George V. Reilly's Technical Blog

Printf %n


In my post about Printf Tricks a couple of years ago, I mentioned that "%n is dangerous and disabled by default in Visual Studio 2005."

I got email today from someone who was porting a large codebase to VS 2005. He was getting an assert from %n and he needed a way to get past it. He intends to fix the uses of %n when he has a chance.

I spent several minutes digging around in MSDN and came up with _set_printf_count_output. Wikipedia's Format string attack page led me to Exploiting Format String Vulnerabilities, which describes in detail how %n (and %s) may be exploited.

In short, if you have printf(unvalidated_user_input), instead of printf("%s", unvalidated_user_input), then placing %n into unvalidated_user_input can lead to printf writing arbitrary data into memory.
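The following is an added example, not code from the original post. It shows what %n does when used as intended, the hardened "%s" call form, and a small audit helper for format strings that come from outside the program; the function names and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Intended use of %n: store the count of characters written so far.
   The MSVC CRT rejects this unless _set_printf_count_output(1) was called. */
int chars_before_marker(const char *word)
{
    char buf[64];
    int count = -1;
    snprintf(buf, sizeof buf, "%s%n!", word, &count);
    return count;
}

/* Hardened call: untrusted text is an argument, never the format string. */
int format_untrusted(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Audit helper (hypothetical name): count printf directives in s that end in
   conversion character conv, skipping "%%", flags, width, precision, length. */
int count_directives(const char *s, char conv)
{
    int hits = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                   /* step past '%' */
        if (*s == '%') { s++; continue; }      /* literal percent sign */
        s += strspn(s, "-+ #0'123456789*$.");  /* flags, width, precision */
        s += strspn(s, "hlLqjzt");             /* length modifiers */
        if (*s == '\0') break;                 /* truncated directive */
        if (*s == conv) hits++;
        s++;
    }
    return hits;
}

int main(void)
{
    char out[32];
    const char *input = "100%n%s";   /* constructed sample input */
    printf("%d\n", chars_before_marker("hello"));
    format_untrusted(out, sizeof out, input);
    printf("%s has %d %%n directive(s)\n", out, count_directives(input, 'n'));
    return 0;
}
```

The helper accepts a slightly wider grammar than printf does, which is the conservative direction for a check that decides whether to reject a format string.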

Posted: Feb 06 2007, 11:19 PM by george_v_reilly | with 2 comment(s)
