by aweinstock 3580 days ago
Attacker-controlled format strings are very convenient bugs, but they can't do everything. Consider the program:

    #include <stdio.h>

    int main(void) {
        char buf[20];
        /* Read up to 19 bytes of attacker-controlled input from stdin. */
        if (fgets(buf, sizeof buf, stdin) == NULL)
            return 1;
        /* Vulnerable by design: the attacker's input is used as the format string. */
        printf(buf);
        return 0;
    }
An attacker writing to the program's stdin can read at offsets to the stack (e.g. "%42$x"), read the contents of arbitrary non-null memory (e.g. "ABCD%5$s", where ABCD is a 32-bit memory address, and 5 is the positional parameter corresponding to the start of buf), and write an arbitrary value to an arbitrary address (e.g. "ABCD%38x%5$n", to write the value 42 to address 0x44434241).

A significant limitation of the vulnerability in the above program is that the attacker can't, in a single execution of the program, read a value, then do computations on it locally, then write a value based on those computations. This flexibility is needed in order to bypass ASLR.
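As an added example (not part of the comment above, and not the commenter's code), here is the same program in a hardened form, together with a small helper that counts printf-style conversion directives in untrusted input. The helper names `count_format_directives`, `looks_like_format_attack` and `print_untrusted` are assumptions chosen for this illustration; the core fix is simply that the untrusted buffer is passed as an argument, never as the format string.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Counts printf-style conversion directives in untrusted input.
 * A literal "%%" is an escaped percent sign and is not counted.
 * Any other '%' starts a directive (well-formed or not), which is
 * exactly what a format-string bug would hand to printf. */
size_t count_format_directives(const char *s) {
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {  /* "%%": escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Detection heuristic (hypothetical helper): input destined for a
 * printf-family sink that carries any directive deserves a log entry. */
bool looks_like_format_attack(const char *s) {
    return count_format_directives(s) > 0;
}

/* Hardened version of the comment's main(): the untrusted buffer is the
 * argument, never the format. Returns the number of bytes written, or a
 * negative value on error, as fprintf does. */
int print_untrusted(const char *buf, FILE *out) {
    return fprintf(out, "%s", buf);
}

int main(void) {
    char buf[20];
    if (fgets(buf, sizeof buf, stdin) == NULL)
        return 1;
    /* Vulnerable form from the comment, kept here only as a reminder:
     *     printf(buf);
     * Hardened form: */
    if (looks_like_format_attack(buf))
        fprintf(stderr, "note: input contains %zu format directive(s)\n",
                count_format_directives(buf));
    print_untrusted(buf, stdout);
    return 0;
}
```

Compiling the original with `-Wformat-security` (GCC and Clang) flags the `printf(buf)` call, because the format is a non-literal with no arguments; that warning, turned into an error in CI, catches this class of bug before any input-level heuristic is needed.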

1 comments

Kudos for the worked example!