| Name |
String Format Overflow in syslog() |
|
| Likelyhood of attack |
Typical severity |
| High |
Very High |
|
| Summary |
This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function. |
| Prerequisites |
The Syslog function is used without specifying a format string argument, allowing user input to be placed direct into the function call as a format string. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. In this attack, adversaries look for applications that use syslog() incorrectly. |
|
| 2 |
Experiment |
[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer. For each user-controllable input that the adversary suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc.. The goal is to manipulate the string creation using these formatting characters. |
- Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters.
|
| 3 |
Experiment |
[Craft overflow content] The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary. |
- The formatting characters %s and %d are useful for observing memory and trying to print memory addresses. If an adversary has access to the log being written to they can observer this output and use it to help craft their attack.
- The formatting character %n is useful for adding extra data onto the buffer.
|
| 4 |
Exploit |
[Overflow the buffer] Using the injection vector, the adversary supplies the program with the crafted format string injection, causing a buffer. |
|
|
| Solutions | The following code shows a vulnerable usage of Syslog():
syslog(LOG_ERR, cmdBuf);
// the buffer cmdBuff is taking user supplied data. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-20 |
Improper Input Validation |
| CWE-74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| CWE-134 |
Use of Externally-Controlled Format String |
| CWE-680 |
Integer Overflow to Buffer Overflow |
| CWE-697 |
Incorrect Comparison |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-100 |
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice. |
| CAPEC-135 |
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack. |
|
| Taxonomy: WASC |
|
Entry ID
|
Entry Name
|
| 06 |
Format String |
|