CWE-134 Base Borrador High likelihood

Use of Externally-Controlled Format String

This vulnerability occurs when a program uses a format string from an untrusted, external source (like user input, a network packet, or a file) in a formatting function (e.g., printf, sprintf). An…

Definición

What is CWE-134?

This vulnerability occurs when a program uses a format string from an untrusted, external source (like user input, a network packet, or a file) in a formatting function (e.g., printf, sprintf). An attacker can craft a malicious format string to read or write memory, potentially crashing the application or executing arbitrary code.
Format string vulnerabilities happen because functions like printf interpret special sequences (like %s, %n, %x) in their format argument. When an attacker controls this string, they can use these sequences as instructions to read from the stack, write to arbitrary memory addresses, or leak sensitive information. This is not a buffer overflow; it's a direct misuse of a powerful feature that expects a trusted, developer-controlled format. To prevent this, never pass user-controlled data directly as the format string argument. Always use a static, immutable format string and pass external input as separate arguments to the function (e.g., printf("%s", user_input) instead of printf(user_input)). Input validation is not sufficient here; the architecture of the call itself must be corrected to ensure the attacker never gains control over the formatting instructions.
Vulnerability Diagram CWE-134
Format String Vulnerability User input %x %x %s %n C code printf(user_input); %x → reads stack %n → writes memory no fixed format string Memory leak / write → RCE / disclosure Format specifiers in attacker data read or write process memory.
Impacto en el mundo real

Real-world CVEs caused by CWE-134

  • CVE-2002-1825

    format string in Perl program

  • CVE-2001-0717

    format string in bad call to syslog function

  • CVE-2002-0573

    format string in bad call to syslog function

  • CVE-2002-1788

    format strings in NNTP server responses

  • CVE-2006-2480

    Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.

  • CVE-2007-2027

    Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    The following program prints a string provided as an argument.

  2. 2

    The example is exploitable, because of the call to printf() in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple.

  3. 3

    The following code copies a command line argument into a buffer using snprintf().

  4. 4

    This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.

  5. 5

    Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:

Ejemplo de código vulnerable

Vulnerable C

The following program prints a string provided as an argument.

Vulnerable C 
#include <stdio.h>
  void printWrapper(char *string) {
  		printf(string);
  }
  int main(int argc, char **argv) {
  		char buf[5012];
  		memcpy(buf, argv[1], 5012);
  		printWrapper(argv[1]);
  		return (0);
  }
Ejemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-134

  • Requirements Choose a language that is not subject to this flaw.
  • Implementation Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
  • Build and Compilation Run compilers and linkers with high warning levels, since they may detect incorrect usage.
Señales de detección

How to detect CWE-134

Automated Static Analysis

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.

Black Box Limited

Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.

Automated Static Analysis - Binary or Bytecode High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis ``` Cost effective for partial coverage: ``` Binary / Bytecode simple extractor - strings, ELF readers, etc.

Manual Static Analysis - Binary or Bytecode SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Automated Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Web Application Scanner Web Services Scanner Database Scanners

Dynamic Analysis with Manual Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Fuzz Tester Framework-based Fuzzer

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-134 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-134?

This vulnerability occurs when a program uses a format string from an untrusted, external source (like user input, a network packet, or a file) in a formatting function (e.g., printf, sprintf). An attacker can craft a malicious format string to read or write memory, potentially crashing the application or executing arbitrary code.

¿Qué gravedad tiene CWE-134?

MITRE califica la probabilidad de explotación como Alta — esta debilidad se explota activamente en la práctica y debe priorizarse para su remediación.

¿Qué lenguajes o plataformas se ven afectados por CWE-134?

MITRE lists the following affected platforms: C, C++, Perl.

¿Cómo puedo prevenir CWE-134?

Choose a language that is not subject to this flaw. Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

¿Cómo detecta y corrige Plexicus CWE-134?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-134 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-134?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/134.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-134

CWE-668 Padre

Exposure of Resource to Wrong Sphere

This vulnerability occurs when an application unintentionally makes a resource accessible to users or systems that should not have…

CWE-1189 Hermano

Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

This vulnerability occurs when a System-on-a-Chip (SoC) fails to properly separate shared hardware resources between secure (trusted) and…

CWE-1282 Hermano

Assumed-Immutable Data is Stored in Writable Memory

This vulnerability occurs when data that should be permanent and unchangeable—like a bootloader, device IDs, or one-time configuration…

CWE-1327 Hermano

Binding to an Unrestricted IP Address

This vulnerability occurs when software or a service is configured to bind to the IP address 0.0.0.0 (or :: in IPv6), which acts as a…

CWE-1331 Hermano

Improper Isolation of Shared Resources in Network On Chip (NoC)

This vulnerability occurs when a Network on Chip (NoC) fails to properly separate its internal, shared resources—like buffers, switches,…

CWE-200 Hermano

Exposure of Sensitive Information to an Unauthorized Actor

This weakness occurs when an application unintentionally reveals sensitive data to someone who shouldn't have access to it.

CWE-374 Hermano

Passing Mutable Objects to an Untrusted Method

This vulnerability occurs when a function receives a direct reference to mutable data, such as an object or array, instead of a safe copy…

CWE-375 Hermano

Returning a Mutable Object to an Untrusted Caller

This vulnerability occurs when a method directly returns a reference to its internal mutable data, allowing untrusted calling code to…

CWE-377 Hermano

Insecure Temporary File

This vulnerability occurs when an application creates temporary files with insecure permissions or in predictable locations, allowing…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo