SlideShare a Scribd company logo

Format string vunerability

N
nuc13us

The document discusses format string vulnerabilities, which occur when user-supplied input containing format specifiers is used without validation in functions like printf(). Format strings allow viewing process memory, crashing programs, or overwriting memory locations like the instruction pointer. While buffer overflows have thousands of exploits, format string vulnerabilities are less common but easier to find due to programmer mistakes. Exploiting format strings can lead to privilege escalation, crashes, or arbitrary code execution. Examples of past vulnerabilities are discussed.

Technology
1 of 15
Downloaded 22 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Format String Vulnerability By Rakesh P Amrita University
→ Rakesh Paruchuri (nuc13us) Security Enthusiast→ Love playing CTFs (team bi0s)→ Intern with Amrita Center→ for Cyber Security
Outline: → Background → Introduction → Format string functions → Format specifiers → How printf works? → Exploiting format string → Format string vulnerability (vs) Buffer overflow
Background What is a vulnerability ? Binary Exploitation ? ● Buffer Overflow ● Heap Overflow ● Format string and many more.. Lets go a little deep into Format String
Program in execution Executable section: TEXT – The actual code that will be executed ● Initialized data: DATA – Global variables ● Uninitialized data: BSS ● Local variables: Stack
Stack view during function calls
Stack ….... 10. push j 11. push i 12. call add 13. add esp, 0x8 …… 20. add: 21. mov eax, [esp+0x4] 22. mov ebx, [esp+0x8] 23. add eax, ebx 24. ret Stack 0XDEADCAFE Higher address Lower address
How printf works ● Printf can take variable number of arguments. – printf(<format string>,......); ● Arguments must be stored in the stack. ● Those arguments are accused through format specifiers that are given the format string. ● Format string = “%d” → assumes that there is one argument ● (“%s %d”) → two arguments
Format String Functions int printf(const char *format, ...); int fprintf(FILE *stream, const char *format, ...); int sprintf(char *str, const char *format, ...); int snprintf(char *str, size_t size, const char *format, …);
Format Specifiers Format Specifier Description Passed as %d decimal value %u Unsigned decimal value %s String reference %x hexadecimal value %n Write number of bytes written so far reference
Exploiting Format String
What format string vulnerability can lead to? ● View the process memory ● Crash a program ● Overwrite instruction pointer or process memory location with malicious data
Format String Vulnerability (vs) Buffer overflow Buffer Overflow Format string Discovered in 1980’s Discovered in 1999 Number of exploits are in thousands Number of exploits are very less Security threat Programmers mistake Difficult to find out Easy to find
Attacks on Format String: Sudo - (privilege escalation) Peanch - instant messaging program CUPS- Printing system for unix CVE-2016-4448: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers
Format string vunerability

More Related Content

PPTX
C format string vulnerability
sluge
 
PDF
2.Format Strings
phanleson
 
PPTX
miniLesson on the printf() function
Christine Wolfe
 
PPTX
Error correction-and-type-of-error-in-c
Md Nazmul Hossain Mir
 
PPTX
Control hijacking
Prachi Gulihar
 
PPT
Buffer Overflows
Sumit Kumar
 
PDF
Buffer overflow null
nullowaspmumbai
 
PDF
C programming day#1
Mohamed Fawzy
 
C format string vulnerability
sluge
 
2.Format Strings
phanleson
 
miniLesson on the printf() function
Christine Wolfe
 
Error correction-and-type-of-error-in-c
Md Nazmul Hossain Mir
 
Control hijacking
Prachi Gulihar
 
Buffer Overflows
Sumit Kumar
 
Buffer overflow null
nullowaspmumbai
 
C programming day#1
Mohamed Fawzy
 

What's hot (20)

PDF
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 
PDF
File Handling in C Programming
RavindraSalunke3
 
PDF
Common mistakes in C programming
Larion
 
PDF
Format string vunerability
Cysinfo Cyber Security Community
 
PPT
C introduction
MadhuriPareek
 
PPT
Advanced+pointers
Rubal Bansal
 
PDF
TDD in C - Recently Used List Kata
Olve Maudal
 
PPT
Mesics lecture 5 input – output in ‘c’
eShikshak
 
DOCX
Theory1&amp;2
Dr.M.Karthika parthasarathy
 
PDF
Introduction to Python Programming | InsideAIML
VijaySharma802
 
PDF
2 data and c
MomenMostafa
 
PPT
C tutorial
Khan Rahimeen
 
PPT
C
Khan Rahimeen
 
PPTX
Loops in Python
Arockia Abins
 
DOC
C operators
srmohan06
 
PPTX
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
PPT
Lecture 8- Data Input and Output
Md. Imran Hossain Showrov
 
PDF
Types of pointer in C
rgnikate
 
PPT
Unit1 C
arnold 7490
 
PPT
CPU INPUT OUTPUT
Aditya Vaishampayan
 
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 
File Handling in C Programming
RavindraSalunke3
 
Common mistakes in C programming
Larion
 
Format string vunerability
Cysinfo Cyber Security Community
 
C introduction
MadhuriPareek
 
Advanced+pointers
Rubal Bansal
 
TDD in C - Recently Used List Kata
Olve Maudal
 
Mesics lecture 5 input – output in ‘c’
eShikshak
 
Theory1&amp;2
Dr.M.Karthika parthasarathy
 
Introduction to Python Programming | InsideAIML
VijaySharma802
 
2 data and c
MomenMostafa
 
C tutorial
Khan Rahimeen
 
C
Khan Rahimeen
 
Loops in Python
Arockia Abins
 
C operators
srmohan06
 
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
Lecture 8- Data Input and Output
Md. Imran Hossain Showrov
 
Types of pointer in C
rgnikate
 
Unit1 C
arnold 7490
 
CPU INPUT OUTPUT
Aditya Vaishampayan
 
Ad

Viewers also liked (7)

ODP
Format string Attack
icchy
 
PPTX
CTFを楽しむやで
Takeru Ujinawa
 
PDF
シェル芸初心者によるシェル芸入門 (修正版)
icchy
 
PDF
Summary of "Hacking", 0x351-0x354
Taku Miyakawa
 
PDF
Trend Micro CTF Asia Pacific & Japan -defensive100-
boropon
 
PDF
CTF初心者🔰
icchy
 
PDF
CTF for ビギナーズ バイナリ講習資料
SECCON Beginners
 
Format string Attack
icchy
 
CTFを楽しむやで
Takeru Ujinawa
 
シェル芸初心者によるシェル芸入門 (修正版)
icchy
 
Summary of "Hacking", 0x351-0x354
Taku Miyakawa
 
Trend Micro CTF Asia Pacific & Japan -defensive100-
boropon
 
CTF初心者🔰
icchy
 
CTF for ビギナーズ バイナリ講習資料
SECCON Beginners
 
Ad

Similar to Format string vunerability (20)

PPTX
C programming language tutorial
javaTpoint s
 
PPTX
C_Progragramming_language_Tutorial_ppt_f.pptx
maaithilisaravanan
 
PPT
Security related security analyst ppt.ppt
MubeenaBegum11
 
PPTX
dinoC_ppt.pptx
DinobandhuThokdarCST
 
PPTX
Buffer overflow
Evgeni Tsonev
 
DOCX
C tutorial
Chukka Nikhil Chakravarthy
 
PPTX
C Programming Language
RTS Tech
 
PDF
Software Security
Roman Oliynykov
 
PPTX
Rust Hack
Viral Parmar
 
ODP
BufferOverflow - Offensive point of View
Toe Khaing
 
PPT
2. Data, Operators, IO.ppt
swateerawat06
 
PDF
2010.hari_kannan.phd_thesis.slides.pdf
AlexKarasulu1
 
PPTX
20101017 program analysis_for_security_livshits_lecture03_security
Computer Science Club
 
PPTX
PVS-Studio, a solution for resource intensive applications development
OOO "Program Verification Systems"
 
PDF
Getting Started with C Programming: A Beginner’s Guide to Syntax, Variables, ...
Akhil Nair R
 
PDF
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Codemotion
 
PPT
Fundamental of C Programming Language and Basic Input/Output Function
imtiazalijoono
 
PPTX
A Comprehensive Guide to C Programing Basics, Variable Declarations, Input/O...
Muhammad Khubaib Awan
 
PPT
Stream Based Input Output
Bharat17485
 
PDF
Secure Coding Practices for Middleware
Manuel Brugnoli
 
C programming language tutorial
javaTpoint s
 
C_Progragramming_language_Tutorial_ppt_f.pptx
maaithilisaravanan
 
Security related security analyst ppt.ppt
MubeenaBegum11
 
dinoC_ppt.pptx
DinobandhuThokdarCST
 
Buffer overflow
Evgeni Tsonev
 
C tutorial
Chukka Nikhil Chakravarthy
 
C Programming Language
RTS Tech
 
Software Security
Roman Oliynykov
 
Rust Hack
Viral Parmar
 
BufferOverflow - Offensive point of View
Toe Khaing
 
2. Data, Operators, IO.ppt
swateerawat06
 
2010.hari_kannan.phd_thesis.slides.pdf
AlexKarasulu1
 
20101017 program analysis_for_security_livshits_lecture03_security
Computer Science Club
 
PVS-Studio, a solution for resource intensive applications development
OOO "Program Verification Systems"
 
Getting Started with C Programming: A Beginner’s Guide to Syntax, Variables, ...
Akhil Nair R
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Codemotion
 
Fundamental of C Programming Language and Basic Input/Output Function
imtiazalijoono
 
A Comprehensive Guide to C Programing Basics, Variable Declarations, Input/O...
Muhammad Khubaib Awan
 
Stream Based Input Output
Bharat17485
 
Secure Coding Practices for Middleware
Manuel Brugnoli
 

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
KodekX | Application Modernization Development
KodekX
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Approach and Philosophy of On baking technology
30anthuong17
 

Format string vunerability

  • 2. → Rakesh Paruchuri (nuc13us) Security Enthusiast→ Love playing CTFs (team bi0s)→ Intern with Amrita Center→ for Cyber Security
  • 3. Outline: → Background → Introduction → Format string functions → Format specifiers → How printf works? → Exploiting format string → Format string vulnerability (vs) Buffer overflow
  • 4. Background What is a vulnerability ? Binary Exploitation ? ● Buffer Overflow ● Heap Overflow ● Format string and many more.. Lets go a little deep into Format String
  • 5. Program in execution Executable section: TEXT – The actual code that will be executed ● Initialized data: DATA – Global variables ● Uninitialized data: BSS ● Local variables: Stack
  • 6. Stack view during function calls
  • 7. Stack ….... 10. push j 11. push i 12. call add 13. add esp, 0x8 …… 20. add: 21. mov eax, [esp+0x4] 22. mov ebx, [esp+0x8] 23. add eax, ebx 24. ret Stack 0XDEADCAFE Higher address Lower address
  • 8. How printf works ● Printf can take variable number of arguments. – printf(<format string>,......); ● Arguments must be stored in the stack. ● Those arguments are accused through format specifiers that are given the format string. ● Format string = “%d” → assumes that there is one argument ● (“%s %d”) → two arguments
  • 9. Format String Functions int printf(const char *format, ...); int fprintf(FILE *stream, const char *format, ...); int sprintf(char *str, const char *format, ...); int snprintf(char *str, size_t size, const char *format, …);
  • 10. Format Specifiers Format Specifier Description Passed as %d decimal value %u Unsigned decimal value %s String reference %x hexadecimal value %n Write number of bytes written so far reference
  • 12. What format string vulnerability can lead to? ● View the process memory ● Crash a program ● Overwrite instruction pointer or process memory location with malicious data
  • 13. Format String Vulnerability (vs) Buffer overflow Buffer Overflow Format string Discovered in 1980’s Discovered in 1999 Number of exploits are in thousands Number of exploits are very less Security threat Programmers mistake Difficult to find out Easy to find
  • 14. Attacks on Format String: Sudo - (privilege escalation) Peanch - instant messaging program CUPS- Printing system for unix CVE-2016-4448: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers