Difference between revisions of "Bug Classes/Format string injection"
Page creation summary: "= Details = When an attacker supplied string is accidentally passed to format string parsing, the attacker can manipulate the resulting output. The write primitive available ..."

Diff at Line 4 (Examples section): an earlier revision listed
* [http://seclists.org/oss-sec/2013/q2/510 injection via block layer]
under = Examples =; the latest revision leaves that section empty. The = Mitigations = heading is unchanged.
Latest revision as of 22:29, 12 April 2016
Details
When an attacker-supplied string is accidentally passed as the format argument of a printf-family function (printf(buf) instead of printf("%s", buf)), the attacker chooses which conversions run and so controls the resulting output. The only write primitive is the %n specifier: it stores the number of bytes emitted so far into the int pointed to by its matching argument, and with an attacker-controlled format that argument is whatever the function finds in the register or stack slot where the next argument would normally be. All the other specifiers lead to information leaks (%x and %p dump argument slots; %s dereferences one as a pointer, which leaks memory or crashes the process).
Examples
Mitigations
- Eliminate the use of %n (audit for legitimate uses and rewrite them; this closes the write primitive only, the remaining specifiers still leak)
- detect non-const format strings at compile time (e.g. gcc's -Wformat-security, which warns on calls such as printf(buf); -Werror=format-security turns the warning into a build failure)
- detect non-const format strings at run time (e.g. the checks in glibc's fortified printf variants enabled with -D_FORTIFY_SOURCE=2 at -O1 or higher: the process is aborted if a %n directive is found in a format string that lives in writable memory, and positional %N$ parameters that skip arguments are rejected)
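As an added example (not code from the wiki page), the program below puts the vulnerable and fixed forms of the logging call from the Details section side by side, shows with a literal format what %n actually writes and how a width field sets the value, and implements two small run-time guards that complement the compiler and glibc checks listed above: escaping '%' in text that has to cross a format-consuming API, and counting the directives printf would act on. The logger names, the attacker string and the buffer sizes are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable: the untrusted text becomes the format string. Input such as
 * "%x %x %x" makes printf read arguments the caller never supplied, and
 * "%n" makes it write. gcc -Wformat-security flags this call. */
void log_event_vulnerable(const char *untrusted)
{
    printf(untrusted);           /* BAD: untrusted data used as format */
}

/* Fixed: the format is a literal and the untrusted text is plain data. */
void log_event_fixed(const char *untrusted)
{
    printf("%s", untrusted);     /* GOOD */
}

/* %n mechanics, shown with a literal format (the only place a legitimate
 * %n belongs): it stores the number of bytes emitted so far into the int
 * the matching pointer argument points to. The width of the preceding %*x
 * sets that number, which is how an attacker who controls the format picks
 * the value written once the pointer argument has been steered as well. */
int value_written_by_n(int width)
{
    char scratch[512];
    int count = -1;
    /* snprintf keeps counting as if the buffer were unbounded */
    snprintf(scratch, sizeof scratch, "%*x%n", width, 0, &count);
    return count;
}

/* Run-time guard for text that must pass through a format-consuming API you
 * do not control (a hypothetical third-party logger, for instance): double
 * every '%' so the result carries no conversion directive.
 * Returns the number of bytes written, or -1 if the output would not fit. */
int escape_percent(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (o + need >= out_size)
            return -1;           /* no room for the bytes plus the NUL */
        out[o++] = *p;
        if (*p == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return (int)o;
}

/* Check usable in tests or a fuzzer harness: count the directives printf
 * would act on in an untrusted string ("%%" is a literal percent sign). */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {       /* "%%": skip the escaped pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* constructed sample of attacker input: three reads, then a write */
    const char *attacker = "user=%x %x %x %n";
    char safe[64];

    log_event_fixed(attacker);   /* prints the text verbatim */
    putchar('\n');
    printf("directives in attacker input: %d\n", count_directives(attacker));
    printf("%%n after %%*x with width 65 wrote: %d\n", value_written_by_n(65));
    if (escape_percent(attacker, safe, sizeof safe) > 0)
        printf("escaped: %s\n", safe);
    /* log_event_vulnerable(attacker) is deliberately never called: with no
     * matching arguments its behaviour is undefined, which is the bug. */
    return 0;
}
```

Compile once with `gcc -Wformat-security` to see the warning on log_event_vulnerable, then with `-O2 -D_FORTIFY_SOURCE=2` to get the fortified printf; the literal formats used here are in read-only memory, so the %n in value_written_by_n is accepted, whereas the same directive arriving through log_event_vulnerable would abort the process.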