How is printf() in C/C++ a Buffer overflow vulnerability?
It is possible to have issues with printf()
, by using as format string a user-provided argument, i.e. printf(arg)
instead of printf("%s", arg)
. I have seen it done way too often. Since the caller did not push extra arguments, a string with some spurious %
specifiers can be used to read whatever is on the stack, and with %n
some values can be written to memory (%n
means: "the next argument is an int *
; go write there the number of characters emitted so far).
However, I find it more plausible that the article you quote contains a simple typographical mistake, and really means sprintf()
, not printf()
.
(I could also argue that apart from gets()
, there is no inherently vulnerable C function; only functions which need to be used with care. The so-called "safe" replacements like snprintf()
don't actually solve the problem; they hide it by replacing a buffer overflow with a silent truncation, which is less noisy but not necessarily better.)
In addition to the answer by @Tom, I would also like to guide you to the OWASP code review guidelines, where some issues on using printf() are highlighted and this answer to a similar question on cs.stackexchange website.
Here is an example that shows how this overflow can help you. Imagine you don't have access to the private members (pwd for example) so printf will help you see the content of this variable
#include <iostream>
#include <stdio.h>
#include <string.h>
using namespace std;
struct SecureLogin{
SecureLogin(const char * login_)
{
strcpy(login,login_);
strcpy(pwd,"ijk");//the user does not see this part of the source code as it is in a DLL
}
char login[8];
private:
char pwd[8];
};
int main() {
// your code goes here
SecureLogin log("abc");
printf("Pwd = %s\n",(&log.login[0])+8);
// Pass a string address which is the base address of the login
// field, but add 8 bytes, which skips onto the pwd field (we know
// login is 8 bytes)
return 0;
}
Output:
Pwd = ijk