CSE 643 - Computer Security - Format String

Please write a function that takes a variable number of strings as its arguments, and prints out their total length.

#include <stdio.h> #include <stdarg.h> #include <string.h> int string_length(int count, ...) { int i, length = 0; va_list ap; va_start(ap, count); for(i=0; i<count; i++) { length += strlen(va_arg(ap, char*)); } va_end(ap); return length; } int main() { int length = string_length(3, "Hello", "World", "!!"); printf("Total length = %d\n", length); } /* output [09/23/18]seed@VM:~$ gcc strlen.c -o strlen [09/23/18]seed@VM:~$ ./strlen Total length = 12 [09/23/18]seed@VM:~$ */

Both buffer-overflow and format-string vulnerabilities can lead to the modification of the return address field, but the ways how the field is modified are different in these two attacks. Please describe their difference, and comment on which one is less restricted.

Buffer-overflow works by copy a large array of data to another array of much smaller capacity. Since arrays must support pointer arithmetic, they always grow from a lower address to a higher address, even in the stack. This will allow us to overwrite the array all the way to the return address. Format string, uses the flaw in printf() that doesn't enforce that the number of format specifiers be equal to the number of parameters, and will arbitrarily keep moving to the next memory location in the stack until it gets to the return address. Both attacks require user input to work, but format string is less restricted. In buffer overflow, we need to know the size of the array beforehand and copy to it another array of a much bigger size, whereas in format string, the mere presence of a printf() function that uses user input as its format string would suffice.

Can we use the StackGuard idea to protected against format-string attacks?

No. Format-string, unlike buffer overflow, doesn't modify any of the memory locations leading up to the return address, and only modifies the return address. Therefore the stackguard won't work.

If we make the stack non-executable, can we exploit the format string vulnerability to get the victim program to spawn a shell?

No. The attack places a malicious payload in the format string, and has the return address point to that location. Though the return address will be successfully overwritten with a location on the stack, the malicious code won't be executed.

Since printf() does not require any privilege, we can temporarily disable the program's privilege before we execute this statement; this way, even if the format-string vulnerability is exploited, attackers will not be able to gain much privilege. Please comment on this idea.

The attack replaces the return address of the function calling printf() and will actually come into effect only after the function has returned. Merely removing the privilege of printf() isn't going to do much, but we need to remove the privilege before calling the function that calls printf(), and enable it after that function returns.

Compilers can give a warning if it detects that the number of arguments in printf() does not match with the number of format specifiers. Please comment on the limitation of this countermeasure.

Warnings aren't errors, and can be ignored. If you use a switch telling the compiler to ignore the warning, it'll go ahead and compile the code into an executable that you can run, and it's up to the morality of the user if he/she wants to proceed with the attack, and hence isn't much of a countermeasure.

What if we want to write a small number such as 0 to a target address using a format-string vulnerability, but due to the %x's that we have to place in the format string, the number of characters printed out by printf() is already nonzero before the va list pointer reaches the target address. Is it still possible to write 0 to the target address?

Yes. Recall that we use %n or %hn to print the number of characters. %n expects the argument to be of type signed int, and %hn expects argument of type signed short int. signed short int has a range of -32767 to 32768. If we print 32769 characters and then use the specifier %hn, the value printed in the target address will be -32767, and if we print 65536 characters, the value printed in the target address will be zero. This small program demonstrates it. #include <stdio.h> int main() { short int count = 0; printf("%65536d%hn", 10, &count); printf("\n%d\n", count); return 0; } /* output [09/23/18]seed@VM:~$ ./test . lots of empty lines here . . 10 0 [09/23/18]seed@VM:~$ ./test