The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
View on MITREFormat string problems allow for information disclosure which can severely simplify exploitation of the program.
Format string problems can result in the execution of arbitrary code, buffer overflows, denial of service, or incorrect data representation.
Choose a language that is not subject to this flaw.
Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Run compilers and linkers with high warning levels, since they may detect incorrect usage.
Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.
According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis Cost effective for partial coverage: Binary / Bytecode simple extractor - strings, ELF readers, etc.
According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Manual Source Code Review (not inspections) Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source
According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer Cost effective for partial coverage: Warning Flags
According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Formal Methods / Correct-By-Construction Cost effective for partial coverage: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
The following program prints a string provided as an argument.
The example is exploitable, because of the call to printf() in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple.
The following code copies a command line argument into a buffer using snprintf().
This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.
Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:
This code produces the following output: 5 9 5 5 It is also possible to use half-writes (%hn) to accurately control arbitrary DWORDS in memory, which greatly reduces the complexity needed to execute an attack that would otherwise require four staggered writes, such as the one mentioned in a separate example.
Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.
View DetailsChain: untrusted search path enabling resultant format string by loading malicious internationalization messages
View DetailsNo relationship information available for this CWE.
CWE-134: Use of Externally-Controlled Format String is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
If exploited, CWE-134 (Use of Externally-Controlled Format String) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Read Memory, Modify Memory and Execute Unauthorized Code or Commands.
Recommended mitigations for CWE-134 include: Choose a language that is not subject to this flaw. Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117] Run compilers and linkers with high warning levels, since they may detect incorrect usage.
CWE-134 can be detected using Black Box, Automated Static Analysis - Binary or Bytecode, Manual Static Analysis - Source Code, Automated Static Analysis - Source Code and Architecture or Design Review. Combining automated tooling with manual review typically yields the best coverage.
CWE-134 commonly affects C, C++ and Perl. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-134, including CVE-2002-1825, CVE-2001-0717, CVE-2002-0573, CVE-2002-1788 and CVE-2006-2480. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-134 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.