CWE-134 Details

CWE-134

Use of Externally-Controlled Format String
Hoch
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Benachrichtigungen verwalten

Name: Use of Externally-Controlled Format String

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Allgemeine Informationen

Einführungsmodi

Implementation : The programmer rarely intends for a format string to be externally-controlled at all. This weakness is frequently introduced in code that constructs log messages, where a constant format string is omitted.
Implementation : In cases such as localization and internationalization, the language-specific message repositories could be an avenue for exploitation, but the format string issue would be resultant, since attacker control of those repositories would also allow modification of message length, format, and content.

Anwendbare Plattformen

Sprache

Class: Not Language-Specific (Undetermined)
Name: C (Often)
Name: C++ (Often)
Name: Perl (Rarely)

Häufige Konsequenzen

Bereich Auswirkung Wahrscheinlichkeit
ConfidentialityRead Memory

Note: Format string problems allow for information disclosure which can severely simplify exploitation of the program.
Integrity
Confidentiality
Availability		Modify Memory, Execute Unauthorized Code or Commands

Note: Format string problems can result in the execution of arbitrary code, buffer overflows, denial of service, or incorrect data representation.

Beobachtete Beispiele

Referenzen Beschreibung

CVE-2002-1825

format string in Perl program

CVE-2001-0717

format string in bad call to syslog function

CVE-2002-0573

format string in bad call to syslog function

CVE-2002-1788

format strings in NNTP server responses

CVE-2006-2480

Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.

CVE-2007-2027

Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages

Mögliche Gegenmaßnahmen

Phases : Requirements
Choose a language that is not subject to this flaw.
Phases : Implementation
Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Phases : Build and Compilation
Run compilers and linkers with high warning levels, since they may detect incorrect usage.

Erkennungsmethoden

Automated Static Analysis

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.

Black Box

Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.
Wirksamkeit : Limited

Automated Static Analysis - Binary or Bytecode

Wirksamkeit : High

Manual Static Analysis - Binary or Bytecode

Wirksamkeit : SOAR Partial

Dynamic Analysis with Automated Results Interpretation

Wirksamkeit : SOAR Partial

Dynamic Analysis with Manual Results Interpretation

Wirksamkeit : SOAR Partial

Manual Static Analysis - Source Code

Wirksamkeit : High

Automated Static Analysis - Source Code

Wirksamkeit : High

Architecture or Design Review

Wirksamkeit : High

Hinweise zur Schwachstellen-Zuordnung

Begründung : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Kommentar : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Verwandte Angriffsmuster

CAPEC-ID Name des Angriffsmusters
CAPEC-135 Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
CAPEC-67 String Format Overflow in syslog()
This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.

Hinweise



Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.

Referenzen

REF-116

Format String Vulnerabilities in Perl Programs
Steve Christey.
https://seclists.org/fulldisclosure/2005/Dec/91

REF-117

Programming Language Format String Vulnerabilities
Hal Burch, Robert C. Seacord.
https://drdobbs.com/security/programming-language-format-string-vulne/197002914

REF-118

Format String Attacks
Tim Newsham.
https://seclists.org/bugtraq/2000/Sep/214

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-962

Automated Source Code Security Measure (ASCSM)
Object Management Group (OMG).
http://www.omg.org/spec/ASCSM/1.0/

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Einreichung

Name Organisation Datum Veröffentlichungsdatum Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Änderungen

Name Organisation Datum Kommentar
KDM Analytics 2008-08-01 +00:00 added/updated white box definitions
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Common_Consequences, Detection_Factors, Modes_of_Introduction, Relationships, Other_Notes, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team MITRE 2008-11-24 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Relationships
CWE Content Team MITRE 2009-05-27 +00:00 updated Demonstrative_Examples
KDM Analytics 2009-07-17 +00:00 Improved the White_Box_Definition
CWE Content Team MITRE 2009-07-27 +00:00 updated White_Box_Definitions
CWE Content Team MITRE 2010-02-16 +00:00 updated Detection_Factors, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-27 +00:00 updated Modes_of_Introduction, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated Observed_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2014-07-30 +00:00 updated Demonstrative_Examples, Detection_Factors, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2015-12-07 +00:00 updated Description, Modes_of_Introduction, Name, Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Causal_Nature, Functional_Areas, Likelihood_of_Exploit, Other_Notes, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-01-03 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2019-09-19 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-04-03 +00:00 updated Common_Consequences, Demonstrative_Examples, Description, Diagram, Other_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, Functional_Areas, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms
Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.