Bug Classes/Format string injection

From Linux Kernel Security Subsystem
(Difference between revisions)

Previous revision summary: (Created page with "= Details = When an attacker supplied string is accidentally passed to format string parsing, the attacker can manipulate the resulting output. The write primitive available ...")

Current revision summary: (Examples)

Line 4 (old) / Line 4 (new):

  = Examples =
+ * [http://seclists.org/oss-sec/2013/q2/510 injection via block layer]
  = Mitigations =
Latest revision as of 22:29, 12 April 2016

Details

When an attacker-supplied string is accidentally passed as the format argument to a printf-style function, the attacker controls how it is parsed and can manipulate the resulting output. The write primitive is the %n specifier, which writes to memory; all the other conversion specifiers only read, so they lead to information leaks.
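The following is an added example (not code from this wiki or from the kernel) showing the bug class in userspace C: a logging helper that passes its caller's string straight through as the format, the hardened form that keeps the format constant, and a small audit helper that reports whether a string would be interpreted as carrying format directives. The input is constructed and uses only the well-defined "%%" directive, so the parsing difference is visible without the undefined behaviour of %x or %n.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the caller's string becomes the format itself, so every '%'
 * directive in it is parsed: conversions such as %x read arguments that were
 * never supplied (leak), and %n writes to memory. gcc -Wformat-security
 * warns here ("format not a string literal and no format arguments"). */
static int log_vulnerable(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);
}

/* HARDENED: the format is a constant; msg is only ever a %s argument. */
static int log_hardened(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Audit helper: true if s, used as a format, would contain any directive
 * other than the literal "%%" (a trailing lone '%' counts as a directive). */
static bool has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') {
            p++;            /* skip the escaped pair */
            continue;
        }
        return true;
    }
    return false;
}

int main(void)
{
    /* Constructed input: "%%" is consumed by the parser in the vulnerable
     * path but echoed verbatim by the hardened one. */
    const char *msg = "50%% done";
    char buf[64];

    log_vulnerable(buf, sizeof buf, msg);
    printf("vulnerable: %s\n", buf);   /* 50% done */
    log_hardened(buf, sizeof buf, msg);
    printf("hardened:   %s\n", buf);   /* 50%% done */
    printf("audit: has directive = %d\n", has_format_directive(msg));
    return 0;
}
```

Wrappers that forward a format argument to vsnprintf and friends need `__attribute__((format(printf, ...)))` for -Wformat-security to follow the format through them.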

Examples

  • injection via block layer (http://seclists.org/oss-sec/2013/q2/510)
Mitigations

  • Eliminate the use of %n
  • Detect non-const format strings at compile time (e.g. gcc's -Wformat-security)
  • Detect non-const format strings at run time (e.g. the memory location checking of %n formats done with glibc's -D_FORTIFY_SOURCE=2)