SDL Digest, Vol 11, Issue 33

Message: 1
Date: Tue, 29 Mar 2005 00:39:36 +0300
From: Petri Latvala
Subject: Re: [SDL] Re: How do I get SDL_TTF to print out numbers?
To: Wes Wannemacher, "A list for developers using the SDL library. (includes SDL-announce)"
Message-ID: <20050328213936.GH4535 at adrinael.net>
Content-Type: text/plain; charset="us-ascii"

On Mon, Mar 28, 2005 at 11:08:15AM -0500, Wes Wannemacher wrote:

#include <stdio.h>

int
main(int argc, char **argv)
{
    char name[40];                      /* 39 characters plus the terminating NUL */
    printf("enter your name: ");
    scanf("%s", name);                  /* name, not &name: %s expects a char *;
                                           %s has no width limit, so input longer
                                           than 39 characters overflows name */
    printf("your name is: %s\n", name);
    return 0;
}

I’ve heard that if you pass format characters through the prompt you
can potentially gain access to other information in the stack.

Yes, if you use printf this way:

printf(name);

Then name can contain format characters, and they will be parsed and
stack will be read.


Petri Latvala

Not only can memory be potentially read but control may be taken of
program execution.

ANSI-C contains a format string character, %n, which writes the
number of bytes written to the corresponding argument. An attacker
can also take advantage of $1,$20,$300, etc argument control to choose
where he is writing. Then values can be arbitrarily increased with
something like %43894d. Think about this, they can write anywhere
they want with any value they want. Always use format strings for
functions which expect them. syslog, printf, etc.

This sounds very scary, indeed. What does one need to do in order to avoid
such potential disaster? Refrain entirely from printf, etc.? I’m a newbie,
so if the question I just asked is dumb, sorry… I just like the simple
beauty of allocating an array of char, throwing all my text,numbers,etc all
at once into it, and throwing that at SDL_TTF…

-Dave



SDL mailing list
SDL at libsdl.org
http://www.libsdl.org/mailman/listinfo/sdl

On Wednesday 30 March 2005 15:57, David Olsen wrote:

This sounds very scary, indeed. What does one need to do in order to
avoid such potential disaster? Refrain entirely from printf, etc.? I’m
a newbie, so if the question I just asked is dumb, sorry… I just
like the simple beauty of allocating an array of char, throwing all my
text,numbers,etc all at once into it, and throwing that at SDL_TTF…

-Dave

Never use a user supplied string as a format string, and use snprintf
which allows you to specify the size of the buffer that you’re writing
to.

Eg

with
char buf[100];
use
snprintf(buf, 100, "%s", input);
rather than
sprintf(buf, input);

note that snprintf isn’t ansi C, but I think you’ll find it available
pretty much everywhere.

Julian.

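Petri's warning about printf(name), the %n follow-up, Dave's question and Julian's snprintf advice all reduce to one rule: the format string is a constant in your own source and the user's text is only ever an argument. The C below is an added example written for this digest, not code posted by anyone on the list; render_label and count_format_directives are names chosen here, and the hostile-looking input is constructed from the directives the thread mentions.

```c
#include <stdio.h>
#include <string.h>

/* Build a display label such as "name: score" in a fixed-size buffer, the
 * "text and numbers thrown into one char array" case from the thread.  The
 * untrusted name is an argument to a constant format, never the format, so
 * "%n" or "%43894d" inside it are copied as plain characters.
 * Returns 1 if the whole label fit, 0 if it was truncated (dst still holds a
 * NUL-terminated prefix). */
int render_label(char *dst, size_t dstlen, const char *name, int score)
{
    int needed;
    if (dstlen == 0)
        return 0;
    needed = snprintf(dst, dstlen, "%s: %d", name, score);
    if (needed < 0) {               /* encoding error: leave an empty string */
        dst[0] = '\0';
        return 0;
    }
    /* snprintf returns the length the full output would have had */
    return (size_t)needed < dstlen;
}

/* Count '%' conversion introducers in untrusted text; "%%" is a literal
 * percent sign, not a directive.  With a constant format this is not needed
 * for safety, but it is a cheap signal worth logging when someone is feeding
 * format directives into an input field. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char label[32];
    /* constructed sample input using the directives named in the thread */
    const char *probe = "%43894d%n";
    int directives = count_format_directives(probe);

    if (directives > 0)
        fprintf(stderr, "warning: input contains %d format directive(s)\n", directives);
    if (render_label(label, sizeof label, probe, 7))
        printf("%s\n", label);      /* the probe text appears verbatim: "%43894d%n: 7" */
    else
        printf("label truncated\n");
    return 0;
}
```

Compiling with gcc or clang and -Wall -Wformat -Wformat-security flags the printf(name) form from the thread ("format not a string literal and no format arguments"), so the compiler catches that bug before any input does. snprintf's return value is the length the complete output would have had, which is what render_label uses to report truncation instead of silently cutting the label short.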


On Tuesday 29 March 2005 07:57 pm, David Olsen wrote:

This sounds very scary, indeed. What does one need to do in order to avoid
such potential disaster? Refrain entirely from printf, etc.?

Ack, no! printf() is God’s gift to debugging :wink: Your program has control
over what arguments are sent to printf. The potential for exploits comes from
user input (eg: scanf, strcpy, etc). Your program should check for possible
buffer overflows, suspicious format specifiers in the input, etc. Simple
example:

if (strlen(source) >= BufferSize)
    error("Whoops! Input too big!");
else
    strcpy(buffer, source);

scanf() and fscanf() should be avoided for other reasons also. Unless input
is coming from a file with known format, it’s better to write your own input
parsing routines.

HTH,
Jeff

Left to themselves, things tend to go from bad to worse.
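Jeff's two pieces of advice, check the length before copying and write your own input parsing instead of relying on scanf(), can be made concrete. The C below is an added example, not Jeff's code or anything posted to the list: read_line, take_name, take_int and the field_status codes are names and conventions chosen for this example. It replaces the scanf("%s", name) of the original program with a reader that can never write past its buffer and reports an over-long line instead of truncating it, and it parses the score with strtol so that trailing junk and out-of-range values are rejected rather than silently accepted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <limits.h>

/* Outcome of taking one field out of a line (names chosen for this example). */
enum field_status { FIELD_OK = 0, FIELD_EMPTY, FIELD_TOO_LONG, FIELD_BAD_NUMBER };

/* Read one line into buf, never writing more than buflen-1 bytes plus the NUL.
 * Returns 1 for a complete line (newline stripped), -1 if the line was longer
 * than the buffer (the rest of it is drained so it cannot be mistaken for the
 * next answer), and 0 at end of file with nothing read. */
int read_line(FILE *stream, char *buf, size_t buflen)
{
    size_t n;
    int c;
    if (buflen == 0)
        return 0;
    if (fgets(buf, (int)buflen, stream) == NULL) {
        buf[0] = '\0';
        return 0;
    }
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    c = getc(stream);
    if (c == EOF || c == '\n')      /* line ended exactly at the buffer's capacity */
        return 1;
    while (c != EOF && c != '\n')   /* over-long line: discard the remainder */
        c = getc(stream);
    return -1;
}

/* Jeff's length check as a function: copy src into dst only if it fits,
 * otherwise report the problem instead of overflowing. */
enum field_status take_name(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n == 0)
        return FIELD_EMPTY;
    if (n >= dstlen)
        return FIELD_TOO_LONG;
    memcpy(dst, src, n + 1);        /* n+1 copies the terminating NUL */
    return FIELD_OK;
}

/* Parse a decimal integer with the checks scanf("%d") does not make:
 * no digits at all, trailing junk and out-of-range values are rejected. */
enum field_status take_int(int *out, const char *src)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(src, &end, 10);
    if (end == src)
        return FIELD_BAD_NUMBER;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return FIELD_BAD_NUMBER;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return FIELD_BAD_NUMBER;
    *out = (int)v;
    return FIELD_OK;
}

int main(void)
{
    char line[64], name[40];
    int score;

    printf("enter your name: ");
    fflush(stdout);
    if (read_line(stdin, line, sizeof line) != 1 ||
        take_name(name, sizeof name, line) != FIELD_OK) {
        fprintf(stderr, "name missing or longer than %zu characters\n", sizeof name - 1);
        return 1;
    }
    printf("enter your score: ");
    fflush(stdout);
    if (read_line(stdin, line, sizeof line) != 1 || take_int(&score, line) != FIELD_OK) {
        fprintf(stderr, "score is not a valid integer\n");
        return 1;
    }
    printf("%s scored %d\n", name, score);   /* constant format; name is an argument */
    return 0;
}
```

The reader keeps the line buffer larger than the name buffer on purpose: read_line deals with the stream, take_name decides whether the text fits the destination, and each failure is reported to the caller rather than handled by guessing.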

And everyone seems to be forgetting about snprintf(…) which allows
you to specify a size, so you don’t have that whacky craziness.

On Wed, 30 Mar 2005 05:42:39 -0800, Jeff <j_post at pacbell.net> wrote:



Casey O’Donnell
RPI STS Department - Graduate Student

http://homepage.mac.com/codonnell/
http://homepage.mac.com/codonnell/wxsync/
http://homepage.mac.com/codonnell/wxblogger/