On Thu, Jun 07, 2007 at 10:36:43AM +0200, Florian Weimer wrote:
> * Ian Lance Taylor:
>
> > What is the security issue here?
>
> The issue arises in programs that pass attacker-controlled data as
> the format string.  They use
>
>   printf(some_string);
>   syslog(LOG_INFO, some_string);
>
> instead of
>
>   printf("%s", some_string);
>   syslog(LOG_INFO, "%s", some_string);
>
> The main point of this attack is to embed target addresses in the
> format string and add conversion specifications so that "%n" picks up
> these addresses.  On a machine that supports unaligned memory
> accesses, you can use a sequence of overlapping writes to put
> arbitrary contents into arbitrary memory locations.
FYI, glibc limits %n as well in -D_FORTIFY_SOURCE=2 mode, though %n is
only barfed on if the format string containing it is in writable memory.
So

  printf ("%s%n", some_string, &n);

or

  printf (_("foo %s%n"), some_string, &n);

is ok even with -D_FORTIFY_SOURCE=2, but e.g.

  char buf[20];
  strcpy (buf, "%s%n");
  printf (buf, some_string, &n);

will result in immediate program termination with -D_FORTIFY_SOURCE=2.
This violates ISO C, but
a) -D_FORTIFY_SOURCE=2 (unlike =1) is meant to impose additional
   restrictions
b) having %n in writable memory is rarely needed (of course unless you
   are trying to exploit something)

	Jakub
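As an added example (not code from either message in this thread, and not glibc's own fortify logic), the following C shows the safe pattern Florian describes, passing untrusted text as a "%s" argument so that any '%' it contains is printed literally, together with a small hypothetical audit helper, has_n_directive(), that scans a string for a "%n" directive the way a code reviewer or lint pass might before letting it reach printf. Function names, the constructed sample input and the buffer sizes are all assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Safe form from the thread: the untrusted text is a %s argument, so a
 * "%n" (or any other directive) inside it is copied, never interpreted.
 * Returns the number of characters written, or -1 on error/truncation. */
static int log_untrusted(char *out, size_t outsz, const char *prefix,
                         const char *msg)
{
    int n = snprintf(out, outsz, "%s: %s", prefix, msg);
    if (n < 0 || (size_t)n >= outsz)
        return -1;              /* encoding error or output truncated */
    return n;
}

/* Hypothetical audit helper (assumption: not part of glibc or the thread):
 * report whether a string, if it were ever used as a format string,
 * carries a "%n" conversion.  "%%" is treated as a literal percent sign;
 * flags, width, precision and length modifiers are skipped so that
 * variants such as "%10n" or "%hhn" are also caught.  Returns 1 or 0. */
static int has_n_directive(const char *fmt)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') {        /* "%%" is not a conversion */
            p++;
            continue;
        }
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;                /* flags, width, precision, length */
        if (*p == 'n')
            return 1;
        if (*p == '\0')
            break;              /* dangling '%' at end of string */
        p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: attacker-shaped input that would be dangerous
     * as a format string but is harmless as a %s argument. */
    const char *some_string = "user=%x%x%n";
    char buf[64];

    if (log_untrusted(buf, sizeof buf, "login", some_string) > 0)
        puts(buf);              /* prints: login: user=%x%x%n */
    printf("contains %%n: %d\n", has_n_directive(some_string));
    return 0;
}
```

The audit helper is a coarse static check, not a replacement for -D_FORTIFY_SOURCE=2 or -Wformat-security: it only tells you that a string would be risky as a format, which is exactly the situation "%s" avoids in the first place.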