ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

Finding faults in back end C CGI programs dealing with sloppy format string programming #1539

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Many of the back end interfaces use a secondary programming language, often 
compiled, to interface to a variety of system functions.  C and C++ are two of 
the more popular "traditional" languages that are used.  The Format String 
exploit occurs when the submitted data of an input string is evaluated as a 
command by the application. In this way, the attacker could execute code, read 
the stack, or cause a segmentation fault in the running application, causing 
new behaviors that could compromise the security or the stability of the system.

To understand the attack, it’s necessary to understand the components that 
constitute it.

• The Format Function is an ANSI C conversion function, like printf, fprintf, 
which converts a primitive variable of the programming language into a 
human-readable string representation.

• The Format String is the argument of the Format Function and is an ASCIIZ 
string which contains text and format parameters, like: printf ("The magic 
number is: %d\n", 1911);

• The Format String Parameter, like %x %s defines the type of conversion of 
the format function.

The attack could be executed when the application doesn’t properly validate 
the submitted input. In this case, if a Format String parameter, like %x, is 
inserted into the posted data, the string is parsed by the Format Function, and 
the conversion specified in the parameters is executed. However, the Format 
Function is expecting more arguments as input, and if these arguments are not 
supplied, the function could read or write the stack.

It should be possible to detect this vulnerability by causing the code to 
either hard crash or by using things such as %x to cause the code web site to 
return an abnormally large response.

Original issue reported on code.google.com by msra...@gmail.com on 23 Feb 2015 at 7:00
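As an added illustration (not code from this issue or from ZAP), here is a hypothetical C CGI handler showing the bug the report describes next to its fixed form, plus a small check that recognises input containing printf conversions such as the %x probes mentioned above. All function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical CGI handler that echoes a "name" parameter back to the client. */

/* VULNERABLE: attacker-controlled text is passed as the FORMAT argument.
 * "%x%x%x" makes printf read variadic arguments that were never supplied
 * (stack contents leak into the response, or the process crashes), and
 * "%n" turns a read into a write. */
void echo_unsafe(const char *name)
{
    printf("Content-Type: text/plain\r\n\r\n");
    printf(name);                 /* BUG: data used as format string */
}

/* FIXED: the format string is a constant; user data is only ever an argument
 * to %s, so any conversion characters in it are printed literally. */
void echo_safe(const char *name)
{
    printf("Content-Type: text/plain\r\n\r\n");
    printf("%s", name);           /* fputs(name, stdout) is equivalent */
}

/* Same fix rendered into a buffer so the result can be checked in a test. */
const char *greet_safe(const char *name)
{
    static char out[256];
    snprintf(out, sizeof out, "Hello, %s!", name);
    return out;
}

/* Defensive check for input that printf would treat as a conversion, e.g. to
 * log or reject probes like the %x payloads the issue proposes. Optional
 * flags/width/length characters between '%' and the conversion are skipped,
 * so "%08x" is caught; "100%" or "50%?" are not. */
bool has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q && strchr("diouxXeEfFgGaAcspn", *q))
            return true;
    }
    return false;
}
```

Building with `-Wformat-security` (or `-Wformat=2`) makes the compiler flag the `printf(name)` call in `echo_unsafe`, which is the cheapest way to find this class of bug before a scanner does.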

GoogleCodeExporter commented 9 years ago
Associated code review request:
https://code.google.com/p/zaproxy/issues/detail?id=1558

Original comment by kingtho...@gmail.com on 18 Mar 2015 at 5:08

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:18