format string %n vulnerability
Results 1 to 7 of 7

Thread: format string %n vulnerability

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    236

    format string %n vulnerability

    Ive been reading some safe programming techniques and theres a section on fromat strings.
    basically is says that keep format strings like this out



    printf(user);
    //where user was supplied by the user from the command line

    it says this can be expoitable or crashable with %n

    Ive never really used the %n can someone tell me what that is and how that could make a program exploitable
    That which does not kill me makes me stronger -- Friedrich Nietzche

  2. #2
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    Google Search "%n programming vulnerability"

    http://lists.suse.com/archives/suse-...-Sep/0030.html
    The mentally handicaped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  3. #3
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    well I actually did search google already and did not get what I wanted. The problem with google is that when I put %n it doesnt respect the the % I even tried "%n" or "\%n" but I get a ton of google pages with just \n

    So thats kinda why I posted here

    maybe my question should have been using google how do i make sure the string '%n' is searched for
    also I looked at the man page for printf and theres really nothing about %n

    Also Im not just looking for what the vulnerablity is but also about what %n does with printf
    That which does not kill me makes me stronger -- Friedrich Nietzche

  4. #4
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    This is a PDF white paper touting FormatGuard, but it contains some good information on Printf vulnerabilities.

    http://www.immunix.org/formatguard.pdf
    The mentally handicaped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  5. #5
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    This is a fairly complex exploit method, but alas I will attempt to get to the crux of the matter. The "%n" format string writes the number of bytes already printed to a variable, which in itself is not a bad thing but this is the meat of a pure format string vuln. Without the "%n" or combining a format vuln with another technique (standard overflow) you are limited to reading memory only, granted you can read just about ANY memory you want which is pretty disasterous already but the "%n" actually WRITES to an address which is placed on the stack as a parameter (yipee!) and allows a savy coder to perform some very ingenious trickery in order to write the desired data to an arbitrary location in memory (of course writting to unmapped memory wont turn out well.). Of course this isnt the only format parameter used, the others %d %s %x %u are all used to adjust the stack pointer according to the coders purpose by abusing how format strings and their parameters are stored on the stack.

    -Maestr0

    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  6. #6
    even though i have used printf often, i didn't realize there are vulnerabilities..
    hmm.. i think i'll try to explore it.. thanks for da info..

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    You should probably read this paper by team Teso.
    Also check out this post by The_Jinx.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •