C Formatted Output Functions

C Formatted Output Functions
Vulnerabilities, Attacks, and Mitigation

Prof. David Bernstein
James Madison University

Computer Science Department

bernstdh@jmu.edu

Missing Parameter Vulnerability

The Nature of the Vulnerability:
- The formatted output functions assume that the caller obeys the contract about variadic functions
The Nature of the Attack:
- Violate the contract
The Nature of the Harm:
- Confidentiality
- Availability
- Providing a vector for other attacks

Missing Parameter Vulnerability (cont.)

A Look at printf():
- printf() uses the number of conversion specifications in the format string to determine the number of actual parameters
The Nature of the Attack Revisited:
- Include more conversion specifications than parameters
An Example of Inappropriately Trusted User Input:
- printf(user_data, total)
Another Attack Vector:
- Internationalization/localization systems often store format strings in files (e.g., because the order in which things are printed and the symbols used vary by locale) which can be compromised during other attacks

Missing Parameter Vulnerability (cont.)

A Confidentiality Example - Viewing the Stack:
- printf("%p"); (where "%p" is the pointer specifier)
Understanding the Vulnerability:
- va_start() uses the last fixed parameter (i.e., the format string) for initialization
- va_arg() increments the pointer and returns an address on the stack
An Aside:
- As students, we can use this vulnerabiltiy to view the contents of the stack to understand what is going on in other examples

Missing Parameter Vulnerability (cont.)

Consider the statement printf("%s", p);
- This statement will display the contents of memory (as an ASCII string) starting at the address in p and continuing until a '\0' is encountered
What About printf("%s");
Exploiting the Vulnerability:
- Create a format string that contains the address you want to view

Missing Parameter Vulnerability (cont.)

A Confidentiality Example from Seacord (2013):
- printf("\xdc\xf5\x42\x01%x%x%x%s", 1, 2, 3);
Memory (Win32, Little Endian):
Output:
- The ASCII literal \xdc
- The ASCII literal \xf5
- The ASCII literal \x42 (B)
- The ASCII literal \x01
- 00000001
- 00000002
- 00000003
- The contents of address 0x0142f5dc up until the first '\0'

Missing Parameter Vulnerability (cont.)

An Availability Example:
- printf("%s%s%s%s%s%s%s%s%s%s%s%s");
Understanding the Attack:
- With a long enough format string, there will almost certainly be an invalid pointer access or unmapped address (causing a SIGSEGV signal or abnormal termination) after the last '\0' character

%n Vulnerability

Recall:
- The %n conversion specifier writes the number of characters the address provided as an argument
- It is useful in aligning strings
An Example of Use:
- printf("JMU%n", (int *)& i);
- i will contain the value 3
Nature of the Harm:
- The integrity of memory can be compromised

Mitigation

Avoid the use of dynamic format strings
Exclude user input from dynamic format strings
- Or sanitize it and annotate it (e.g., using as tainted) if you can't completely exclude it
Don't use %n
- Unfortnately, legacy code often uses it so it can't be "disabled" completely
Use the precision to restrict the number of bytes written
- Or sanitize it if you can't completely exclude it

Mitigation (cont.)

Use C++ I/O if possible
- It is type safe and more secure than C I/O
Use any compiler checks that are available
- -Wformat checks the number of parameters
- -Wformat-nonliteral checks the format strings that are not literals
Use static binary analysis tools if possible
- For example, check the binary code to ensure that the correct number of parameters are passed