CWE-134: Use of Externally-Controlled Format String
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Common Consequences
Scope: Confidentiality
Technical Impact: Read Memory
Note: Format string problems allow for information disclosure which can severely simplify exploitation of the program.
Scope: Integrity, Confidentiality, Availability
Technical Impact: Modify Memory; Execute Unauthorized Code or Commands
Note: Format string problems can result in the execution of arbitrary code, buffer overflows, denial of service, or incorrect data representation.
Potential Mitigations
Phase: Requirements
Description: Choose a language that is not subject to this flaw.
Phase: Implementation
描述: Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Phase: Build and Compilation
描述: Run compilers and linkers with high warning levels, since they may detect incorrect usage.
Detection Methods
Method: Automated Static Analysis
This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.
Method: Black Box
Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source).
Effectiveness: Limited
Method: Automated Static Analysis - Binary or Bytecode
Effectiveness: High
Method: Manual Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Automated Results Interpretation
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Manual Results Interpretation
Effectiveness: SOAR Partial
Method: Manual Static Analysis - Source Code
Effectiveness: High
Method: Automated Static Analysis - Source Code
Effectiveness: High
Method: Architecture or Design Review
Effectiveness: High
Observed Examples
Reference: CVE-2002-1825
format string in Perl program
Reference: CVE-2001-0717
format string in bad call to syslog function
Reference: CVE-2002-0573
format string in bad call to syslog function
Reference: CVE-2002-1788
format strings in NNTP server responses
Reference: CVE-2006-2480
Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.
Reference: CVE-2007-2027
Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | The programmer rarely intends for a format string to be externally-controlled at all. This weakness is frequently introduced in code that constructs log messages, where a constant format string is omitted. |
| Implementation | In cases such as localization and internationalization, the language-specific message repositories could be an avenue for exploitation, but the format string issue would be resultant, since attacker control of those repositories would also allow modification of message length, format, and content. |
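The Implementation-phase mitigation above (a constant format string, the right number of arguments, no `%n`) and the internationalization mode of introduction in the table are illustrated by the following added example; it is not code from the CWE entry or from any project it cites. The function names `log_event_safe`, `count_directives`, `catalog_format_ok` and `render_catalog_message` are hypothetical, and the message-catalog strings in the comments are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/*
 * The pattern CWE-134 describes, kept as a comment rather than live code:
 *
 *     void log_event_unsafe(const char *untrusted) { printf(untrusted); }
 *
 * Here the externally supplied text IS the format string, so its directives
 * are interpreted by printf. GCC/Clang flag this call with -Wformat-security.
 */

/* Hardened logging: the format string is a constant and the untrusted text is
 * only ever a %s argument, so its contents are copied, never interpreted.
 * Returns the snprintf result (characters that would have been written). */
int log_event_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "event: %s", untrusted);
}

/* Count the conversion directives in fmt, allowing only the conversion
 * characters listed in `allowed` (never put 'n' in that set).  "%%" is a
 * literal percent sign, not a directive.  Returns the directive count, or -1
 * if a directive uses a conversion outside `allowed`, a '*' width/precision
 * (which consumes an extra argument), or is truncated. */
int count_directives(const char *fmt, const char *allowed)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                  /* escaped percent sign */
            continue;
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.hlLqjzt", *p))
            p++;
        if (*p == '\0' || !strchr(allowed, *p))
            return -1;                  /* %n, %x, %*s, trailing '%' ... */
        n++;
    }
    return n;
}

/* A localized message catalog entry is usable only if it contains exactly the
 * number of %s directives the call site will supply and nothing else that
 * consumes or writes memory.  Returns 1 if usable, 0 otherwise. */
int catalog_format_ok(const char *fmt, int expected_args)
{
    return count_directives(fmt, "s") == expected_args;
}

/* Render a one-argument catalog message.  If the catalog string fails the
 * check (e.g. a tampered translation such as "%x %x %n"), fall back to a
 * constant format so the user value is still logged but never interpreted. */
int render_catalog_message(char *out, size_t outlen,
                           const char *catalog_fmt, const char *user)
{
    const char *fmt = catalog_format_ok(catalog_fmt, 1) ? catalog_fmt : "%s";
    return snprintf(out, outlen, fmt, user);
}

int main(void)
{
    char buf[64];
    log_event_safe(buf, sizeof buf, "%x%x%n");        /* constructed input */
    puts(buf);                                        /* event: %x%x%n */
    render_catalog_message(buf, sizeof buf, "Hello, %s!", "alice");
    puts(buf);                                        /* Hello, alice! */
    render_catalog_message(buf, sizeof buf, "%x %x %n", "alice");
    puts(buf);                                        /* alice */
    return 0;
}
```

The catalog check is deliberately narrow: it admits only `%s` conversions, because a validated directive count alone would still let a `%d` in a translation file be paired with a `char *` argument. Building with `-Wall -Wformat=2` makes the compiler report every non-literal format string (including the one in `render_catalog_message`), which is the Build-and-Compilation mitigation listed above; such a warning marks exactly the call sites that need a validation step like this one.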
Applicable Platforms
Languages
Taxonomy Mappings
| Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Format string vulnerability | - |
| 7 Pernicious Kingdoms | - | Format String | - |
| CLASP | - | Format string problem | - |
| CERT C Secure Coding | FIO30-C | Exclude user input from format strings | Exact |
| CERT C Secure Coding | FIO47-C | Use valid format strings | CWE More Specific |
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE More Specific |
| WASC | 6 | Format String | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | IDS06-J | Exclude user input from format strings | - |
| SEI CERT Perl Coding Standard | IDS30-PL | Exclude user input from format strings | Exact |
| Software Fault Patterns | SFP24 | Tainted input to command | - |
| OMG ASCSM | ASCSM-CWE-134 | - | - |
Key Information
CWE ID: CWE-134
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit: High