CWE-134: Use of Externally-Controlled Format String

Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: High

Description

The software uses a function that accepts a format string as an argument, but the format string originates from an external source.

Extended Description

When an attacker can modify an externally-controlled format string, this can lead to buffer overflows, denial of service, or data representation problems.

It should be noted that in some circumstances, such as internationalization, the set of format strings is externally controlled by design. If the source of these format strings is trusted (e.g. only contained in library files that are only modifiable by the system administrator), then the external control might not itself pose a vulnerability.
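The internationalization case is the one where "externally controlled by design" has to be backed by a check: a translated message catalog is only trustworthy if every entry uses the same conversions, in the same argument positions, as the developer's reference string, and never introduces %n. The following checker is an added example, not code from the CWE entry or from any catalog tool; it reduces each printf-style format to a per-argument type signature (length modifier plus conversion character, handling %%, "*" width/precision and "N$" positional parameters) and accepts a translation only when the signatures agree. Argument-position forms such as "*2$" are treated as unsupported and rejected.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Added example: validate a catalog-supplied format against a reference.
 * Each conversion is mapped to "argument index -> type signature";
 * '%%' is skipped, '*' width/precision consumes an int argument, and
 * "N$" selects an explicit argument index. Any "%n" is rejected outright. */

#define MAX_ARGS 16
#define SIG_LEN 4

struct fmt_profile {
    char sig[MAX_ARGS][SIG_LEN]; /* "" means the argument slot is unused */
    int max_arg;                 /* highest 1-based argument index used */
};

/* Record the signature of one argument slot; 0 on conflict or overflow. */
static int set_sig(struct fmt_profile *p, int idx, const char *sig)
{
    if (idx < 1 || idx > MAX_ARGS) return 0;
    if (p->sig[idx - 1][0] && strcmp(p->sig[idx - 1], sig) != 0) return 0;
    strcpy(p->sig[idx - 1], sig);
    if (idx > p->max_arg) p->max_arg = idx;
    return 1;
}

/* Parse a printf-style format; 0 if malformed, unsupported, or contains %n. */
static int profile_format(const char *fmt, struct fmt_profile *p)
{
    int next = 1; /* next sequential (non-positional) argument index */
    memset(p, 0, sizeof *p);
    for (const char *s = fmt; *s; s++) {
        if (*s != '%') continue;
        s++;
        if (*s == '%') continue;                 /* literal percent sign */
        int idx = 0;
        const char *t = s;                       /* optional "N$" */
        while (isdigit((unsigned char)*t)) t++;
        if (t > s && *t == '$') { idx = atoi(s); s = t + 1; }
        while (*s && strchr("-+ #0'", *s)) s++;  /* flags */
        if (*s == '*') { if (!set_sig(p, next++, "i")) return 0; s++; }
        else while (isdigit((unsigned char)*s)) s++;           /* width */
        if (*s == '.') {                                        /* precision */
            s++;
            if (*s == '*') { if (!set_sig(p, next++, "i")) return 0; s++; }
            else while (isdigit((unsigned char)*s)) s++;
        }
        char sig[SIG_LEN] = {0};
        int n = 0;
        while (*s && strchr("hlLqjzt", *s) && n < SIG_LEN - 2)  /* length modifier */
            sig[n++] = *s++;
        if (!*s || !strchr("diouxXeEfFgGaAcspn", *s)) return 0;  /* unknown conversion */
        if (*s == 'n') return 0;                 /* %n is never acceptable in a catalog */
        sig[n] = *s;
        if (idx == 0) idx = next++;
        if (!set_sig(p, idx, sig)) return 0;
    }
    return 1;
}

/* 1 if candidate uses exactly the reference's argument types, else 0. */
int format_specs_match(const char *reference, const char *candidate)
{
    struct fmt_profile r, c;
    if (!profile_format(reference, &r) || !profile_format(candidate, &c)) return 0;
    if (r.max_arg != c.max_arg) return 0;
    for (int i = 0; i < r.max_arg; i++)
        if (strcmp(r.sig[i], c.sig[i]) != 0) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample catalog entries. */
    const char *ref = "Hello %s, you have %d items\n";
    const char *ok  = "%2$d Artikel fuer %1$s\n";           /* reordered, still valid */
    const char *bad = "Hallo %s, du hast %d Artikel %n\n";  /* smuggled %n */
    printf("reordered translation accepted: %d\n", format_specs_match(ref, ok));
    printf("translation with %%n accepted : %d\n", format_specs_match(ref, bad));
    return 0;
}
```

Run this over every entry at catalog load time (or in a build step, as gettext's msgfmt -c does for strings marked c-format) rather than at the call site; a failing entry should fall back to the untranslated reference string, never be used as a format.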

Related Weaknesses

Nature | CWE ID | View ID | Ordinal
ChildOf | CWE-668 (Exposure of Resource to Wrong Sphere) | 1000 | Primary
ChildOf | CWE-668 (Exposure of Resource to Wrong Sphere) | 1003 | Primary
ChildOf | CWE-668 (Exposure of Resource to Wrong Sphere) | 699 | Primary
CanPrecede | CWE-123 (Write-what-where Condition) | 1000 |
ChildOf | CWE-20 (Improper Input Validation) | 700 | Primary

Applicable Platforms

Language: C (Often), C++ (Often), Perl (Rarely)

Common Consequences

Scope | Impact | Notes
Confidentiality | Read Memory | Format string problems allow for information disclosure, which can severely simplify exploitation of the program.
Integrity, Confidentiality, Availability | Execute Unauthorized Code or Commands | Format string problems can result in the execution of arbitrary code.

Detection Methods

DM-1 Automated Static Analysis

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.

Black Box

Since vulnerable format string calls often sit on rarely exercised error paths (e.g. error message logging), they can be difficult to reach and detect with black-box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source).

Automated Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Bytecode Weakness Analysis - including disassembler + source code weakness analysis
  • Binary Weakness Analysis - including disassembler + source code weakness analysis
Cost effective for partial coverage:
  • Binary / Bytecode simple extractor – strings, ELF readers, etc.

Manual Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Automated Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Web Application Scanner
  • Web Services Scanner
  • Database Scanners

Dynamic Analysis with Manual Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Fuzz Tester
  • Framework-based Fuzzer

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Manual Source Code Review (not inspections)
Cost effective for partial coverage:
  • Focused Manual Spotcheck - Focused manual analysis of source

Automated Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Source code Weakness Analyzer
  • Context-configured Source Code Weakness Analyzer
Cost effective for partial coverage:
  • Warning Flags

Architecture or Design Review

According to SOAR, the following detection techniques may be useful:

Highly cost effective:
  • Formal Methods / Correct-By-Construction
Cost effective for partial coverage:
  • Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

Potential Mitigations

Requirements

Strategy:

Choose a language that is not subject to this flaw.

Implementation

Strategy:

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments is always sent to that function as well. If at all possible, use functions that do not support the %n directive in format strings. [REF-116] [REF-117]

Build and Compilation

Strategy:

Heed the warnings of compilers and linkers, since they may alert you to improper usage.
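The three mitigations above combine naturally in a small wrapper: give the wrapper a printf format attribute so the compiler checks its call sites exactly as it checks printf, route untrusted text through a "%s" conversion, and build with the format warnings promoted to errors. The code below is an added example, not from the CWE entry; it assumes GCC or Clang (other compilers ignore the attribute, and the wrapper still works), and the log_msg, log_user_event and last_log_line names are the example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example: a logging wrapper that the compiler can check.
 * The format attribute tells GCC/Clang that argument 1 is a printf
 * format and the variadic arguments start at position 2, so
 *   log_msg(user_input)          -> warning, or an error under
 *                                   -Wformat -Werror=format-security
 *   log_msg("%s", user_input)    -> accepted, and safe */

#define LOG_MAX 256
static char log_line[LOG_MAX];   /* last formatted line, kept for inspection */

__attribute__((format(printf, 1, 2)))
int log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(log_line, sizeof log_line, fmt, ap);
    va_end(ap);
    return n;   /* characters the full line would need, as vsnprintf reports */
}

/* Correct use: untrusted text is always an argument to "%s", never the format. */
int log_user_event(const char *who, const char *untrusted)
{
    return log_msg("user %s said: %s", who, untrusted);
}

const char *last_log_line(void)
{
    return log_line;
}

int main(void)
{
    const char *attacker = "%x %x %n";   /* constructed sample input */
    log_user_event("alice", attacker);
    puts(last_log_line());               /* the directives appear as plain text */
    /* log_msg(attacker);   -- a non-literal format: rejected under -Werror=format-security */
    return 0;
}
```

Build with -Wformat=2 -Werror=format-security so the non-literal case cannot slip through review. As a second line of defence on glibc, compiling with optimization and _FORTIFY_SOURCE makes the printf family abort at run time when a %n directive is found in a format string that lives in writable memory, which is where an attacker-supplied format normally sits; this catches the write primitive but not the read (information disclosure) primitive, so it does not replace the static fix.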

Demonstrative Examples

The following program prints a string provided as an argument.

(bad code) Example Language: C

#include <stdio.h>
#include <string.h>

void printWrapper(char *string) {
    printf(string);   /* caller-supplied text used as the format string */
}

int main(int argc, char **argv) {
    char buf[5012];
    memcpy(buf, argv[1], 5012);   /* stack buffer, present only to ease exploitation */
    printWrapper(argv[1]);
    return (0);
}

The example is exploitable because of the call to printf() in the printWrapper() function: the first command-line argument is passed as the format string rather than as data, so any conversion directives it contains are interpreted. Note: The stack buffer was added only to make exploitation simpler.

The following code copies a command line argument into a buffer using snprintf().

(bad code) Example Language: C

int main(int argc, char **argv){
    char buf[128];
    ...
    snprintf(buf,128,argv[1]);   /* argv[1] is the format string */
}

This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.

Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:

(bad code) Example Language: C

printf("%d %d %1$d %1$d\n", 5, 9);

This code produces the following output:

5 9 5 5

The positional form lets an attacker address a chosen argument slot directly with %N$x or %N$n, instead of padding the format with a run of %x directives to walk the stack up to the slot of interest. It is also possible to use half-writes (%hn) to accurately control arbitrary DWORDs in memory, which greatly reduces the complexity needed to execute an attack that would otherwise require four staggered writes, such as the one mentioned in the first example.
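The read primitive, the %n write, the half-write and the effect of the "%s" fix can all be shown deterministically if the "stack slots" are made explicit. The program below is an added example (not from the CWE entry) that models the stack as two variadic arguments: slot 1 holds a value the attacker wants to leak and slot 2 holds a pointer to a word the attacker wants to overwrite; on a real target these slots are whatever happens to lie on the stack, often including the attacker's own input buffer. The sink functions and the secret value are the example's own. The %hn result assumes a little-endian machine, and the format strings are string literals, which keeps them in read-only memory so glibc's _FORTIFY_SOURCE check on %n does not interfere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: format string read/write primitives against explicit
 * "stack slots" so the outcome is deterministic.
 *   slot 1 (%1$...) = a secret word the attacker wants to read
 *   slot 2 (%2$...) = a pointer to a word the attacker wants to write */

static const unsigned int secret = 0xCAFEBABEu;   /* constructed value to leak */

/* Vulnerable sink: attacker-controlled text is used as the format. */
static void vulnerable_sink(char *out, size_t n, const char *user_fmt, int *slot2)
{
    snprintf(out, n, user_fmt, secret, slot2);
}

/* Hardened sink: the same text is passed as data to a fixed "%s" format. */
static void hardened_sink(char *out, size_t n, const char *user_text)
{
    snprintf(out, n, "%s", user_text);
}

/* Read primitive: "%1$x" addresses slot 1 directly; no "%x%x%x" padding needed. */
unsigned int leak_slot1(void)
{
    char out[1024];
    int dummy = 0;
    vulnerable_sink(out, sizeof out, "%1$x", &dummy);
    return (unsigned int)strtoul(out, NULL, 16);
}

/* Write primitive: returns the value attacker_fmt left in the target word.
 * %n stores the number of characters emitted so far through the pointer in
 * slot 2; width padding ("%1$258x") chooses that count, i.e. the stored value.
 * %hn stores only a short, so on little-endian it sets the low 16 bits. */
int value_written_by(const char *attacker_fmt)
{
    char out[1024];
    int target = 0;
    vulnerable_sink(out, sizeof out, attacker_fmt, &target);
    return target;
}

/* Same input through the hardened sink: no directive is interpreted and the
 * text comes out verbatim. */
int hardened_is_inert(const char *attacker_fmt)
{
    char out[1024];
    hardened_sink(out, sizeof out, attacker_fmt);
    return strcmp(out, attacker_fmt) == 0;
}

int main(void)
{
    printf("leaked slot 1        : %#x\n", leak_slot1());
    printf("%%n  after 8 chars    : %d\n", value_written_by("%1$08x%2$n"));
    printf("%%hn after 258 chars  : %#x\n", value_written_by("%1$258x%2$hn"));
    printf("hardened sink inert  : %d\n", hardened_is_inert("%1$08x%2$n"));
    return 0;
}
```

The second write shows why %hn matters: a 16-bit value such as 0x0102 costs only 258 characters of padding, whereas producing the same value with a full-width %n on a larger target would require several staggered writes or a very long output. Chaining two %hn writes to adjacent half-words is what lets an attacker assemble an arbitrary 32-bit pointer in memory, as the text describes.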

Observed Examples

ID | Description | Link
CVE-2002-1825 | format string in Perl program | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1825
CVE-2001-0717 | format string in bad call to syslog function | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0717
CVE-2002-0573 | format string in bad call to syslog function | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0573
CVE-2002-1788 | format strings in NNTP server responses | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1788
CVE-2006-2480 | Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2480
CVE-2007-2027 | Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2027

Notes

Applicable Platform

Other

Research Gap: Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.

Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Format string vulnerability
7 Pernicious Kingdoms | | | Format String
CLASP | | | Format string problem
CERT C Secure Coding | FIO30-C | Exact | Exclude user input from format strings
CERT C Secure Coding | FIO47-C | CWE More Specific | Use valid format strings
OWASP Top Ten 2004 | A1 | CWE More Specific | Unvalidated Input
WASC | 6 | | Format String
The CERT Oracle Secure Coding Standard for Java (2011) | IDS06-J | | Exclude user input from format strings
SEI CERT Perl Coding Standard | IDS30-PL | Exact | Exclude user input from format strings
Software Fault Patterns | SFP24 | | Tainted input to command
OMG ASCSM | ASCSM-CWE-134 | |

Related Attack Patterns

  • CAPEC-135: Format String Injection
  • CAPEC-67: String Format Overflow in syslog()

References