LinuxFocus.org: Avoiding security holes when developing an application - Part 4: format strings

Jul 15, 2001, 19:27
Frédéric Raynal, Christophe Blaess, Christophe Grenier
"With 'economy' in mind, this programmer opens a potential hole in his work. He is satisfied with passing a single string as an argument, which he wanted simply to display without any change. However, this string will be parsed to look for formatting directives (%d, %g...). When such a format character is discovered, the corresponding argument is looked for on the stack.

We will start by introducing the family of printf() functions. We expect everyone knows them, at least... but not in detail, so we will deal with the lesser-known aspects of these routines. Then, we will see how to get the necessary information to exploit such a mistake. Finally, we will show how all this fits together with a single example."
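The mistake the excerpt describes, shown as an added C example that is not the article's own code: whatever string is handed to a printf-family function as its first argument is scanned for directives, so the "economical" call and the correct `"%s"` call render differently even on harmless input, and a count of the directives tells you how many arguments the vulnerable form would go looking for on the stack. The function names, the directive counter and the sample strings are constructed for this illustration; the compiler flag mentioned in the comments, `-Wformat-security`, is the real GCC/Clang warning for this pattern.

```c
#include <stdio.h>
#include <string.h>

/* -Wformat-security is the compiler's own check for a non-literal format
 * string.  It is silenced here ONLY so that the vulnerable form can be shown
 * next to the safe one; in real code, leave it on (and fix what it flags). */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Number of conversion directives printf() would act on in `s`.
 * "%%" is a literal percent sign and does not consume an argument.
 * Each remaining '%' makes printf() fetch one argument the caller
 * never pushed, which is exactly the hole the excerpt describes. */
int count_directives(const char *s)
{
    int n = 0;
    while (*s) {
        if (*s == '%') {
            if (s[1] == '%') {      /* escaped percent: skip both characters */
                s += 2;
                continue;
            }
            n++;
        }
        s++;
    }
    return n;
}

/* The "economical" call: the caller's string becomes the format string.
 * Rendered into a buffer so it can be compared with the safe version.
 * Only ever called here on directive-free input (see format_changes_output). */
int render_as_format(char *out, size_t outlen, const char *s)
{
    return snprintf(out, outlen, s);
}

/* The correct call: a constant format and the text passed as a "%s" argument.
 * Any '%' in `s` is now just a character; nothing extra is read from the stack. */
int render_literal(char *out, size_t outlen, const char *s)
{
    return snprintf(out, outlen, "%s", s);
}

/* Returns 1 when using `s` as the format would NOT "simply display it without
 * any change": either it carries directives (and would read missing arguments,
 * so we refuse to run it) or the two renderings differ. */
int format_changes_output(const char *s)
{
    char as_format[256], as_literal[256];

    if (count_directives(s) != 0)
        return 1;
    render_as_format(as_format, sizeof as_format, s);
    render_literal(as_literal, sizeof as_literal, s);
    return strcmp(as_format, as_literal) != 0;
}

int main(void)
{
    /* Constructed sample inputs: plain text, an escaped percent, and two
     * strings a user could supply that carry real directives. */
    const char *samples[] = { "hello", "100%% sure", "%x %x %x %x", "%n" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s directives=%d changes_output=%d\n",
               samples[i], count_directives(samples[i]),
               format_changes_output(samples[i]));
    return 0;
}
```

The rule the example enforces is the one the article builds toward: a format string must be a constant the programmer wrote, never data the program received; the literal text always goes through `"%s"`.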

