Question

2. A successful format string unauthorized memory. Answer the followings with proper explanation: [2 points a. This attack will lead to violation of which security policies? Explain your attack attempted to steal user account information by reading from answer

Answer 1

Answer:-

There are several format strings that specify output in C and many other programming languages but our focus is on C.

Format string vulnerabilities are a class of bug that take advantage of an easily avoidable programmer error. If the programmer passes an attacker-controlled buffer as an argument to a printf (or any of the related functions, including sprintf, fprintf, etc), the attacker can perform writes to arbitrary memory addresses. The following program contains such an error:

Since printf has a variable number of arguments, it must use the format string to determine the number of arguments. In the case above, the attacker can pass the string “%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p” and fool the printf into thinking it has 15 arguments. It will naively print the next 15 addresses on the stack, thinking they are its arguments:

work well for identifying policy violations or process weaknesses, but to really evaluate the technical vulnerabilities in your environment, you will need to perform some sort of security testing. Although passive testing sounds harmless, beware that the definition of passive is not always consistent across the field. There are definitely gray areas to be aware of; any testing should require appropriate senior management approval. Most security scanners or vulnerability scanners are tools with large databases of known attacks and weaknesses and will scan the environment for signs of vulnerabilities or compromises. .

Preventing Format String Vulnerabilities

• Always specify a format string as part of program, not as an input. Most format string vulnerabilities are solved by specifying “%s” as format string and not using the data string as format string
• If possible, make the format string a constant. Extract all the variable parts as other arguments to the call. Difficult to do with some internationalization libraries
• If the above two practices are not possible, use defenses such as Format_Guard . Rare at design time. Perhaps a way to keep using a legacy application and keep costs down.Increase trust that a third-party application will be safe