Florian Weimer <[EMAIL PROTECTED]> writes:

> The issue arises in programs that pass attacker-controlled data as
> the format string. They use
>
> printf(some_string);
> syslog(LOG_INFO, some_string);
>
> instead of
>
> printf("%s", some_string);
> syslog(LOG_INFO, "%s", some_string);
>
> The main point of this attack is to embed target addresses in the
> format string and add conversion specifications so that "%n" picks up
> these addresses. On a machine that supports unaligned memory
> accesses, you can use a sequence of overlapping writes to put
> arbitrary contents into arbitrary memory locations.
This is off-topic, but: there are many other difficulties when the attacker can control the format string, so that is what should be prevented, which you can do with compiler analysis and runtime checks. At the very least there should be a compiler option for standard-conformant behaviour in this area. I didn't see one in the MSDN docs.

I would say that gets is much more dangerous than %n in printf, but presumably Microsoft does not disable gets.

Ian
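The mechanism quoted above (%n storing a byte count into memory, with padding width choosing the value stored), the vulnerable call shape, the "%s" fix, and a runtime check of the kind Ian mentions, as an added C example that is not from the thread or from either poster. The ATTACKER_INPUT string is constructed for the demonstration, and the function names and the count_conversions check are assumptions of this example, not any compiler's or libc's own facility.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed attacker input for the demonstration (not from the thread).
 * It is const so it lives in read-only storage; glibc's _FORTIFY_SOURCE
 * build only aborts on "%n" when the format sits in writable memory. */
static const char ATTACKER_INPUT[] = "%x%x%x%n";

/* 1. What %n does: it writes the number of bytes produced so far into the
 *    int its argument points to.  A width ("%*x") lets whoever writes the
 *    format pick that number, i.e. the value that lands in memory. */
static int write_value_via_percent_n(int value) {
    char scratch[1024];          /* large enough that nothing is truncated */
    int target = 0;
    /* "%*x" prints 0 padded to 'value' columns; "%n" then stores 'value'
       into target.  Here the pointer is ours; in the attack Florian
       describes it is bytes the attacker embedded in the string. */
    snprintf(scratch, sizeof scratch, "%*x%n", value, 0, &target);
    return target;
}

/* 2. The bug pattern from the thread: untrusted text used as the format.
 *    Each %x reads a vararg that was never passed; %n writes through one. */
static void log_vulnerable(char *out, size_t outsz, const char *msg) {
    snprintf(out, outsz, msg);                 /* WRONG: msg is the format */
}

/* 3. The fix: the format is a literal, the data is an argument. */
static void log_safe(char *out, size_t outsz, const char *msg) {
    snprintf(out, outsz, "%s", msg);           /* RIGHT */
}

/* 4. A runtime check (an assumption of this example): count conversion
 *    specifications in data that must never become a format string.
 *    "%%" is a literal percent sign and is not counted. */
static int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* skip the escaped pair */
        n++;
    }
    return n;
}

/* Safe wrapper: refuse data that looks like a format, log the rest via %s.
 * Returns 1 when the message was logged, 0 when it was rejected. */
static int log_checked(char *out, size_t outsz, const char *msg) {
    int bad = count_conversions(msg);
    if (bad > 0) {
        snprintf(out, outsz, "[rejected: %d conversion(s) in untrusted data]", bad);
        return 0;
    }
    log_safe(out, outsz, msg);
    return 1;
}

int main(void) {
    char buf[128];
    printf("%%n stored %d\n", write_value_via_percent_n(300));
    log_safe(buf, sizeof buf, ATTACKER_INPUT);
    printf("safe:    %s\n", buf);              /* attacker text, verbatim */
    if (!log_checked(buf, sizeof buf, ATTACKER_INPUT))
        printf("checked: %s\n", buf);
    /* log_vulnerable(buf, sizeof buf, ATTACKER_INPUT) is undefined
       behaviour: the %x/%n would read and write stack slots we never
       supplied.  Only benign input is passed to it here. */
    log_vulnerable(buf, sizeof buf, "benign text");
    printf("vuln (benign input): %s\n", buf);
    return 0;
}
```

Compiling with -Wformat-security (or -Wformat=2) flags the snprintf in log_vulnerable because its format is not a literal and it has no arguments; that is the compile-time analysis side of what Ian asks for, and the runtime side is the kind of check log_checked performs before the data reaches any printf-family call.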