1. Authentication
- Brute Force
- Insufficient Authentication
- Weak Password Recovery Validation
2. Authorization
- Credential/Session Prediction
- Insufficient Authorization
- Insufficient Session Expiration
- Session Fixation
3. Client-side Attacks
- Content Spoofing
- Cross-site Scripting
4. Command Execution
- Buffer Overflow
- Format String Attack
- LDAP Injection
- OS Commanding
- SQL Injection
- SSI Injection
- XPath Injection
5. Information Disclosure
- Directory Indexing
- Information Leakage
- Path Traversal
- Predictable Resource Location
6. Logical Attacks
- Abuse of Functionality
- Denial of Service
- Insufficient Anti-automation
- Insufficient Process Validation
|
|
Format String Attacks
Format String Attacks alter the flow of an application by using string
formatting library features to access other memory space.
Vulnerabilities occur when user-supplied data are used directly as
formatting string input for certain C/C++ functions (e.g. fprintf,
printf, sprintf, setproctitle, syslog, ...).
If an attacker passes a format string consisting of printf conversion
characters (e.g. "%f", "%p", "%n", etc.) as parameter value to the web
application, they may:
- Execute arbitrary code on the server
- Read values off the stack
- Cause segmentation faults / software crashes
Example
Lets assume that a web application has a parameter
emailAddress, dictated by the user. The application prints the
value of this variable by using the printf function:
printf(emailAddress);
If the value sent to the emailAddress parameter contains
conversion characters, printf will parse the conversion characters
and use the additionally supplied corresponding arguments. If no
such arguments actually exist, data from the stack will be used in
accordance to the order expected by the printf function.
The possible uses of the Format String Attacks in such a case can
be:
- Read data from the stack: If the output stream of the printf
function is presented back to the attacker, he may read values
on the stack by sending the conversion character "%x" (one or
more times).
- Read character strings from the process' memory: If the output
stream of the printf function is presented back to the attacker,
he can read character strings at arbitrary memory locations by
using the "%s" conversion character (and other conversion
characters in order to reach specific locations).
- Write an integer to locations in the process' memory: By using
the "%n" conversion character, an attacker may write an integer
value to any location in memory. (E.g. overwrite important
program flags that control access privileges, or overwrite return
addresses on the stack, etc.)
References
"(Maybe) the first publicly known Format Strings exploit"
http://archives.neohapsis.com/archives/bugtraq/1999-q3/1009.html
"Format string input validation error in wu-ftpd site_exec() function"
http://www.kb.cert.org/vuls/id/29823
To receive your Free Application
Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $1999.00 for a second Format String Attacks attack vulnerability test.
|