3. String Format
Presentation
String formats, more commonly called format strings, are variables of the character string type
that specify how data is to be formatted or arranged in the C language. This type of string can cause
a number of problems: it can compromise the execution flow of a vulnerable program. This is what is
called a format bug.
Origins
Format bugs are quite often the result of incorrect use of printf-type functions (printf, fprintf, sprintf,
snprintf). A program can be compromised from the moment a format string can be controlled by the
user. This type of vulnerability is therefore due to a programming error, just as buffer overflow
vulnerabilities can be, for example.
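The programming error described above, next to its corrected form, as an added example that is not part of the original course text. The function names count_directives and format_user_line and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion directives in s. "%%" is a literal percent sign and is
 * not counted. A non-zero result for untrusted input means a printf-type
 * function would look for arguments the caller never passed. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": skip the escaped percent */
            s++;
            continue;
        }
        n++;                    /* '%' that starts a directive */
    }
    return n;
}

/* Corrected pattern: the format string is a constant and the user's text is
 * only ever an argument, so its '%' characters are copied, not interpreted.
 * The programming error would be: snprintf(out, outsz, user);
 * (user-controlled data used as the format string itself). */
int format_user_line(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "user said: %s", user);
}

int main(void)
{
    const char *user = "%x %x %s";   /* constructed sample input */
    char line[64];

    printf("directives in input: %zu\n", count_directives(user));
    format_user_line(line, sizeof line, user);
    puts(line);                      /* input appears verbatim */
    return 0;
}
```

Compiling with -Wformat -Wformat-security makes GCC and Clang warn when a non-literal string is passed as the format argument with no further arguments.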
Functioning of printf-type functions
Let us now analyse how printf-type functions work. To do this, we can use the following
example:
#include <stdio.h>

int main(void){
    int i = 3;
    float f = 2.5;
    char chain[]="character chain";

    /* one format string, three arguments: an integer, a float and a string */
    printf("i = %d, f = %f, chain = %s\n",i,f,chain);
    return 0;
}

bash# ./prog
i = 3, f = 2.500000, chain = character chain
bash#
From an assembly point of view, the arguments of the printf function are placed on the stack, from the
last argument to the first, so that the format string is pushed last:
push chain
push f
push i
push "i = %d, ..."
call printf
The Hackademy DMP -153/209- SYSDREAM