* Ian Lance Taylor: > What is the security issue here?
The issue arises in programs that pass attacker-controlled data as the format string. They use

    printf(some_string);
    syslog(LOG_INFO, some_string);

instead of

    printf("%s", some_string);
    syslog(LOG_INFO, "%s", some_string);

The main point of this attack is to embed target addresses in the format string and add conversion specifications so that "%n" picks up these addresses. On a machine that supports unaligned memory accesses, you can use a sequence of overlapping writes to put arbitrary contents into arbitrary memory locations.
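An added example, not from the thread above, putting the two patterns side by side in C and adding a small defensive scan that flags conversion specifications (and "%n" in particular) in a string that is about to be used as a format. UNTRUSTED is a constructed sample input; scan_format and its accepted flag/length characters are an assumption of this example, not a glibc API.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: looks like attacker-supplied data carrying
 * conversion specifications, including the dangerous "%n". */
static const char UNTRUSTED[] = "user=%08x.%08x.%n";

/* Vulnerable pattern from the thread: untrusted data *is* the format.
 * Never called here; with "%n" and no matching arguments this is
 * undefined behaviour and may write to memory. */
static int render_vulnerable(char *out, size_t n, const char *s) {
    return snprintf(out, n, s);
}

/* Safe pattern: the format is a literal, untrusted data is an argument. */
static int render_safe(char *out, size_t n, const char *s) {
    return snprintf(out, n, "%s", s);
}

/* Returns 1 if render_safe reproduces s verbatim, i.e. no directive
 * inside s was interpreted. */
static int safe_render_is_verbatim(const char *s) {
    char buf[128];
    render_safe(buf, sizeof buf, s);
    return strcmp(buf, s) == 0;
}

/* Defensive check for the rare case where a non-literal format cannot be
 * avoided: count conversion specifications and report whether any is "%n".
 * "%%" is an escaped percent and is not counted. The flag, width, precision
 * and length-modifier characters below follow C99 (assumption of this code). */
typedef struct { int specs; int has_n; } fmt_report;

static fmt_report scan_format(const char *s) {
    fmt_report r = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" -> literal '%' */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (!*p) break;                          /* trailing '%' only */
        r.specs++;
        if (*p == 'n') r.has_n = 1;
    }
    return r;
}

int main(void) {
    fmt_report r = scan_format(UNTRUSTED);
    printf("directives=%d has_%%n=%d verbatim=%d\n",
           r.specs, r.has_n, safe_render_is_verbatim(UNTRUSTED));
    return 0;
}
```

Compiling with -Wformat -Wformat-security (GCC/Clang) also reports the render_vulnerable call at build time, which is the cheaper check.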