Java
Support for printf-style format strings was added in Java 1.5 (String.format(), PrintStream.printf() and the Formatter class). Java programs that let untrusted input reach the format-string argument of these routines contain a format string vulnerability. A malformed format string or too few arguments does not corrupt memory: the runtime throws an unchecked IllegalFormatException subclass (for example MissingFormatArgumentException or UnknownFormatConversionException). Because these exceptions are unchecked, the compiler does not force the caller to handle them, so they frequently propagate up and abort the operation. If such an exception is not handled, attackers may be able to turn it into a denial of service; if it occurs during logging, attackers may be able to prevent their activities from being logged. Java's %n is only the platform line separator, not the C write-to-memory directive, so attackers cannot use it to alter variable values.
Python
The Python language does not contain a sprintf() function but does provide the % (format) operator on strings. This operator has two forms. In the first form, it acts much as sprintf(), taking a format string on the left and a tuple of parameters on the right (a single non-tuple value is treated as a one-element tuple). In the second form, it takes a format string containing %(key)s directives and a dictionary, and looks each key up in that dictionary.
Python checks the parameter tuple to ensure the number of parameters is equal to the number the format string specifies. In the case of a mismatch (too few or too many parameters) Python raises a TypeError. Consequently, a format string vulnerability in a Python program results in an error message and the program terminating unless an error handler deals with the resulting exception. As a result, a format string vulnerability in Python may let attackers launch denial-of-service attacks or circumvent logging facilities (if the Python program crashes before logging the attack). Python does not support %n (it raises a ValueError as an unsupported format character), so attackers cannot use format string vulnerabilities to alter variable values.
In a program using the second (dictionary) form, a format string vulnerability may let attackers view any entry in the dictionary whose key they can guess, including entries the program never intended to display. The impact of such a vulnerability depends greatly on the type of data stored in the dictionary.
Consider the following Python program (written for Python 2, where print is a statement and raw_input() reads a line from the user):

userdata = {"user": "jdoe", "password": "secret"}
passwd = raw_input("Password: ")
if (passwd != userdata["password"]):
    # Vulnerable: the user-supplied password is concatenated into the
    # format string, so the % operator interprets any %(key)s the user typed.
    print ("Password \"" + passwd + "\" is wrong for user %(user)s") % userdata
else:
    print "Welcome!"
Usually, if someone enters an incorrect password, they get a message like this:
Password "green" is wrong for user jdoe
If attackers enter a password of %(password)s, the program outputs the correct password instead of the password entered:
Password "secret" is wrong for user jdoe
By exploiting the format string vulnerability, attackers can trick the program into displaying parts of the dictionary the attacker should not have access to. In this example, the attacker can discover the password.
In addition to gaining access to private data, a malicious user can cause a KeyError exception by supplying a directive whose key is not in the dictionary. In the previous example, entering a password of %(homedir)s would result in a KeyError exception. Depending on exception handling and how the resulting string was to be used, this may let attackers launch denial-of-service attacks or circumvent logging facilities.