Mitigating the WASC Web Security Threat Classification with Apache: Part 3/Page 4

[previous]

Mitigating the WASC Web Security Threat Classification with Apache: Part 3

Format String Attack

Format String Attacks alter the flow of an application by using string formatting library features to access other memory space. Vulnerabilities occur when user-supplied data is used directly as formatting string input for certain C/C++ functions (e.g., fprintf, printf, sprintf, setproctitle, syslog, etc.). If an attacker passes a format string consisting of printf conversion characters (e.g., "%f", "%p", "%n", etc.) as parameter value to the web application, they may:

Execute arbitrary code on the server. Read values off the stack. Cause segmentation faults / software crashes.

Format String Attack Example

Let's assume that a web application has a parameter emailAddress, dictated by the user. The application prints the value of this variable by using the printf function:

If the value sent to the emailAddress parameter contains conversion characters,printf will parse the conversion characters and use the additionally supplied corresponding arguments. If no such arguments actually exist, data from the stack will be used in accordance to the order expected by the printf function. The possible uses of the Format String Attacks in such a case can be as follows:

Read data from the stack: If the output stream of the printf function is presented back to the attacker, he may read values on the stack by sending the conversion character "%x" (one or more times). Read character strings from the process' memory: If the output stream of the printf function is presented back to the attacker, he can read character strings at arbitrary memory locations by using the "%s" conversion character (and other conversion characters in order to reach specific locations). Write an integer to locations in the process' memory: By using the "%n" conversion character, an attacker may write an integer value to any location in memory (e.g., overwrite important program flags that control access privileges, overwrite return addresses on the stack, etc.).

In the previous example, the correct way to use printf is

In this case, the "emailAddress" variable will not be parsed by the printf function. The following examples were taken from real-world format string vulnerabilities exploits against HTTP-based servers:

The Format String Attack 1 is as follows:

While this second example of a Format String Attack is also valid:

Apache Countermeasures for Format String Attacks

Similar to how we handled the buffer overflow issues, we can utilize the same Mod_Security directives that will check the encodings and byte ranges of the request. A key component of a format string attack is the inclusion of the percent sign (%) in the request. If you are sure that certain client headers will not legitimately need to use this parameter, then you can create additional Mod_Security filters to check for the presence of the % sign. This is needed since the decimal number for the % sign is 25, which is within the allowed range specified by the SecFilterForceByteRange setting of 20 126. The following filter will identify the presence of a % sign in the host client header:

The reason why this filter is needed is that Mod_Security will perform the URL decoding of the request prior to applying these filters. If the % sign is still present, then it will be denied. This concept could be expanded to inspect other client request headers.

References

(Maybe) the first publicly known Format Strings exploit Analysis of format string bugs By Andreas Thuemmel Format string input validation error in wu-ftpd site_exec() function

Excerpted from Preventing Web Attacks with Apache by Ryan C. Barnett. Copyright © 2006. Used with permission of Pearson Education, Addison-Wesley Professional.

[previous]

URL: