Format String Attacks

Format String Attacks alter the flow of an application by using string formatting library features to access other memory space. Vulnerabilities occur when user-supplied data are used directly as formatting string input for certain C/C++ functions (e.g. fprintf, printf, sprintf, setproctitle, syslog, ...).

If an attacker passes a format string consisting of printf conversion characters (e.g. "%f", "%p", "%n", etc.) as a parameter value to the web application, they may:

- Execute arbitrary code on the server
- Read values off the stack
- Cause segmentation faults / software crashes


Example
Let's assume that a web application has a parameter emailAddress, supplied by the user. The application prints the value of this variable by using the printf function: printf(emailAddress); If the value sent to the emailAddress parameter contains conversion characters, printf will parse the conversion characters and use the additionally supplied corresponding arguments. If no such arguments actually exist, data from the stack will be used in accordance with the order expected by the printf function.

Possible uses of a Format String Attack in such a case are:

- Read data from the stack: If the output stream of the printf function is presented back to the attacker, he may read values on the stack by sending the conversion character "%x" (one or more times).
- Read character strings from the process' memory: If the output stream of the printf function is presented back to the attacker, he can read character strings at arbitrary memory locations by using the "%s" conversion character (and other conversion characters in order to reach specific locations).
- Write an integer to locations in the process' memory: By using the "%n" conversion character, an attacker may write an integer value to any location in memory. (E.g. overwrite important program flags that control access privileges, or overwrite return addresses on the stack, etc.)
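
The fix for the printf(emailAddress) case above is to keep the format string constant and pass the input only as data. The following is an added example, not code from the original page: the function names render_email and count_conversions are hypothetical, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern described above (kept as a comment, never compiled):
 *     printf(emailAddress);        input is parsed as the format string   */

/* Hardened form: the format is a constant and the input is only data.
 * Returns the number of bytes written, or -1 if `out` was too small. */
int render_email(char *out, size_t outlen, const char *emailAddress)
{
    int n = snprintf(out, outlen, "%s", emailAddress);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Detection aid: count printf conversion specifications in untrusted input.
 * "%%" is a literal percent sign. *has_n is set when "%n" (a memory write)
 * is present. Use for logging and alerting, not as the fix itself. */
int count_conversions(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                        /* step past '%' */
        if (*s == '%') { s++; continue; }           /* "%%" literal */
        s += strspn(s, "-+ #0'123456789.*$hlLjzt"); /* flags/width/length */
        if (*s != '\0' && strchr("diouxXeEfFgGaAcspn", *s)) {
            count++;
            if (*s == 'n') *has_n = 1;
            s++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample values for the emailAddress parameter. */
    const char *samples[] = { "alice@example.com", "%x.%x.%x", "%08x%n", "100%%" };
    char out[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int has_n, c = count_conversions(samples[i], &has_n);
        render_email(out, sizeof out, samples[i]);
        printf("specs=%d %%n=%d rendered=%s\n", c, has_n, out);
    }
    return 0;
}
```

Compiling with -Wformat -Wformat-security (GCC and Clang) flags calls such as printf(emailAddress) at build time, which catches the pattern before it ships.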


COPYRIGHT (C) 2000 - 2013 InfoSecPro.com ALL RIGHTS RESERVED