“The cause and implications of format string vulnerabilities are
discussed. Practical examples are given to illustrate the
principles presented.”
“Format string bugs come from the same dark corner as many
other security holes: The laziness of programmers. Somewhere
out there right now, as this document is being read, there is a
programmer writing code. His task: to print out a string or copy it
to some buffer. What he means to write is something like:
printf("%s", str);
but instead he decides that he can save time,
effort and 6 bytes of source code by typing:
printf(str);
Why not? Why bother with the extra printf argument
and the time it takes to parse through that silly format? The first
argument to printf is a string to be printed anyway!
Because the programmer has just unknowingly opened a security hole
that allows an attacker to control the execution of the program,
that’s why!”