Format String Attacks
Outline
◼ What Is a Format String
◼ Format Functions
◼ Ellipsis and va_args
◼ Summary
◼ Using Format Strings
◼ Format Tokens
◼ Types of Format Specifiers
◼ Summary
◼ Format String Vulnerability
◼ Abusing Format Strings
◼ Reading Memory
◼ Writing to Memory
◼ Summary
◼ Finding Format String Bugs
◼ FlawFinder
What Is a Format String
• printf("username:%s,userID:%d", str, ID)
  ↑ The quoted first argument is the format string
• The number of arguments is variable
Format Functions

Format function   Description
fprintf           Writes the printf output to a file
printf            Outputs a formatted string
sprintf           Prints into a string
snprintf          Prints into a string, checking the length
vfprintf          Prints a va_arg structure to a file
vprintf           Prints the va_arg structure to stdout
vsprintf          Prints the va_arg to a string
vsnprintf         Prints the va_arg to a string, checking the length
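An added example (not from the original slides) that ties the table to the printf call shown earlier: a variadic wrapper forwards its arguments to vsnprintf, the length-checked va_arg variant, and untrusted text is passed as a %s argument rather than as the format string. The names format_record and describe_user and the sample input are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the slides): formats into a fixed buffer.
 * Returns 0 on success, 1 if the output was truncated, -1 on error. */
static int format_record(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);                  /* ap walks the arguments after fmt */
    n = vsnprintf(out, outsz, fmt, ap); /* length-checked v* variant */
    va_end(ap);

    if (n < 0)
        return -1;
    /* n is the length the full output needed, excluding the terminator */
    return (size_t)n >= outsz ? 1 : 0;
}

/* Untrusted text goes in as a %s argument, never as the format string,
 * so any '%' it contains is copied literally instead of being interpreted. */
static int describe_user(char *out, size_t outsz, const char *name, int id)
{
    return format_record(out, outsz, "username:%s,userID:%d", name, id);
}

int main(void)
{
    char buf[64], small[16];
    /* Constructed sample input that happens to contain format tokens. */
    const char *name = "alice%x%x";
    int rc;

    rc = describe_user(buf, sizeof buf, name, 1001);
    printf("rc=%d -> %s\n", rc, buf);

    /* Same call into a buffer that is too small: output is cut, rc is 1. */
    rc = describe_user(small, sizeof small, name, 1001);
    printf("rc=%d -> %s\n", rc, small);
    return 0;
}
```

The return value of vsnprintf is what distinguishes a complete record from a truncated one; sprintf and vsprintf from the table give no such signal because they do not take a buffer size.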