I have been working on input validation vulnerabilities and am very new to Uncontrolled Format String vulnerabilities; as far as I have learned, they are usually exploited through printf functions with "%".

I also saw that JavaScript (Node.JS) supports format strings by using sprintf functions.

Is it possible to perform format string attacks in JavaScript? The CWE entry only mentions that it is rarely seen in Perl and often in C and C++. If it is possible, are there any examples or sources I can look at?

I tried a simple example myself, but it ended up with the error: expecting number but found string "Bob"

    // Assumes the sprintf-js package, whose error message matches the one above
    var sprintf = require('sprintf-js').sprintf;
    var val = "Bob";
    // %x expects a number; passing a string makes sprintf throw
    console.log(sprintf('The %x ran around the tree', val));

I am not sure if I am doing it right; any help would be great.

Thanks in advance

AviD
Ekin

1 Answer

No, these are not possible in Node.js as sprintf is a basic string formatting utility. This is now built into the language as util.format.

As per the documentation, this function only supports basic formatting such as %s, %d and %j. There is no way of retrieving a pointer value using %p, hex formatting it using %x, or outputting the number of characters written using %n, which is where the vulnerability lies in C. The C documentation on the formatting options is here.

C is a native language, so it is possible to cause a buffer overflow using string format. However, Node.js is a managed language and it is not possible to directly control registers, therefore you won't get the same type of vulnerabilities here.

See here for some format string exploit examples.

SilverlightFox