CWE-134 Detail

CWE-134: Use of Externally-Controlled Format String
Likelihood of exploit: High
Status: Draft
Submitted: 2006-07-19
Last modified: 2025-12-11

Name: Use of Externally-Controlled Format String

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

General information

Modes of introduction

Implementation: The programmer rarely intends for a format string to be externally controlled at all. This weakness is frequently introduced in code that constructs log messages, where a constant format string is omitted.
Implementation: In cases such as localization and internationalization, the language-specific message repositories could be an avenue for exploitation, but the format string issue would be resultant, since attacker control of those repositories would also allow modification of message length, format, and content.

Applicable platforms

Language

Class: Not Language-Specific (Undetermined)
Name: C (Often)
Name: C++ (Often)
Name: Perl (Rarely)

Common consequences

Scope: Confidentiality
Impact: Read Memory
Note: Format string problems allow for information disclosure, which can severely simplify exploitation of the program.

Scope: Integrity, Confidentiality, Availability
Impact: Modify Memory, Execute Unauthorized Code or Commands
Note: Format string problems can result in the execution of arbitrary code, buffer overflows, denial of service, or incorrect data representation.

Observed examples

Reference: Description
CVE-2002-1825: format string in Perl program
CVE-2001-0717: format string in bad call to syslog function
CVE-2002-0573: format string in bad call to syslog function
CVE-2002-1788: format strings in NNTP server responses
CVE-2006-2480: Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.
CVE-2007-2027: Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages

Potential mitigations

Phase: Requirements
Choose a language that is not subject to this flaw.

Phase: Implementation
Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments is always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Phase: Build and Compilation
Run compilers and linkers with high warning levels, since they may detect incorrect usage.
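As an added illustration of the Implementation and Build-and-Compilation mitigations above (this is not code from the CWE entry; the function names are my own), the weak logging pattern sits beside its hardened form, together with a small check a logging wrapper or reviewer can apply to external text before it reaches a format function:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Weak pattern named by CWE-134: the externally supplied text *is* the
 * format string, so every conversion specifier in it gets interpreted.
 * The pragmas silence the warnings (-Wformat-security, -Wformat-nonliteral)
 * that a high warning level would raise here; in real code, keep them on. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_weak(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, user_text);   /* user_text used as format */
}

/* Hardened pattern: constant format string, external text passed as data
 * through %s, so it is copied verbatim and never interpreted. */
int log_safe(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, "%s", user_text);
}

/* Wrapper/review check: does a string carry any conversion directive?
 * A '%' escaped as "%%" is a literal percent sign and is harmless. */
bool has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" -> literal '%' */
            s++;
            continue;
        }
        return true;            /* %s, %n, ... would be interpreted */
    }
    return false;
}

int main(void)
{
    /* Constructed input: a benign message that merely contains "%%". */
    const char *msg = "disk 100%% full";
    char buf[64];

    log_weak(buf, sizeof buf, msg);
    printf("weak: %s\n", buf);   /* "%%" collapsed: text was interpreted */
    log_safe(buf, sizeof buf, msg);
    printf("safe: %s\n", buf);   /* copied verbatim */
    printf("directive in \"id=%%s\"? %d\n", has_format_directive("id=%s"));
    return 0;
}
```

The collapsed "%%" in the weak output is the tell-tale that the external text was interpreted rather than copied; with a real specifier the weak call would read missing arguments, which is the undefined behaviour the consequences section describes.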

Detection methods

Automated Static Analysis

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.

Black Box

Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source).
Effectiveness: Limited

Automated Static Analysis - Binary or Bytecode

Effectiveness: High

Manual Static Analysis - Binary or Bytecode

Effectiveness: SOAR Partial

Dynamic Analysis with Automated Results Interpretation

Effectiveness: SOAR Partial

Dynamic Analysis with Manual Results Interpretation

Effectiveness: SOAR Partial

Manual Static Analysis - Source Code

Effectiveness: High

Automated Static Analysis - Source Code

Effectiveness: High

Architecture or Design Review

Effectiveness: High

Vulnerability mapping notes

Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related attack patterns

CAPEC-ID: Attack pattern name
CAPEC-135: Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s will print the contents of a memory location, expecting this location to identify a string, and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
CAPEC-67: String Format Overflow in syslog()
This attack targets applications and software that use the syslog() function insecurely. If an application does not explicitly use a format string parameter in a call to syslog(), user input can be placed in the format string parameter, leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call, leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.

Notes

Format string issues are under-studied for languages other than C. Memory or disk consumption, control flow or variable alteration, and data corruption may result from format string exploitation in applications written in other languages such as Perl, PHP, Python, etc.

References

REF-116

Format String Vulnerabilities in Perl Programs
Steve Christey.
https://seclists.org/fulldisclosure/2005/Dec/91

REF-117

Programming Language Format String Vulnerabilities
Hal Burch, Robert C. Seacord.
https://drdobbs.com/security/programming-language-format-string-vulne/197002914

REF-118

Format String Attacks
Tim Newsham.
https://seclists.org/bugtraq/2000/Sep/214

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-962

Automated Source Code Security Measure (ASCSM)
Object Management Group (OMG).
http://www.omg.org/spec/ASCSM/1.0/

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Submission

Name: PLOVER | Organization: (not listed) | Date: 2006-07-19 | Release date: 2006-07-19 | Version: Draft 3

Modifications

Name Organization Date Comment
KDM Analytics 2008-08-01 +00:00 added/updated white box definitions
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Common_Consequences, Detection_Factors, Modes_of_Introduction, Relationships, Other_Notes, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team MITRE 2008-11-24 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Relationships
CWE Content Team MITRE 2009-05-27 +00:00 updated Demonstrative_Examples
KDM Analytics 2009-07-17 +00:00 Improved the White_Box_Definition
CWE Content Team MITRE 2009-07-27 +00:00 updated White_Box_Definitions
CWE Content Team MITRE 2010-02-16 +00:00 updated Detection_Factors, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-27 +00:00 updated Modes_of_Introduction, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated Observed_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2014-07-30 +00:00 updated Demonstrative_Examples, Detection_Factors, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2015-12-07 +00:00 updated Description, Modes_of_Introduction, Name, Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Causal_Nature, Functional_Areas, Likelihood_of_Exploit, Other_Notes, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-01-03 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2019-09-19 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-04-03 +00:00 updated Common_Consequences, Demonstrative_Examples, Description, Diagram, Other_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, Functional_Areas, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms