NOTE The \ is handled by the compiler and escapes the character that follows it. This is a way to put special characters into a string without having them interpreted literally. If a \x is encountered, however, the compiler expects hexadecimal digits to follow and replaces the whole sequence with the byte that hex value denotes before the string is processed.
Implications
The implications of this problem are profound indeed. In the best case, the value read from the stack is an arbitrary number that the format directive interprets as an out-of-bounds address, causing the process to take a segmentation fault. That alone gives an attacker a denial-of-service condition.
However, if the attackers are careful and skillful, they may be able to use this fault to both read arbitrary data and write data to arbitrary addresses. In fact, if the attackers can overwrite the correct location in memory, they may be able to gain root privileges.
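The two paragraphs above describe the root cause: user data is passed to printf() as the format argument, so the % directives in it drive what printf() reads and writes. The following added example is not the book's code; it places the vulnerable call beside its hardened form, adds a small helper that counts the conversion directives printf() would act on (so untrusted input can be flagged or logged before it reaches a formatting function), and shows via the safe path that a % in the data is printed literally. The function names and the sample inputs are constructed for this illustration. The check also uses the compiler's \x handling from the note above: "\x25" becomes a % byte in the literal, so the helper counts it like any other %.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern this section is about: the caller-controlled string is
 * the format argument, so every % directive inside it is interpreted by
 * printf(). Shown for contrast only; never call it with untrusted input. */
void echo_unsafe(const char *user)
{
    printf(user);            /* format string controlled by the caller */
    printf("\n");
}

/* Hardened form: the format is a constant and the data is a %s argument.
 * A % inside the data is printed as a literal character, never interpreted. */
void echo_safe(const char *user)
{
    printf("%s\n", user);
}

/* Hypothetical validation helper: count the conversion directives printf()
 * would act on if this string were used as a format. "%%" is a literal
 * percent and is not counted. Returns the number of directives found; a
 * non-zero result on data that should contain none is worth logging. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%": escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Render through the safe path into a static buffer so the result can be
 * inspected: the output is the input, byte for byte, with no % expanded. */
const char *render_safe(const char *user)
{
    static char out[256];
    snprintf(out, sizeof out, "%s", user);
    return out;
}

int main(void)
{
    /* Constructed sample inputs for the demonstration. */
    const char *benign = "hello";
    const char *suspicious = "%08x %08x %n";
    const char *hex_escaped = "\x25x";   /* compiler turns \x25 into '%' */

    printf("benign: %d directive(s)\n", count_format_directives(benign));
    printf("suspicious: %d directive(s)\n", count_format_directives(suspicious));
    printf("hex-escaped: %d directive(s)\n", count_format_directives(hex_escaped));

    /* Same input, safe path: the directives are printed, not interpreted. */
    echo_safe(suspicious);
    return 0;
}
```

Compile with warnings enabled (gcc -Wall -Wformat-security) and the compiler itself flags the echo_unsafe() call as a non-literal format string; the helper covers the cases where the formatting happens in code the compiler cannot see, such as a logging wrapper that forwards its argument.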
Figure 8-1: Depiction of the stack when printf() is executed
Example Vulnerable Program
For the remainder of this section, we will use the following piece of vulnerable code to
demonstrate the possibilities:
//fmtstr.c
#include <stdio.h>
int main(int argc, char *argv[]){
    static int canary=0; // stores the canary value in .