CWE-134: Use of Externally-Controlled Format String

CWE-134: Use of Externally-Controlled Format String | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following program prints a string provided as an argument.

Vulnerable example

#include <stdio.h>

The example is exploitable, because of the call to printf() in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple.

The following code copies a command line argument into a buffer using snprintf().

Vulnerable example

int main(int argc, char **argv){

This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.

Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:

Vulnerable example

printf("%d %d %1$d %1$d\n", 5, 9);

This code produces the following output: 5 9 5 5 It is also possible to use half-writes (%hn) to accurately control arbitrary DWORDS in memory, which greatly reduces the complexity needed to execute an attack that would otherwise require four staggered writes, such as the one mentioned in a separate example.

CWE-134: Use of Externally-Controlled Format String

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Black Box

Automated Static Analysis - Binary or Bytecode

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Automated Results Interpretation

Dynamic Analysis with Manual Results Interpretation

Manual Static Analysis - Source Code

Automated Static Analysis - Source Code

Architecture or Design Review

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-134?

What CVEs are caused by CWE-134?

Is CWE-134 part of the OWASP Top 10?

How do you prevent CWE-134?

How is CWE-134 detected?

What are the consequences of CWE-134?

Is CWE-134 actively exploited?

References

Stay ahead of CWE-134

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Black Box

Automated Static Analysis - Binary or Bytecode

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Automated Results Interpretation

Dynamic Analysis with Manual Results Interpretation

Manual Static Analysis - Source Code

Automated Static Analysis - Source Code

Architecture or Design Review

Code examples

Illustrative examples

Related weaknesses

Parent

Can precede

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-134?

What CVEs are caused by CWE-134?

Is CWE-134 part of the OWASP Top 10?

How do you prevent CWE-134?

How is CWE-134 detected?

What are the consequences of CWE-134?

Is CWE-134 actively exploited?

References

Stay ahead of CWE-134