Format String

Occurs when a program uses user-controlled input as the format string parameter in functions like printf, sprintf, fprintf, or scanf without proper validation or sanitization. This vulnerability can allow attackers to read or write arbitrary memory locations, potentially leading to information disclosure, or arbitrary code execution.

When an attacker can modify an externally-controlled format string, this can lead to buffer overflows, denial of service, or data representation problems.

It should be noted that in some circumstances, such as internationalization, the set of format strings is externally controlled by design. If the source of these format strings is trusted (e.g. only contained in library files that are only modifiable by the system administrator), then the external control might not itself pose a vulnerability.

Remediation

Validate that all format string functions receive a static string unaffected by user input.
Ensure correct argument counts.
If possible, prefer using functions that do not support %n operator in format strings

Metadata

Severity: medium
Slug: format-string

CWEs

628: Function Call with Incorrectly Specified Arguments
134: Use of Externally-Controlled Format String

Available Labs

Open C labs in SecDim Play for this vulnerability.

easy

Format String.c

C Easy Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.