In this article we will learn about Input Validation: Format Strings Attack.

Information about Format Strings Attack:

In languages ​​like C and C++, printf-style statements are often prone to a problem called format string attacks. Functions like printf, sprint, fprintf and so on are called formatting functions. The behavior of these functions is defined by the format string. A format string vulnerability occurs when user-supplied input is evaluated as part of a command. For example, an attacker can enter characters such as %x as part of the input data, and when the Format function parses them, the conversion will occur as specified.

However, the Format function expects arguments that match this, but reads from the stack if none are supplied. Thus, by sending the generated input vectors, an attacker can exploit this issue to read values ​​from the stack, write values ​​to the stack, read values ​​of memory addresses, and so on. In this lab, we will have a sample C program that is vulnerable to the Format Strings attack and how it can be exploited to display stack values, write stack values, and so on.

Virtual machines required: Kali Linux VM.

Step 1: Create the Example.c file

From your Kali Linux VM, open a terminal and type the command below:

This will open a text editor. Now enter the C source code below and save the file to any location (say desktop)
with a .c extension.

include

include

int main(int argc, char *argv[])

{

char ex[1024];

strcpy(ex,argv[1]);

printf(“You wrote:”);

printf(ex);

printf(“n”);

}

The program above simply reads the input string and displays it back to the user. When running the program, enter any random value as an argument.

Step 2: Compile Run the program

To compile and run the C program, use the commands below as shown in the following screenshot:

This command invokes the GNU C compiler to compile Example.c and output the result (-o) to an executable named Example.

Step 3: Using the format string

Stack Display: The “%x” format parameter can be used to read data from the stack. If this is provided as input, instead of displaying it, the program will run it and display the value from the stack as shown in the following screenshot.

Displaying addresses on the stack: It is important to note here that printf accepts a variable number of arguments. Uses format strings to specify the number of arguments. By exploiting this advantage, an attacker can pass “%p %p %p %p %p %p %p %p %p %p” and trick the compiler into thinking it has ten arguments. In this case, it would simply print ten more addresses onto the stack, assuming they are its arguments, as shown below:

• To write values to a particular memory location: Enter AAAA followed by any number of %x as input and observe the response.

Please note that 41414141 is the hexadecimal representation of AAAA. Note that this value is displayed after eight addresses on the stack. So in this case we passed any value (41414141) as input. To simplify this further, we can use a different notation used in C.

For example, we can do printf(“%$x”) and choose any argument for printf.

Now, instead of reading, we can write the values ​​to the location, just by substituting $x in the $n location above. In other words, if we passed the string AAAA%2$n, we would write the value to the 2nd address. We can enter any input and write it in the selected location. Please note that the value that will be written will be the number of characters entered so far. For example, as shown in the screenshot below, by changing the length of the input, observe that the value at the 2nd address also changes.

In other words, we can write arbitrary values ​​to arbitrary memory locations. This is extremely dangerous because it allows an attacker to override important flags that can control access permissions. Using this technique, attackers can also override return addresses, function pointers, etc.

Changing the values ​​of variables: This can be done using the “%n” directive. This directive allows values ​​to be written to memory. The number of characters written so far is stored in the integer indicated by the pointer argument int * (or variant). To understand this, create an Example.c program with the C code below:

include

int main(int argc, char *argv[])

{

int b;

char ex[1024];

strcpy(ex,argv[1]);

printf(“%s%nn”, ex, &b);

printf(“Value of b now= %dn”, b);

printf(“n”);

}

As you can see, the variable “b” initially contains no value. Let’s compile and run this program to see the result:

It is clear from the above output that the value of b is controlled by the number of characters we enter. Calling printf() will display the string “Rorot” which contains 5 characters. Another format %n writes this value to the variable “b”. Using the %n character, an attacker can therefore write values ​​to memory.

Related article:BIOS/UEFI Forensics:Firmware Acquisition and Analysis Appr0aches

Fix: The format string vulnerability is due to confusion on the part of the format functions in understanding the supplied arguments. Therefore, it is recommended to validate the supplied input to ensure that it does not contain any arbitrary commands or characters. Also, remember to specify the exact number of arguments with the argument type. To solve the problem exploited in the above examples, just add “%s” to the printf function as shown below:

include

int main(int argc, char *argv[])

{

char ex[1024];

strcpy(ex,argv[1]);

printf(“You wrote:”);

printf(“%s”, ex);

printf(“n”);

}

Now compile and run the above code to see the result.