CWE-134
Weakness ID: 134 (Weakness Base)
Status: Draft
Description
Summary
The software uses an externally controlled format string in a printf-family function. Such a function can cause buffer overflows or data representation problems.
Time of Introduction
Applicable Platforms
Languages
C
C++
Perl (rarely)
Modes of Introduction
Programs that deliberately use user input as a format string are rare. This weakness is frequently introduced in code that builds log messages without specifying a format string.
In cases such as localization and internationalization, the language-specific message repository can be used as an attack path. Because control of the repository would let an attacker insert messages and thereby arbitrary content, the format string problem arises there as the result of another weakness.
Common Consequences
Scope | Effect |
---|---|
Confidentiality | Format string problems can disclose information that greatly simplifies attacks on the program. |
Access Control | Format string problems can result in the execution of arbitrary code. |
Likelihood of Exploit
Very High
Detection Methods
Automated Static Analysis
This weakness can be detected by automated static analysis. Many modern tools use techniques based on data-flow analysis to reduce false positives.
Black Box:
Because this problem often does not surface in a directly observable way (for example, during the logging of error messages), black-box detection is difficult. Many potential issues lie in strings present in executable files that cannot be related to source code or an equivalent source.
Demonstrative Examples
Vulnerable code
Example 1:
The following example is exploitable because of the printf() call inside printWrapper(). (A stack buffer was added to make the attack easier.)
Example language: C (bad)
#include <stdio.h>
#include <string.h>  /* needed for memcpy(); missing from the original listing */

void printWrapper(char *string) {
    /* Vulnerable: the caller-supplied string is used as the format string. */
    printf(string);
}

int main(int argc, char **argv) {
    char buf[5012];
    /* Stack buffer added to make exploitation easier; copied unchecked on purpose. */
    memcpy(buf, argv[1], 5012);
    printWrapper(argv[1]);
    return (0);
}
Example 2:
The following example copies a command-line argument into a buffer using snprintf().
Example language: C (bad)
#include <stdio.h>

int main(int argc, char **argv) {
    char buf[128];
    ...
    /* Vulnerable: argv[1] is used as the format string instead of as data. */
    snprintf(buf, 128, argv[1]);
}
In this code, an attacker can display the contents of the stack and write to the stack by using a command-line argument that contains format directives. By supplying more directives such as "%x" than the program has arguments, the contents of the stack can be read. (In this example, nothing is passed as an argument to be formatted.)
An attacker can also write to the stack using "%n", because it makes snprintf() write the number of bytes output so far to the specified location. This is different from what is expected when reading a value. In a typical attack, the writes are performed shifted by 4 bytes so as to fully control a pointer value on the stack.
Example 3:
In some implementations, format directives that control the position of the argument make read and write attacks easier. An example of such a directive appears in the following code, written for glibc.
Example language: C (bad)
printf("%d %d %1$d %1$d\n", 5, 9);
This code outputs "5 9 5 5". Combined with half-writes (%hn), it can be used to precisely control arbitrary DWORDs in memory, which simplifies attacks that, as in example 1, would otherwise require writes shifted by 4 bytes.
Observed Examples
Reference | Description |
---|---|
CVE-2002-1825 | format string in Perl program |
CVE-2001-0717 | format string in bad call to syslog function |
CVE-2002-0573 | format string in bad call to syslog function |
CVE-2002-1788 | format strings in NNTP server responses |
CVE-2007-2027 | Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages |
Potential Mitigations
Phase: Requirements
Use a language that is not subject to this weakness.
Phase: Implementation
Ensure that every format string passed to a format function is a static string that cannot be controlled by the user, and that the proper number of arguments is always passed to that function. Whenever possible, use functions that do not support "%n".
Build: Pay attention to compiler and linker warnings, since they may alert you to improper usage.
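As an added illustration of the Implementation and Build mitigations above (this code is not part of the CWE entry), the following C shows a wrapper that takes only a literal format string, declared with the compiler's format attribute so that misuse triggers the warnings the Build phase refers to, and a vetting routine for format strings loaded from a message repository, the localization case noted under Modes of Introduction, that rejects "%n", positional and unknown directives, and oversized widths. The function names and the 64-character width limit are my assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAX_WIDTH 64   /* assumed limit on a field width such as %9999s */

/* Formats into a caller-supplied buffer. The format attribute makes
   GCC/Clang warn when the format is not a literal or the argument count
   does not match, which is the "heed compiler warnings" mitigation. */
__attribute__((format(printf, 3, 4)))
int safe_format(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vets a format string loaded from a message repository (the localization
   case). Returns the number of conversions when every directive is a plain
   %s or %d with at most simple flags and a bounded width; returns -1 if it
   contains %n, positional %N$, '*' widths, or any other directive. The
   caller then checks the count against the arguments it will supply. */
int count_safe_conversions(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* literal percent sign */
        while (*p == '-' || *p == '0' || *p == ' ') p++;
        int width = 0;
        while (*p >= '0' && *p <= '9') {
            width = width * 10 + (*p++ - '0');
            if (width > MAX_WIDTH) return -1;   /* output amplification */
        }
        if (*p == 's' || *p == 'd') { count++; continue; }
        return -1;          /* %n, %hn, %x, %1$d, %*d, trailing '%' ... */
    }
    return count;
}

/* Untrusted input belongs in the argument list, never in the format. */
int render_message(char *out, size_t outsz, const char *untrusted)
{
    return safe_format(out, outsz, "user said: %s", untrusted);
}
```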
Other Notes
This weakness is generally classified in the buffer overflow category, although the buffer is not actually overflowed.
Vulnerabilities caused by this problem are relatively new (1999) and stem from the lack of a practical mechanism for verifying the number of format arguments. Among the format functions, including those of the C runtime, the most common are the printf() family.
This problem appears in a variety of forms.
A *printf() call made without an explicit format string is dangerous and can be attacked. For example, in a given context printf(y,input); cannot be attacked, whereas printf(input); can. When printf(input); is executed, the input string is used as the format string, which can hand stack information to the attacker. Because the argument parameters are taken from the stack, the attacker embeds values in the input string together with format directives and begins reading values from the stack. In the worst case, misuse of this string provides a means of writing an arbitrary value (or a value the attacker needs) into the memory of the running program.
In general, the targets of such attacks are files, processes, and identifiers.
This problem is a well-known weakness in C/C++ and is now rare because it is easy to detect. The main reason it can be attacked lies in the "%n" directive. "%n" writes the number of bytes displayed by the format so far to the location specified by its argument. By deliberately controlling the format string, a malicious user can use values on the stack to create a write-what-where condition (CWE-123).
Other format directives can likewise be used in attacks. For example, the directive "%9999s" can induce a buffer overflow, or produce unexpectedly large output when used in a file-formatting function such as fprintf.
Weakness Ordinalities
Ordinality | Description |
---|---|
Primary | (the weakness exists independently, regardless of the presence of other weaknesses) |
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 20 | Improper Input Validation | Seven Pernicious Kingdoms (primary) 700 |
ChildOf | Weakness Class | 74 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ChildOf | Category | 133 | String Errors | Development Concepts 699 |
ChildOf | Category | 633 | Weaknesses that Affect Memory | Resource-specific Weaknesses (primary) 631 |
ChildOf | Category | 726 | OWASP Top Ten 2004 Category A5 - Buffer Overflows | Weaknesses in OWASP Top Ten (2004) (primary) 711 |
ChildOf | Category | 743 | CERT C Secure Coding Section 09 - Input Output (FIO) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) 734 |
ChildOf | Category | 808 | 2010 Top 25 - Weaknesses On the Cusp | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary) 800 |
PeerOf | Weakness Base | 123 | Write-what-where Condition | Research Concepts 1000 |
MemberOf | View | 630 | Weaknesses Examined by SAMATE | Weaknesses Examined by SAMATE (primary) 630 |
MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary) 635 |
Research Gaps (CWE's view)
Format string problems in languages other than C are under-studied. Memory or disk consumption, alteration of control flow or variables, and data corruption can result from format string attacks on applications written in languages other than C, such as Perl, PHP, and Python.
Functional Areas
Logging
Errors
General Output
Causal Nature
Explicit (a weakness resulting from the developer's actions)
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Format string vulnerability |
7 Pernicious Kingdoms | | | Format String |
CLASP | | | Format string problem |
CERT C Secure Coding | FIO30-C | Exact | Exclude user input from format strings |
OWASP Top Ten 2004 | A1 | CWE More Specific | Unvalidated Input |
CERT C Secure Coding | FIO30-C | | Exclude user input from format strings |
WASC | 6 | | Format String |
White Box Definitions
A weakness where the code path satisfies the following conditions:
1. a start statement that accepts input
2. an end statement that writes to a format string, where
- the input data is part of the format string and the format string is undesirable
Here, "undesirable" refers to one of the following states:
1. not validated
2. validated incorrectly
References
Steve Christey. "Format String Vulnerabilities in Perl Programs". <http://www.securityfocus.com/archive/1/418460/30/0/threaded>.
Hal Burch and Robert C. Seacord. "Programming Language Format String Vulnerabilities". <http://www.ddj.com/dept/security/197002914>.
Tim Newsham. "Format String Attacks". Guardent. September 2000. <http://www.lava.net/~newsham/format-string-attacks.pdf>.
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 5, "Format String Bugs", page 147. 2nd Edition. Microsoft. 2002.
Update History
[2011-04-21]
Updated to the data as of 2010-10-12
[2009-06-29]
Created based on the URL below, as of 2009-02-02
http://cwe.mitre.org/data/definitions/134.html
Registered: 2011/04/21
Last updated: 2023/04/04