Uncontrolled Format String

ID: 134
Date: Created 2012-05-14, Modified 2020-05-26
Type: weakness
Status: DRAFT
Abstraction Type: Base


The software uses externally-controlled format strings in printf-style functions, which can lead to buffer overflows or data representation problems.

Likelihood of Exploit: Very High

Applicable Platforms
Language: C (Often)
Language: C++ (Often)
Language: Perl (Rarely)
Language Class: Languages that support format strings

Time Of Introduction

  • Implementation

Related Attack Patterns

Common Consequences

Technical Impact: Read memory
Notes: Format string problems allow for information disclosure which can severely simplify exploitation of the program.
Technical Impact: Execute unauthorized code or commands
Notes: Format string problems can result in the execution of arbitrary code.

Detection Methods

Automated Static Analysis
This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.
Black Box
Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source).

Potential Mitigations

  • Choose a language that is not subject to this flaw.
  • Ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [R.134.1] [R.134.2]
  • Build and Compilation: Heed the warnings of compilers and linkers, since they may alert you to improper usage.
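As an added illustration of the mitigations above (constant format strings, the right number of arguments, no %n), not code from the CWE entry: a small C helper that parses a printf-style format and reports what it would consume, beside the safe way to render untrusted text. All function and struct names here are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Result of auditing one printf-style format string. */
struct fmt_audit {
    int args_consumed;  /* arguments the directives pull from the va_list */
    int has_n;          /* 1 if a %n (write-to-memory) directive is present */
    int malformed;      /* 1 if a '%' is not followed by a valid conversion */
};

/* Walk a C99 printf-style format and record what it would consume.
 * Constructed helper for this example; it is not part of the CWE entry. */
struct fmt_audit audit_format(const char *fmt) {
    struct fmt_audit r = {0, 0, 0};
    const char *p = fmt;
    while (*p) {
        if (*p != '%') { p++; continue; }
        p++;
        if (*p == '%') { p++; continue; }               /* "%%" literal */
        while (*p && strchr("-+ #0", *p)) p++;           /* flags */
        if (*p == '*') { r.args_consumed++; p++; }       /* width from arg */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                                  /* precision */
            p++;
            if (*p == '*') { r.args_consumed++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;         /* length modifiers */
        if (*p == '\0' || !strchr("diouxXeEfFgGaAcspn", *p)) { r.malformed = 1; break; }
        if (*p == 'n') r.has_n = 1;
        r.args_consumed++;
        p++;
    }
    return r;
}

/* Policy from the mitigation: a format is acceptable only if it is
 * well-formed, free of %n, and consumes exactly the nargs arguments
 * the caller actually supplies. Returns 1 if acceptable, else 0. */
int format_is_acceptable(const char *fmt, int nargs) {
    struct fmt_audit r = audit_format(fmt);
    return !r.malformed && !r.has_n && r.args_consumed == nargs;
}

/* The safe pattern: untrusted data is passed as an argument to a constant
 * format, so "%x" or "%n" inside it is copied as text, never interpreted. */
int render_untrusted(char *out, size_t outlen, const char *untrusted) {
    return snprintf(out, outlen, "%s", untrusted);
}
```

A wrapper around a logging function can call format_is_acceptable() on its format before forwarding it, which catches the argument-count mismatch and %n cases the mitigation describes even when the format is not a compile-time literal.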


Related CWE: CWE-134 ChildOf CWE-896 (Type: Category, View: CWE-888)

Demonstrative Examples

  1. Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:
  2. The following code copies a command line argument into a buffer using snprintf().
  3. The following example is exploitable, due to the printf() call in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple.

Observed Examples

  1. CVE-2002-1825 : format string in Perl program
  2. CVE-2001-0717 : format string in bad call to syslog function
  3. CVE-2002-0573 : format string in bad call to syslog function
  4. CVE-2002-1788 : format strings in NNTP server responses
  5. CVE-2006-2480 : Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.
  6. CVE-2007-2027 : Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
A weakness where the code path has:
1. a start statement that accepts input
2. an end statement that passes a format string to a format string function, where
  a. the input data is part of the format string and
  b. the format string is undesirable
Where "undesirable" is defined through the following scenarios:
1. not validated
2. incorrectly validated

Black Box Definitions

Taxonomy Mappings

PLOVER: Format string vulnerability
7 Pernicious Kingdoms: Format String
CLASP: Format string problem
CERT C Secure Coding: FIO30-C Exclude user input from format strings
OWASP Top Ten 2004: A1 Unvalidated Input
Format String
CERT Java Secure Coding: IDS06-J Exclude user input from format strings
CERT C++ Secure Coding: FIO30-CPP Exclude user input from format strings


References

  R.134.1 Steve Christey. Format String Vulnerabilities in Perl Programs.
  R.134.2 Hal Burch, Robert C. Seacord. Programming Language Format String Vulnerabilities.
  R.134.3 Tim Newsham. Format String Attacks. Guardent. Published September 2000.
  R.134.4 M. Howard, D. LeBlanc. Writing Secure Code, 2nd Edition. Microsoft. Chapter 5, "Format String Bugs", page 147. Published 2002.
  R.134.5 Michael Howard, David LeBlanc, John Viega. 24 Deadly Sins of Software Security. McGraw-Hill. "Sin 6: Format String Problems", page 109. Published 2010.
  R.134.6 Mark Dowd, John McDonald, Justin Schuh. The Art of Software Security Assessment, 1st Edition. Addison Wesley. Chapter 8, "C Format Strings", page 422. Published 2006.
CVE relations: 229

© SecPod Technologies