SlideShare a Scribd company logo

Format string vunerability

N
nuc13us

The document discusses format string vulnerabilities, which occur when user-supplied input containing format specifiers is used without validation in functions like printf(). Format strings allow viewing process memory, crashing programs, or overwriting memory locations like the instruction pointer. While buffer overflows have thousands of exploits, format string vulnerabilities are less common but easier to find due to programmer mistakes. Exploiting format strings can lead to privilege escalation, crashes, or arbitrary code execution. Examples of past vulnerabilities are discussed.

Technology
1 of 15
Downloaded 22 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Format String Vulnerability By Rakesh P Amrita University
→ Rakesh Paruchuri (nuc13us) Security Enthusiast→ Love playing CTFs (team bi0s)→ Intern with Amrita Center→ for Cyber Security
Outline: → Background → Introduction → Format string functions → Format specifiers → How printf works? → Exploiting format string → Format string vulnerability (vs) Buffer overflow
Background What is a vulnerability ? Binary Exploitation ? ● Buffer Overflow ● Heap Overflow ● Format string and many more.. Lets go a little deep into Format String
Program in execution Executable section: TEXT – The actual code that will be executed ● Initialized data: DATA – Global variables ● Uninitialized data: BSS ● Local variables: Stack
Stack view during function calls
Stack ….... 10. push j 11. push i 12. call add 13. add esp, 0x8 …… 20. add: 21. mov eax, [esp+0x4] 22. mov ebx, [esp+0x8] 23. add eax, ebx 24. ret Stack 0XDEADCAFE Higher address Lower address
How printf works ● Printf can take variable number of arguments. – printf(<format string>,......); ● Arguments must be stored in the stack. ● Those arguments are accused through format specifiers that are given the format string. ● Format string = “%d” → assumes that there is one argument ● (“%s %d”) → two arguments
Format String Functions int printf(const char *format, ...); int fprintf(FILE *stream, const char *format, ...); int sprintf(char *str, const char *format, ...); int snprintf(char *str, size_t size, const char *format, …);
Format Specifiers Format Specifier Description Passed as %d decimal value %u Unsigned decimal value %s String reference %x hexadecimal value %n Write number of bytes written so far reference
Exploiting Format String
What format string vulnerability can lead to? ● View the process memory ● Crash a program ● Overwrite instruction pointer or process memory location with malicious data
Format String Vulnerability (vs) Buffer overflow Buffer Overflow Format string Discovered in 1980’s Discovered in 1999 Number of exploits are in thousands Number of exploits are very less Security threat Programmers mistake Difficult to find out Easy to find
Attacks on Format String: Sudo - (privilege escalation) Peanch - instant messaging program CUPS- Printing system for unix CVE-2016-4448: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers
Format string vunerability

More Related Content

PPTX
C format string vulnerability
sluge
 
PDF
2.Format Strings
phanleson
 
PPTX
miniLesson on the printf() function
Christine Wolfe
 
PPTX
Error correction-and-type-of-error-in-c
Md Nazmul Hossain Mir
 
PPTX
Control hijacking
Prachi Gulihar
 
PPT
Buffer Overflows
Sumit Kumar
 
PDF
Buffer overflow null
nullowaspmumbai
 
PDF
C programming day#1
Mohamed Fawzy
 
C format string vulnerability
sluge
 
2.Format Strings
phanleson
 
miniLesson on the printf() function
Christine Wolfe
 
Error correction-and-type-of-error-in-c
Md Nazmul Hossain Mir
 
Control hijacking
Prachi Gulihar
 
Buffer Overflows
Sumit Kumar
 
Buffer overflow null
nullowaspmumbai
 
C programming day#1
Mohamed Fawzy
 

What's hot (20)

PDF
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 
PDF
File Handling in C Programming
RavindraSalunke3
 
PDF
Common mistakes in C programming
Larion
 
PDF
Format string vunerability
Cysinfo Cyber Security Community
 
PPT
C introduction
MadhuriPareek
 
PPT
Advanced+pointers
Rubal Bansal
 
PDF
TDD in C - Recently Used List Kata
Olve Maudal
 
PPT
Mesics lecture 5 input – output in ‘c’
eShikshak
 
DOCX
Theory1&amp;2
Dr.M.Karthika parthasarathy
 
PDF
Introduction to Python Programming | InsideAIML
VijaySharma802
 
PDF
2 data and c
MomenMostafa
 
PPT
C tutorial
Khan Rahimeen
 
PPT
C
Khan Rahimeen
 
PPTX
Loops in Python
Arockia Abins
 
DOC
C operators
srmohan06
 
PPTX
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
PPT
Lecture 8- Data Input and Output
Md. Imran Hossain Showrov
 
PDF
Types of pointer in C
rgnikate
 
PPT
Unit1 C
arnold 7490
 
PPT
CPU INPUT OUTPUT
Aditya Vaishampayan
 
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 
File Handling in C Programming
RavindraSalunke3
 
Common mistakes in C programming
Larion
 
Format string vunerability
Cysinfo Cyber Security Community
 
C introduction
MadhuriPareek
 
Advanced+pointers
Rubal Bansal
 
TDD in C - Recently Used List Kata
Olve Maudal
 
Mesics lecture 5 input – output in ‘c’
eShikshak
 
Theory1&amp;2
Dr.M.Karthika parthasarathy
 
Introduction to Python Programming | InsideAIML
VijaySharma802
 
2 data and c
MomenMostafa
 
C tutorial
Khan Rahimeen
 
C
Khan Rahimeen
 
Loops in Python
Arockia Abins
 
C operators
srmohan06
 
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
Lecture 8- Data Input and Output
Md. Imran Hossain Showrov
 
Types of pointer in C
rgnikate
 
Unit1 C
arnold 7490
 
CPU INPUT OUTPUT
Aditya Vaishampayan
 
Ad

Viewers also liked (7)

ODP
Format string Attack
icchy
 
PPTX
CTFを楽しむやで
Takeru Ujinawa
 
PDF
シェル芸初心者によるシェル芸入門 (修正版)
icchy
 
PDF
Summary of "Hacking", 0x351-0x354
Taku Miyakawa
 
PDF
Trend Micro CTF Asia Pacific & Japan -defensive100-
boropon
 
PDF
CTF初心者🔰
icchy
 
PDF
CTF for ビギナーズ バイナリ講習資料
SECCON Beginners
 
Format string Attack
icchy
 
CTFを楽しむやで
Takeru Ujinawa
 
シェル芸初心者によるシェル芸入門 (修正版)
icchy
 
Summary of "Hacking", 0x351-0x354
Taku Miyakawa
 
Trend Micro CTF Asia Pacific & Japan -defensive100-
boropon
 
CTF初心者🔰
icchy
 
CTF for ビギナーズ バイナリ講習資料
SECCON Beginners
 
Ad

Similar to Format string vunerability (20)

PDF
Format string
Vu Review
 
PPTX
Format String Attack
Mayur Mallya
 
PPTX
[MOSUT] Format String Attacks
Aj MaChInE
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
Sam Bowne
 
PDF
CNIT 127: 4: Format string bugs
Sam Bowne
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
PDF
CNIT 127: Ch 4: Introduction to format string bugs
Sam Bowne
 
PDF
Exploitation Crash Course
UTD Computer Security Group
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
PPT
Buffer OverFlow
Rambabu Duddukuri
 
DOCX
C tutoria input outputl
berhe gebrezgiabher
 
PPTX
Format String
Wei-Bo Chen
 
PDF
4 text file
hasan Mohammad
 
PDF
Advanced Arm Exploitation
Himanshu Khokhar Jaat
 
PDF
MANAGING INPUT AND OUTPUT OPERATIONS IN C MRS.SOWMYA JYOTHI.pdf
SowmyaJyothi3
 
PDF
Introduction to Input/Output Functions in C
Thesis Scientist Private Limited
 
PPTX
Introduction about Low Level Programming using C
PadmavathiKPSGCAS
 
PDF
Chapter 13.1.10
patcha535
 
PPTX
ARRAY's in C Programming Language PPTX.
MSridhar18
 
Format string
Vu Review
 
Format String Attack
Mayur Mallya
 
[MOSUT] Format String Attacks
Aj MaChInE
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
Sam Bowne
 
CNIT 127: 4: Format string bugs
Sam Bowne
 
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
CNIT 127: Ch 4: Introduction to format string bugs
Sam Bowne
 
Exploitation Crash Course
UTD Computer Security Group
 
CNIT 127 Ch 4: Introduction to format string bugs
Sam Bowne
 
Buffer OverFlow
Rambabu Duddukuri
 
C tutoria input outputl
berhe gebrezgiabher
 
Format String
Wei-Bo Chen
 
4 text file
hasan Mohammad
 
Advanced Arm Exploitation
Himanshu Khokhar Jaat
 
MANAGING INPUT AND OUTPUT OPERATIONS IN C MRS.SOWMYA JYOTHI.pdf
SowmyaJyothi3
 
Introduction to Input/Output Functions in C
Thesis Scientist Private Limited
 
Introduction about Low Level Programming using C
PadmavathiKPSGCAS
 
Chapter 13.1.10
patcha535
 
ARRAY's in C Programming Language PPTX.
MSridhar18
 

Recently uploaded (20)

PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Approach and Philosophy of On baking technology
30anthuong17
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 

Format string vunerability

  • 2. → Rakesh Paruchuri (nuc13us) Security Enthusiast→ Love playing CTFs (team bi0s)→ Intern with Amrita Center→ for Cyber Security
  • 3. Outline: → Background → Introduction → Format string functions → Format specifiers → How printf works? → Exploiting format string → Format string vulnerability (vs) Buffer overflow
  • 4. Background What is a vulnerability ? Binary Exploitation ? ● Buffer Overflow ● Heap Overflow ● Format string and many more.. Lets go a little deep into Format String
  • 5. Program in execution Executable section: TEXT – The actual code that will be executed ● Initialized data: DATA – Global variables ● Uninitialized data: BSS ● Local variables: Stack
  • 6. Stack view during function calls
  • 7. Stack ….... 10. push j 11. push i 12. call add 13. add esp, 0x8 …… 20. add: 21. mov eax, [esp+0x4] 22. mov ebx, [esp+0x8] 23. add eax, ebx 24. ret Stack 0XDEADCAFE Higher address Lower address
  • 8. How printf works ● Printf can take variable number of arguments. – printf(<format string>,......); ● Arguments must be stored in the stack. ● Those arguments are accused through format specifiers that are given the format string. ● Format string = “%d” → assumes that there is one argument ● (“%s %d”) → two arguments
  • 9. Format String Functions int printf(const char *format, ...); int fprintf(FILE *stream, const char *format, ...); int sprintf(char *str, const char *format, ...); int snprintf(char *str, size_t size, const char *format, …);
  • 10. Format Specifiers Format Specifier Description Passed as %d decimal value %u Unsigned decimal value %s String reference %x hexadecimal value %n Write number of bytes written so far reference
  • 12. What format string vulnerability can lead to? ● View the process memory ● Crash a program ● Overwrite instruction pointer or process memory location with malicious data
  • 13. Format String Vulnerability (vs) Buffer overflow Buffer Overflow Format string Discovered in 1980’s Discovered in 1999 Number of exploits are in thousands Number of exploits are very less Security threat Programmers mistake Difficult to find out Easy to find
  • 14. Attacks on Format String: Sudo - (privilege escalation) Peanch - instant messaging program CUPS- Printing system for unix CVE-2016-4448: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers