Questions tagged [format-string]

The format string in functions like printf specifies how an arbitrary number of parameters of varying data types are rendered into a string.

printf("The desired number is %d", 2014);

format string = The desired number is %d

Format string vulnerabilities can be used to view process memory, dump the stack, and read from or write to arbitrary memory addresses.


Are there any security concerns to using Python f-strings with user input?

Background A while ago I started using F strings in Python but remembered seeing some security concerns with using them with user input so I have made a point of not using them for those situations. Question Are there security concerns to using…
MikeSchem

Can I do a String Format Exploit for x64 systems?

I was trying to replicate the experiment in Gray Hat Hacking - Third Edition, Chapter 12, about Format String Exploits, but their architecture is IA32, while mine is AMD 64bits. Therefore when I check for values in stack with commands like: $…
Fernando Pérez

PHP sprintf vulnerability?

On some sites such as WriteCodeOnline, sprintf, vsprintf and other related formatted string functions are disabled for security reasons: Warning: vsprintf() has been disabled for security reasons on line 1 I'm wondering what these security reasons…
rink.attendant.6

What kind of bugs can be found by dumb fuzzing a desktop app?

I'm just starting out to learn about fuzzing and have made a dumb fuzzer that changes several random bytes in a pdf file to random values, opens it and detects if Acrobat Reader has crashed. What types of bugs can I expect to find using such a…
pineappleman

Will Intel's MPX extension make C/C++ completely safe to use?

This is apparently an extension that will eliminate buffer overflow and format string vulnerabilities in C/C++ programs, I would guess by providing hardware support for, e.g. converting scanf to fgets automatically, or something along those lines. …
Zen Hacker

Help with Format String Exploit

I am working on a 32-bit binary which reads an input from the user and uses that input as a format string for printf. I need to overwrite a specific address with a single byte. The issue is that I am not able to overwrite the address with the…
Neon Flash

Overwrite return address with a format string vulnerability without gdb

I am trying to exploit a format string in a vulnerable program. For information, it is lab4A of the RPIsec course. NX protection and ASLR are disabled but the program is FULL RELRO. So my idea is to overwrite the return address to execute my…
salt

CSAW 2012 challenge2 can't get shell out side of gdb

I tried to solve this problem. I found an FSB at 0x08048bfe in _snprintf. I loaded the shellcode via \n. The ssc function checks whether the user input includes /bin/sh. Most shellcode includes /bin/sh. I found that the ssc function only checks the string before \n. I used…
Damotorie

A runtime sometimes converts string arguments (or string returns) from WTF-16 to UTF-16 between functions in a call stack. Is this a security concern?

Suppose that we have this code (in TypeScript syntax): function one(str: string): string { // do something with the string return str } function two() { let s = getSomeString() // returns some unknown string that may contain surrogates s =…

Does StackGuard prevent Format String Attacks

I am aware that Format String Attacks work by having a vulnerable function which allows the user to read values from the stack using %x and write by using %n. Since one of the goals of a Format String Attack can be to overwrite the address of a…
IamOptimus

How to Leak Addresses with Format String Exploits

By playing various wargames I noticed that I kept on getting stuck on format strings vulnerabilities, so I decided to step back and relearn them from scratch. In the process I realized that I couldn't explain to myself why we can read / write to…
shxdow

Segmentation fault trying to exploit printf vulnerability

I am trying to learn more about printf vulnerability. I understand the theory but I am unable to put it into practice. TL;DR All my attempts to write a single byte into memory result in a Segmentation fault. What is the most likely reason for the…
vitaly

Uncontrolled Format String Vulnerability in JavaScript

I have been working on input validation vulnerabilities and am very new to Uncontrolled Format String Vulnerabilities; as far as I have learned, they are usually exploited through printf functions with "%". I also saw that JavaScript (Node.JS) supports format…
Ekin

Sudo debug function vulnerability

I am quite stuck with an assignment question, exploiting vulnerability (vfprintf) in sudo_debug function with ASLR (CVE: 2012-0809). I can only use string format exploits. ONLY ASLR IS ENABLED < NO FORTIFY_SOURCE I must overwrite the value of…
fida

What is the ideal HMAC message format if message is an array?

I'm using HMAC exactly as intended to verify the integrity of a message. However, the message is really an associative array (or a hash). Since this will be done on various platforms (within and outside our control), we need a standard way to…
Nemo