CWE-134 Detail

CWE-134: Use of Externally-Controlled Format String
Likelihood of Exploit: High
Status: Draft
Created: 2006-07-19 00:00 +00:00
Last modified: 2025-12-11 00:00 +00:00

Name: Use of Externally-Controlled Format String

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

General Information

Modes Of Introduction

Implementation : The programmer rarely intends for a format string to be externally-controlled at all. This weakness is frequently introduced in code that constructs log messages, where a constant format string is omitted.
Implementation : In cases such as localization and internationalization, the language-specific message repositories could be an avenue for exploitation, but the format string issue would be resultant, since attacker control of those repositories would also allow modification of message length, format, and content.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)
Name: C (Often)
Name: C++ (Often)
Name: Perl (Rarely)

Common Consequences

Scope: Confidentiality
Impact: Read Memory
Note: Format string problems allow for information disclosure, which can severely simplify exploitation of the program.

Scope: Integrity, Confidentiality, Availability
Impact: Modify Memory, Execute Unauthorized Code or Commands
Note: Format string problems can result in the execution of arbitrary code, buffer overflows, denial of service, or incorrect data representation.

Observed Examples

CVE-2002-1825: format string in Perl program
CVE-2001-0717: format string in bad call to syslog function
CVE-2002-0573: format string in bad call to syslog function
CVE-2002-1788: format strings in NNTP server responses
CVE-2006-2480: Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.
CVE-2007-2027: Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages

Potential Mitigations

Phases : Requirements
Choose a language that is not subject to this flaw.
Phases : Implementation
Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments is always passed to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Phases : Build and Compilation
Run compilers and linkers with high warning levels, since they may detect incorrect usage.
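As an added illustration of the mitigations above (my own code, not part of the CWE entry): the logging pattern that omits the constant format string beside its hardened form, plus a check for the localization case from the Modes of Introduction, where a message-catalog string is accepted only if its conversion specifiers match the reference format exactly and never include %n. All function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern named in the CWE text: the constant format string
 * is omitted, so the message itself is parsed for directives. Rendered
 * into a buffer here (constructed demo) instead of a real log sink;
 * compilers flag this call under -Wformat-security. */
int render_log_vulnerable(char *out, size_t n, const char *msg) {
    return snprintf(out, n, msg);   /* msg is used as the format string */
}

/* Hardened form: a constant format string; msg is only ever an argument,
 * so "%x %n" inside msg is copied literally, never interpreted. */
int render_log_safe(char *out, size_t n, const char *msg) {
    return snprintf(out, n, "%s", msg);
}

/* Collect the conversion characters of fmt into specs, in order.
 * Returns false for a dangling '%', an overlong list, or any %n. */
static bool collect_specs(const char *fmt, char *specs, size_t cap) {
    size_t k = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                      /* literal percent */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == '\0' || *p == 'n' || k + 1 >= cap) return false;
        specs[k++] = *p;
    }
    specs[k] = '\0';
    return true;
}

/* Localization case: a translated message may be used as a format string
 * only if its conversion specifiers equal the reference's, in order. */
bool format_matches_reference(const char *ref, const char *candidate) {
    char a[32], b[32];
    return collect_specs(ref, a, sizeof a) &&
           collect_specs(candidate, b, sizeof b) &&
           strcmp(a, b) == 0;
}
```

The two render functions agree on plain text and diverge only when the message carries '%' directives, which is exactly the input a static-string policy rules out.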

Detection Methods

Automated Static Analysis

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.

Black Box

Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source).
Effectiveness : Limited

Automated Static Analysis - Binary or Bytecode

Effectiveness : High

Manual Static Analysis - Binary or Bytecode

Effectiveness : SOAR Partial

Dynamic Analysis with Automated Results Interpretation

Effectiveness : SOAR Partial

Dynamic Analysis with Manual Results Interpretation

Effectiveness : SOAR Partial

Manual Static Analysis - Source Code

Effectiveness : High

Automated Static Analysis - Source Code

Effectiveness : High

Architecture or Design Review

Effectiveness : High

Vulnerability Mapping Notes

Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID: Attack Pattern Name
CAPEC-135: Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s prints the contents of a memory location, expecting that location to hold a string, and the formatting character %n writes the number of characters output so far (as a DWORD) into memory. An adversary can use this to read from or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
CAPEC-67: String Format Overflow in syslog()
This attack targets applications and software that use the syslog() function insecurely. If an application does not explicitly use a format string parameter in a call to syslog(), user input can be placed in the format string parameter, leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call, leading to a buffer overflow. There are many reported software vulnerabilities whose root cause is a misuse of the syslog() function.

Notes

Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.

References

REF-116

Format String Vulnerabilities in Perl Programs
Steve Christey.
https://seclists.org/fulldisclosure/2005/Dec/91

REF-117

Programming Language Format String Vulnerabilities
Hal Burch, Robert C. Seacord.
https://drdobbs.com/security/programming-language-format-string-vulne/197002914

REF-118

Format String Attacks
Tim Newsham.
https://seclists.org/bugtraq/2000/Sep/214

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-962

Automated Source Code Security Measure (ASCSM)
Object Management Group (OMG).
http://www.omg.org/spec/ASCSM/1.0/

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Submissions

Name: PLOVER
Date: 2006-07-19 +00:00
Release Date: 2006-07-19 +00:00
Version: Draft 3

Modifications

Name Organization Date Comment
KDM Analytics 2008-08-01 +00:00 added/updated white box definitions
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Common_Consequences, Detection_Factors, Modes_of_Introduction, Relationships, Other_Notes, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team MITRE 2008-11-24 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Relationships
CWE Content Team MITRE 2009-05-27 +00:00 updated Demonstrative_Examples
KDM Analytics 2009-07-17 +00:00 Improved the White_Box_Definition
CWE Content Team MITRE 2009-07-27 +00:00 updated White_Box_Definitions
CWE Content Team MITRE 2010-02-16 +00:00 updated Detection_Factors, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-27 +00:00 updated Modes_of_Introduction, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated Observed_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2014-07-30 +00:00 updated Demonstrative_Examples, Detection_Factors, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2015-12-07 +00:00 updated Description, Modes_of_Introduction, Name, Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Causal_Nature, Functional_Areas, Likelihood_of_Exploit, Other_Notes, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-01-03 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2019-09-19 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-04-03 +00:00 updated Common_Consequences, Demonstrative_Examples, Description, Diagram, Other_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, Functional_Areas, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms