format function interprets formatting characters. Common formatting characters include %x (used to read stack data), %s (used to read process memory) and many more.
The attacker can perform this attack in the following ways:
- Enumerate Process Stack: The attacker uses %x and %p to view the stack organisation of the application. Using this method, the attacker can leak sensitive information about the server.
- Control Execution Flow: The attacker uses %n to overwrite the pointer variables used by the application. When the application calls these pointers, the pointer will send malicious code to the application.
- Denial of Service: The attacker uses %x followed by %x to crash the application and the server.
The below code is an example:-
Using the above command, the attacker can extract the usernames present in the server.
The impact of this vulnerability includes:
- Data Breach: An attacker can use commands to extract sensitive information from the application.
- Security Breach: As the attacker can execute any commands on the server, it is considered a major security breach.
- Unstable system: The attacker can make changes to the server that make it unstable.
- Attacker’s control over the web application: The attacker can use this vulnerability to make any changes to the server.
Mitigation / Precaution
Beagle recommends the following:-
- Always specify a format string as part of the program. Don’t let the application take it from input.
- Make the format string a constant wherever possible.
- Use defences like FormatGuard.
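The first two recommendations in practice, as an added C example that is not Beagle's own code: the format string stays a program constant and user input is only ever passed as data, with a small check that flags conversion directives in untrusted text. The function names `render_greeting` and `count_format_directives` and the sample input are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in untrusted text.
   "%%" is a literal percent sign and is not counted; a lone
   trailing '%' is ignored. Useful for validation or log alerts. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {      /* escaped percent: skip both */
            i++;
            continue;
        }
        if (s[i + 1] != '\0')
            count++;
    }
    return count;
}

/* VULNERABLE pattern (shown only as a comment, never compiled):
       snprintf(out, out_len, user_input);
   Here the input IS the format string, so %x, %s and %n in it
   are interpreted by the format function. */

/* Hardened: the format string is a constant and the input is data.
   Returns 0 on success, -1 on error or if the output was truncated. */
int render_greeting(char *out, size_t out_len, const char *user_input)
{
    int n = snprintf(out, out_len, "Hello, %s", user_input);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    const char *sample = "%x.%x.%p 100%% %n";   /* constructed input */
    char buf[64];

    if (render_greeting(buf, sizeof buf, sample) == 0)
        printf("%s (directives seen: %d)\n",
               buf, count_format_directives(sample));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (GCC and Clang) makes the compiler warn about the commented-out pattern wherever it appears in real code.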