Format String Vulnerability
What are Format String Attacks on Websites?
Programming languages usually let a programmer format output, or insert one piece of data into another, by way of a format string. A common example in systems programming is displaying output to a user. You might have a print function that also prints some user-supplied data to the screen:
printf("Welcome %s!", username);
If a user enters John, the screen shows "Welcome John!". Written this way the call is safe: the format string is a fixed literal and username is passed as data, so any percent signs the user types are simply printed. The vulnerability appears when the user-controlled string is itself used as the format, for example by passing username directly to printf as its first argument, or by building the greeting into a buffer first and then printing that buffer as the format. The printf family interprets conversion specifiers such as %s, %x, %p and %n to decide what to fetch from the argument list. If an attacker can supply extra specifiers for which no arguments were passed, printf reads whatever happens to be on the stack or in registers (%x and %p leak memory, %s dereferences a value as a pointer), and %n writes the number of bytes output so far to an address taken from the same place, which is the primitive attackers use to reach arbitrary code execution.
Most discussion of format string attacks comes from the desktop and systems software community, where C functions such as printf are common. The same functions are used on the server side as well (web servers, CGI programs and modules written in C or C++, and the printf-style functions that PHP and other scripting languages expose), although most web format string examples are more obscure than the one given above.
How Does this Impact my Security?
Format string attacks can cause a denial of service: a malicious format string makes the process read or write invalid memory and crash, which for a web server such as IIS or Apache, or the application running behind it, means an outage. They can also disclose data, because %x, %p and %s read values from the stack and the memory those values point to, and in some cases they lead to arbitrary code execution through %n writes. Arbitrary code execution could allow an attacker to gain control of the web server.
Preventing Format String Vulnerabilities
Format string vulnerabilities arise when untrusted input reaches the format argument of a function that interprets formatters. That is not limited to output sent back to the user or the screen: the same mistake occurs in database calls, logging functions and system calls that format a message. The fix is to never pass untrusted data as a format string; use a fixed format literal and pass the data as an argument. Where untrusted text must become part of a format string (a user-editable template, say), escape every percent sign (%) by doubling it to %%, the one sequence the formatter always prints literally. Compilers catch the direct cases: gcc and clang warn about a non-literal format passed with no further arguments under -Wformat-security (part of -Wformat=2), so enable it for C and C++ builds.
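The following C program is an added example, not code from the original page. It puts the vulnerable pattern described above (a message that embeds user text is later passed as a format) beside its fixed form, and implements the two checks this section recommends: detecting unescaped percent signs in input and doubling them when untrusted text has to end up inside a format string. The emit() sink, the function names and the sample inputs are constructed for the example. The vulnerable path is only ever called with benign input here, because feeding it conversion specifiers with no matching arguments is undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical output sink: formats into a buffer the way any
 * printf-family function would. A real program would write to a socket
 * or log file; returning the text lets the result be checked offline.
 * Note: because emit() carries no format attribute, gcc/clang
 * -Wformat-security cannot see through it; adding
 * __attribute__((format(printf, 3, 4))) would make the compiler flag
 * the vulnerable call below. */
static int emit(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the greeting (which embeds attacker-controlled text) is
 * built first and then passed as the format argument. With "John" it
 * produces "Welcome John!" and passes functional tests; with "%x%x%n"
 * the user's text is interpreted as conversions and vsnprintf reads
 * (and, for %n, writes) through arguments that were never passed.
 * That is undefined behaviour, so this example never calls it with
 * attacker-shaped input. */
static int greet_vulnerable(char *out, size_t out_len, const char *username)
{
    char msg[128];
    snprintf(msg, sizeof msg, "Welcome %s!", username);
    return emit(out, out_len, msg);
}

/* FIXED: the format is a literal; username travels as data, so a
 * string such as "%x%x%n" is emitted verbatim and never interpreted. */
static int greet_safe(char *out, size_t out_len, const char *username)
{
    return emit(out, out_len, "Welcome %s!", username);
}

/* Detection: does the input contain a '%' that would start a conversion
 * if it ever reached a format argument? "%%" is a literal percent sign.
 * A trailing lone '%' is also flagged, since it is an invalid format. */
static int has_conversion_spec(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

/* Escaping, for the rare case where untrusted text must become part of
 * a format string: double every '%' so it can only print as a literal.
 * Returns 0 on success, -1 if dst cannot hold the result plus its NUL. */
static int escape_percent(char *dst, size_t dst_len, const char *src)
{
    size_t j = 0;
    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (j + need >= dst_len) return -1;
        dst[j++] = *src;
        if (*src == '%') dst[j++] = '%';
    }
    dst[j] = '\0';
    return 0;
}

int main(void)
{
    char out[128], esc[64];
    const char *attacker = "%x%x%x%n";   /* constructed sample input */

    greet_safe(out, sizeof out, attacker);
    printf("safe:    %s\n", out);        /* Welcome %x%x%x%n! */
    printf("flagged: %d\n", has_conversion_spec(attacker));

    /* Escaped text is safe to use as a format: it prints itself. */
    escape_percent(esc, sizeof esc, attacker);
    emit(out, sizeof out, esc);
    printf("escaped: %s -> %s\n", esc, out);
    return 0;
}
```

Note that greet_vulnerable and greet_safe give identical output for ordinary names, which is why this bug survives functional testing and why a review should look for the pattern (a non-literal format argument) rather than for symptoms.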
Functions are generally hardened against format string issues as they are discovered. In PHP, for example, the latest releases include fixes for recently discovered format string attack vectors in the interpreter itself, so updating your scripting language to the latest version gives the best protection against bugs in the platform (it does nothing for format strings your own code passes unsafely). Keep in mind, however, that a code base upgrade may require changes to your existing application, so it should be thoroughly tested before it goes into production.