CWE-134 Base Brouillon High likelihood

Use of Externally-Controlled Format String

This vulnerability occurs when a program uses a format string from an untrusted, external source (like user input, a network packet, or a file) in a formatting function (e.g., printf, sprintf). An…

Définition

What is CWE-134?

This vulnerability occurs when a program uses a format string from an untrusted, external source (like user input, a network packet, or a file) in a formatting function (e.g., printf, sprintf). An attacker can craft a malicious format string to read or write memory, potentially crashing the application or executing arbitrary code.
Format string vulnerabilities happen because functions like printf interpret special sequences (like %s, %n, %x) in their format argument. When an attacker controls this string, they can use these sequences as instructions to read from the stack, write to arbitrary memory addresses, or leak sensitive information. This is not a buffer overflow; it's a direct misuse of a powerful feature that expects a trusted, developer-controlled format. To prevent this, never pass user-controlled data directly as the format string argument. Always use a static, immutable format string and pass external input as separate arguments to the function (e.g., printf("%s", user_input) instead of printf(user_input)). Input validation is not sufficient here; the architecture of the call itself must be corrected to ensure the attacker never gains control over the formatting instructions.
Vulnerability Diagram CWE-134
Format String Vulnerability User input %x %x %s %n C code printf(user_input); %x → reads stack %n → writes memory no fixed format string Memory leak / write → RCE / disclosure Format specifiers in attacker data read or write process memory.
Impact réel

Real-world CVEs caused by CWE-134

  • CVE-2002-1825

    format string in Perl program

  • CVE-2001-0717

    format string in bad call to syslog function

  • CVE-2002-0573

    format string in bad call to syslog function

  • CVE-2002-1788

    format strings in NNTP server responses

  • CVE-2006-2480

    Format string vulnerability exploited by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename.

  • CVE-2007-2027

    Chain: untrusted search path enabling resultant format string by loading malicious internationalization messages

Comment les attaquants l'exploitent

Parcours de l'attaquant étape par étape

  1. 1

    The following program prints a string provided as an argument.

  2. 2

    The example is exploitable, because of the call to printf() in the printWrapper() function. Note: The stack buffer was added to make exploitation more simple.

  3. 3

    The following code copies a command line argument into a buffer using snprintf().

  4. 4

    This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.

  5. 5

    Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:

Exemple de code vulnérable

Vulnerable C

The following program prints a string provided as an argument.

Vulnérable C 
#include <stdio.h>
  void printWrapper(char *string) {
  		printf(string);
  }
  int main(int argc, char **argv) {
  		char buf[5012];
  		memcpy(buf, argv[1], 5012);
  		printWrapper(argv[1]);
  		return (0);
  }
Exemple de code sécurisé

Secure pseudo

Sécurisé pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention

How to prevent CWE-134

  • Requirements Choose a language that is not subject to this flaw.
  • Implementation Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
  • Build and Compilation Run compilers and linkers with high warning levels, since they may detect incorrect usage.
Signaux de détection

How to detect CWE-134

Automated Static Analysis

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.

Black Box Limited

Since format strings often occur in rarely-occurring erroneous conditions (e.g. for error message logging), they can be difficult to detect using black box methods. It is highly likely that many latent issues exist in executables that do not have associated source code (or equivalent source.

Automated Static Analysis - Binary or Bytecode High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Bytecode Weakness Analysis - including disassembler + source code weakness analysis Binary Weakness Analysis - including disassembler + source code weakness analysis ``` Cost effective for partial coverage: ``` Binary / Bytecode simple extractor - strings, ELF readers, etc.

Manual Static Analysis - Binary or Bytecode SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Automated Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Web Application Scanner Web Services Scanner Database Scanners

Dynamic Analysis with Manual Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Fuzz Tester Framework-based Fuzzer

Correction automatique Plexicus

Plexicus détecte automatiquement CWE-134 et ouvre une PR de correction en moins de 60 secondes.

Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.

Obtenir une démo Essayer Plexicus gratuitement
Questions fréquentes

Frequently asked questions

Qu'est-ce que CWE-134 ?

This vulnerability occurs when a program uses a format string from an untrusted, external source (like user input, a network packet, or a file) in a formatting function (e.g., printf, sprintf). An attacker can craft a malicious format string to read or write memory, potentially crashing the application or executing arbitrary code.

Quelle est la gravité de CWE-134 ?

MITRE évalue la probabilité d'exploitation comme Élevée — cette faiblesse est activement exploitée et doit être priorisée pour la remédiation.

Quels langages ou plateformes sont affectés par CWE-134 ?

MITRE lists the following affected platforms: C, C++, Perl.

Comment puis-je prévenir CWE-134 ?

Choose a language that is not subject to this flaw. Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Comment Plexicus détecte et corrige CWE-134 ?

Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-134 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.

Où puis-je en savoir plus sur CWE-134 ?

MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/134.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.

Faiblesses associées

Weaknesses related to CWE-134

CWE-668 Parent

Exposure of Resource to Wrong Sphere

This vulnerability occurs when an application unintentionally makes a resource accessible to users or systems that should not have…

CWE-1189 Frère

Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

This vulnerability occurs when a System-on-a-Chip (SoC) fails to properly separate shared hardware resources between secure (trusted) and…

CWE-1282 Frère

Assumed-Immutable Data is Stored in Writable Memory

This vulnerability occurs when data that should be permanent and unchangeable—like a bootloader, device IDs, or one-time configuration…

CWE-1327 Frère

Binding to an Unrestricted IP Address

This vulnerability occurs when software or a service is configured to bind to the IP address 0.0.0.0 (or :: in IPv6), which acts as a…

CWE-1331 Frère

Improper Isolation of Shared Resources in Network On Chip (NoC)

This vulnerability occurs when a Network on Chip (NoC) fails to properly separate its internal, shared resources—like buffers, switches,…

CWE-200 Frère

Exposure of Sensitive Information to an Unauthorized Actor

This weakness occurs when an application unintentionally reveals sensitive data to someone who shouldn't have access to it.

CWE-374 Frère

Passing Mutable Objects to an Untrusted Method

This vulnerability occurs when a function receives a direct reference to mutable data, such as an object or array, instead of a safe copy…

CWE-375 Frère

Returning a Mutable Object to an Untrusted Caller

This vulnerability occurs when a method directly returns a reference to its internal mutable data, allowing untrusted calling code to…

CWE-377 Frère

Insecure Temporary File

This vulnerability occurs when an application creates temporary files with insecure permissions or in predictable locations, allowing…

Ressources

Further reading

Prêt quand vous l'êtes

Arrêtez de payer par développeur.
Commencez à fermer la boucle.

Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.

Commencer gratuitement Réserver une démo