Hi, in our C secure code development series, we will examine the vulnerability through sample applications by focusing on the format string vulnerability, which is one of the known vulnerability types in the exploit development community. First of all, let's understand the concept of format string through examples.
Our previous topics:
https://www.turkhackteam.org/konular/c-guvenli-kod-gelistirme-stack-overflow-zafiyeti.2013720/
https://www.turkhackteam.org/konula...-overflow-memory-leak-use-after-free.2014350/
Now what's going on with this code? The variable A holds a value of type integer. We will print this value to the screen with the printf method and we print it by specifying the format of this value and we do this with the %i value, which is the format specifier here. In other words, we ensure that the format of the value to be presented as output is integer. In other words, our style markers here provide the desired interpretation of the binary data in memory. We can understand this more clearly with the following example.
Look, our variable a holds the value of 10.5, but we print it in integer format and it prints the full number on the screen.
Now that I changed the code like this, what do you think will print? We have a variable of type Int and it holds a character in it. Then we format the variable with the character and print it on the screen.
Now I stop with the breakpoint without printing the value to the screen and see its value in memory. There is an integer variable that holds the character sequence 'A' and the value it holds in it is the decimal equivalent of the letter A. Then I format it with %c, so I say I want to see it in character formatting.
I say step over and process the next line and as a result I can see the character formatted version of the corresponding decimal value. You can query such examples by applying them yourself, I wanted to illustrate the format string event a little without mentioning the format string vulnerability. Finally, let's examine the printf method here.
Our printf function, which is located under the stdio.h library, takes the string to be sent to stdout in the first parameter and then retrieves the optionally formatted values.
So that's how we can see it.
Format Strings Abuse
In fact, at the end of the day, we come to the subject that we will talk about as a vulnerability. We will see how these format specifiers, which we call format specifiers, are used as an exploitation technique in a possible vulnerability. Let's simply go from the ground up.
Now I've entered the subject with a very simple example. Look, there is no variable to output, but I print the %x token with printf three times and I see three addresses on the screen. Here the token x % offers us hexadecimal values. So he read and wrote three values from the stack. Has anything come to life in your head? E since we can read the value in a possible vulnerability, let's squeeze this token between and take advantage of it, right?
I took this example directly from Format One :: Andrew Griffiths' Exploit Education here, which is basically an example where you can understand this phenomenon.
You know, I just said x%, a stylistic specifier that allows reading data from memory, and in this example, it puts a finger on that.
Here you have read the description and the indian part. The explanation is no different from what I said above. In the Indian part, objdump says your aide-de-camp. Here, let me first explain the source code to you and find the point of vulnerability. A variable called int target takes up space in the defined stack and a halta does not take up space. The vuln function is then a function that does not return a value of type void and expects a value of type char as an argument. In it, he prints the argument that comes to him with printf. It then checks the value of the target variable and generates a message that you have modified it. In the main function, the vuln function is called and the argument is given in it. In short, when you run the program by giving an argument, the vuln function in main will be triggered and it will perform the task of printing on the screen by operating the printf method.
Now if you pay attention here, printf prints the incoming argument directly and no format specifier is used, and at this point we are in a situation where we can perform operations by adding specifiers. Because it will take it as an argument and process it. At this point, the format string weakness occurs.
E prints this too. In other words, at this point, we have determined the vulnerability. So we abuse it by taking advantage of the blessings of format specifiers.
We can exemplify it as follows. So what happened is that we went back to the printf(%x) example that I mentioned in the abuse. This program is doing that right now.
After that, if we obtain the value of the relevant target variable in memory with objdump and write the value we want with the %n token to this value, we will modify the target variable and exploit the vulnerability.
In this way, with printf, we specify the type of our output as string and write secure code.
The essence is to trust the input from the user and control it. It's like XSS vulnerability, doesn't it? output encoding or something?
Thanks for reading.
Translator: @ByFelez
Subject Author: @Pentester
Subject: https://www.turkhackteam.org/konular/c-guvenli-kod-gelistirme-format-string-zafiyeti.2015852/
Our previous topics:
https://www.turkhackteam.org/konular/c-guvenli-kod-gelistirme-stack-overflow-zafiyeti.2013720/
https://www.turkhackteam.org/konula...-overflow-memory-leak-use-after-free.2014350/
Now what's going on with this code? The variable A holds a value of type integer. We will print this value to the screen with the printf method and we print it by specifying the format of this value and we do this with the %i value, which is the format specifier here. In other words, we ensure that the format of the value to be presented as output is integer. In other words, our style markers here provide the desired interpretation of the binary data in memory. We can understand this more clearly with the following example.
Look, our variable a holds the value of 10.5, but we print it in integer format and it prints the full number on the screen.
Now that I changed the code like this, what do you think will print? We have a variable of type Int and it holds a character in it. Then we format the variable with the character and print it on the screen.
Now I stop with the breakpoint without printing the value to the screen and see its value in memory. There is an integer variable that holds the character sequence 'A' and the value it holds in it is the decimal equivalent of the letter A. Then I format it with %c, so I say I want to see it in character formatting.
I say step over and process the next line and as a result I can see the character formatted version of the corresponding decimal value. You can query such examples by applying them yourself, I wanted to illustrate the format string event a little without mentioning the format string vulnerability. Finally, let's examine the printf method here.
Our printf function, which is located under the stdio.h library, takes the string to be sent to stdout in the first parameter and then retrieves the optionally formatted values.
So that's how we can see it.
Format Strings Abuse
In fact, at the end of the day, we come to the subject that we will talk about as a vulnerability. We will see how these format specifiers, which we call format specifiers, are used as an exploitation technique in a possible vulnerability. Let's simply go from the ground up.
Now I've entered the subject with a very simple example. Look, there is no variable to output, but I print the %x token with printf three times and I see three addresses on the screen. Here the token x % offers us hexadecimal values. So he read and wrote three values from the stack. Has anything come to life in your head? E since we can read the value in a possible vulnerability, let's squeeze this token between and take advantage of it, right?
I took this example directly from Format One :: Andrew Griffiths' Exploit Education here, which is basically an example where you can understand this phenomenon.
You know, I just said x%, a stylistic specifier that allows reading data from memory, and in this example, it puts a finger on that.
Here you have read the description and the indian part. The explanation is no different from what I said above. In the Indian part, objdump says your aide-de-camp. Here, let me first explain the source code to you and find the point of vulnerability. A variable called int target takes up space in the defined stack and a halta does not take up space. The vuln function is then a function that does not return a value of type void and expects a value of type char as an argument. In it, he prints the argument that comes to him with printf. It then checks the value of the target variable and generates a message that you have modified it. In the main function, the vuln function is called and the argument is given in it. In short, when you run the program by giving an argument, the vuln function in main will be triggered and it will perform the task of printing on the screen by operating the printf method.
Now if you pay attention here, printf prints the incoming argument directly and no format specifier is used, and at this point we are in a situation where we can perform operations by adding specifiers. Because it will take it as an argument and process it. At this point, the format string weakness occurs.
E prints this too. In other words, at this point, we have determined the vulnerability. So we abuse it by taking advantage of the blessings of format specifiers.
We can exemplify it as follows. So what happened is that we went back to the printf(%x) example that I mentioned in the abuse. This program is doing that right now.
After that, if we obtain the value of the relevant target variable in memory with objdump and write the value we want with the %n token to this value, we will modify the target variable and exploit the vulnerability.
In this way, with printf, we specify the type of our output as string and write secure code.
The essence is to trust the input from the user and control it. It's like XSS vulnerability, doesn't it? output encoding or something?
Thanks for reading.
Translator: @ByFelez
Subject Author: @Pentester
Subject: https://www.turkhackteam.org/konular/c-guvenli-kod-gelistirme-format-string-zafiyeti.2015852/
