Structure: Simple
Abstraction: Base
Status: Draft
Likelihood of Exploit: High
The software uses a function that accepts a format string as an argument, but the format string originates from an external source.
When an attacker can modify an externally-controlled format string, this can lead to buffer overflows, denial of service, or data representation problems.
It should be noted that in some circumstances, such as internationalization, the set of format strings is externally controlled by design. If the source of these format strings is trusted (e.g. only contained in library files that are only modifiable by the system administrator), then the external control might not itself pose a vulnerability.
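The check a practitioner wants for the internationalization case described above, as an added example that is not part of the CWE entry: before an externally loaded translation is used as a format string, verify that it consumes exactly the same sequence of argument types as the trusted reference template and contains no %n. The scanner `extract_conversions()`, the `format_compatible()` helper and the `format_greeting()` caller are my own constructions, and the English reference message and its French translation are made-up sample input. Positional directives (`%1$s`) and `*` widths are rejected deliberately, since both change which argument a directive consumes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Records the length modifier and conversion character of every directive in
   fmt (e.g. "sd" for "Hello %s, %d messages", "zu" for "%zu"). Returns the
   count, or -1 if the string is malformed, uses %n, or uses a form we refuse
   from an untrusted catalog (positional "%1$s" and "*" widths/precisions).
   "%%" is a literal and is ignored. */
static int extract_conversions(const char *fmt, char *out, size_t outsz)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                                   /* literal percent */
        while (*p && strchr("-+ #0'", *p))              /* flags */
            p++;
        while (isdigit((unsigned char)*p))              /* width */
            p++;
        if (*p == '.') {                                /* precision */
            p++;
            while (isdigit((unsigned char)*p))
                p++;
        }
        while (*p && strchr("hlLqjzt", *p)) {           /* length modifier */
            if ((size_t)n + 1 >= outsz)
                return -1;
            out[n++] = *p++;
        }
        /* Truncated string, %n, '*', '$' or an unknown conversion: reject. */
        if (*p == '\0' || *p == 'n' || !strchr("diouxXeEfFgGaAcsp", *p))
            return -1;
        if ((size_t)n + 1 >= outsz)
            return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return n;
}

/* An untrusted format is acceptable only if it consumes exactly the same
   sequence of argument types as the trusted reference. Returns 1 or 0. */
static int format_compatible(const char *reference, const char *candidate)
{
    char a[32], b[32];
    int na = extract_conversions(reference, a, sizeof a);
    int nb = extract_conversions(candidate, b, sizeof b);
    return na >= 0 && nb >= 0 && strcmp(a, b) == 0;
}

/* Caller side: the translated string (loaded from a catalog an attacker might
   influence) is used only if it passes the check; otherwise the built-in
   reference is used. Returns the format that was actually used. */
static const char *format_greeting(char *out, size_t outsz,
                                   const char *translated,
                                   const char *name, int count)
{
    static const char reference[] = "Hello %s, you have %d messages";
    const char *fmt = format_compatible(reference, translated) ? translated
                                                               : reference;
    snprintf(out, outsz, fmt, name, count);
    return fmt;
}

int main(void)
{
    char buf[128];
    /* Constructed inputs: a genuine translation and a hostile "translation". */
    const char *used = format_greeting(buf, sizeof buf,
                                       "Bonjour %s, vous avez %d messages",
                                       "ana", 3);
    printf("%s  (format used: %s)\n", buf, used);
    used = format_greeting(buf, sizeof buf, "%x %x %x %n", "ana", 3);
    printf("%s  (format used: %s)\n", buf, used);
    return 0;
}
```

The signature compares length modifiers as well as conversion characters, so `%d` and `%ld` are treated as different: on most ABIs they pull different argument sizes, and a mismatch is undefined behaviour even without %n.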
Nature | CWE ID | View ID | Ordinal |
---|---|---|---|
ChildOf | 668 | 1000 | Primary |
ChildOf | 668 | 1003 | Primary |
ChildOf | 668 | 699 | Primary |
CanPrecede | 123 | 1000 | |
ChildOf | 20 | 700 | Primary |

Languages: C (Often), C++ (Often), Perl (Rarely)
Scope | Impact | Notes |
---|---|---|
Confidentiality | Read Memory | Format string problems allow for information disclosure, which can severely simplify exploitation of the program. |
Integrity, Confidentiality, Availability | Execute Unauthorized Code or Commands | Format string problems can result in the execution of arbitrary code. |
According to SOAR, the following detection techniques may be useful:
Strategy:
Choose a language that is not subject to this flaw.
Strategy:
Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the correct number of arguments is always passed to that function as well. If at all possible, use functions that do not support the %n directive in format strings. [REF-116] [REF-117]
Strategy:
Heed the warnings of compilers and linkers, since they may alert you to improper usage.
The following program prints a string provided as an argument.
(bad code) Example language: C
The example is exploitable because the call to printf() inside printWrapper() uses the caller-supplied string as the format string. Note: the stack buffer was added only to make exploitation simpler.
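The fix that the mitigations above prescribe, shown as an added example rather than the CWE entry's own listing: a `printWrapper()`-style helper that hands external data to snprintf() as the format string, beside a hardened version whose format is a literal and which carries GCC/Clang's `format` attribute so the compiler type-checks every call site (these are the warnings the third mitigation says to heed). `print_wrapper_vulnerable()`, `log_fmt()`, `print_wrapper_fixed()` and the `PRINTF_LIKE` macro are my names; the `"%x %x %x %n"` input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Portable spelling of the GCC/Clang format attribute. With it, the compiler
   checks arguments against the format at each call site, and -Wformat-security
   flags callers that pass a non-literal format with no arguments. */
#if defined(__GNUC__) || defined(__clang__)
#define PRINTF_LIKE(fmt_idx, first_arg) \
    __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define PRINTF_LIKE(fmt_idx, first_arg)
#endif

/* The shape of the vulnerable wrapper from the text: whatever the caller hands
   over becomes the format string. Kept for contrast only; on benign input it
   behaves, which is why this bug survives testing. */
static int print_wrapper_vulnerable(char *out, size_t outsz, const char *string)
{
    return snprintf(out, outsz, string);            /* BUG: CWE-134 */
}

/* Hardened: the format string is a literal chosen by the programmer, and the
   attribute lets the compiler check log_fmt()'s own callers. */
PRINTF_LIKE(3, 4)
static int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* External data travels only as a %s argument, so any directives it contains
   are copied literally and never interpreted. */
static int print_wrapper_fixed(char *out, size_t outsz, const char *string)
{
    return log_fmt(out, outsz, "%s", string);
}

int main(int argc, char **argv)
{
    char buf[256];
    /* Constructed hostile input; pass your own as argv[1]. */
    const char *s = argc > 1 ? argv[1] : "%x %x %x %n";
    print_wrapper_fixed(buf, sizeof buf, s);
    printf("%s\n", buf);                    /* echoes the directives literally */
    return 0;
}
```

Compile with `-Wall -Wformat=2` (or at least `-Wformat-security`) and the vulnerable wrapper is reported at build time; many distributions turn that warning into an error for packaged software.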
The following code copies a command line argument into a buffer using snprintf().
(bad code) Example language: C
This code allows an attacker to view the contents of the stack, and to write to memory, using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted (in this example, the function takes no arguments to be formatted, so every directive consumes a value that was never meant for it). With the %n formatting directive the attacker can also write: snprintf() stores the number of bytes output so far into the location that the corresponding argument points to (unlike the other directives, which only read their arguments), and once the directives outrun the real arguments that "argument" is whatever value sits on the stack. A sophisticated version of this attack uses four staggered writes to completely control the value of a pointer on the stack.
Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:
(bad code) Example language: C
This code produces the following output:
5 9 5 5
It is also possible to use half-writes (%hn) to accurately control arbitrary DWORDs in memory, which greatly reduces the complexity of an attack that would otherwise require four staggered writes, such as the one described in the previous example.
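An added example (not the CWE entry's listing) that reproduces the quoted `5 9 5 5` output and models the %hn half-write primitive the text describes, in well-defined C. The targets are variables we pass ourselves rather than stack slots reached by over-consuming arguments, so it runs safely on any POSIX libc (glibc, musl, macOS); the read-side `%x` leak is not modelled because that is undefined behaviour. The positional demo uses only `%k$` directives, which POSIX defines, whereas mixing `%d` with `%1$d` in one string, as the glibc-specific listing does, is accepted by glibc but not guaranteed. `positional_demo()`, `assemble_with_half_writes()` and the target values are my constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* "%k$" names which argument a directive reads: the "choose where to read"
   power the text describes. Produces "5 9 5 5" for (5, 9). */
static int positional_demo(char *out, size_t outsz)
{
    return snprintf(out, outsz, "%1$d %2$d %1$d %1$d", 5, 9);
}

/* Assembles an arbitrary 32-bit value from two 16-bit %hn writes in a single
   format string. %n-family directives store "bytes output so far", so the
   attacker chooses each value through the padding width emitted before the
   %hn. Here both targets are legitimate locals; a real attack aims the two %hn
   at the halves of a pointer already on the stack (return address, GOT slot). */
static uint32_t assemble_with_half_writes(uint32_t want)
{
    short lo = 0, hi = 0;                  /* stand-ins for the two pointer halves */
    unsigned want_lo = want & 0xFFFFu;
    unsigned want_hi = want >> 16;

    /* Output only grows, so the smaller half must be written first. */
    int lo_first = want_lo <= want_hi;
    unsigned first  = lo_first ? want_lo : want_hi;
    unsigned second = lo_first ? want_hi : want_lo;
    short *p1 = lo_first ? &lo : &hi;
    short *p2 = lo_first ? &hi : &lo;

    /* Padding before each %hn. The count must advance, so a half of 0 or two
       equal halves need a full 65536 bytes, which wraps to the same 16 bits. */
    unsigned w1 = first ? first : 65536u;
    unsigned w2 = second > first ? second - first : 65536u;

    size_t need = (size_t)w1 + w2 + 1;     /* the padding has to land somewhere */
    char *sink = malloc(need);
    if (!sink)
        return 0xFFFFFFFFu;
    /* "%*d" with value 0 emits exactly `width` bytes for width >= 1. */
    snprintf(sink, need, "%*d%hn%*d%hn", (int)w1, 0, p1, (int)w2, 0, p2);
    free(sink);
    return ((uint32_t)(uint16_t)hi << 16) | (uint16_t)lo;
}

int main(void)
{
    char out[32];
    positional_demo(out, sizeof out);
    printf("%s\n", out);
    printf("0x%08x\n", assemble_with_half_writes(0xdeadbeefu));
    return 0;
}
```

The ordering step (smaller half first, then the difference) is the whole trick behind "two half-writes instead of four staggered writes": each %hn only ever sees a running total, so the attacker sequences the writes so that total mod 2^16 lands on each desired half in turn.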
Identifier | Description | Link |
---|---|---|
CVE-2002-1825 | format string in Perl program | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1825 |
CVE-2001-0717 | format string in bad call to syslog function | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0717 |
CVE-2002-0573 | format string in bad call to syslog function | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0573 |
CVE-2002-1788 | format strings in NNTP server responses | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1788 |
CVE-2006-2480 | Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2480 |
CVE-2007-2027 | Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2027 |
Applicable Platform:
Other:
Research Gap: Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Format string vulnerability |
7 Pernicious Kingdoms | | | Format String |
CLASP | | | Format string problem |
CERT C Secure Coding | FIO30-C | Exact | Exclude user input from format strings |
CERT C Secure Coding | FIO47-C | CWE More Specific | Use valid format strings |
OWASP Top Ten 2004 | A1 | CWE More Specific | Unvalidated Input |
WASC | 6 | | Format String |
The CERT Oracle Secure Coding Standard for Java (2011) | IDS06-J | | Exclude user input from format strings |
SEI CERT Perl Coding Standard | IDS30-PL | Exact | Exclude user input from format strings |
Software Fault Patterns | SFP24 | | Tainted input to command |
OMG ASCSM | ASCSM-CWE-134 | | |