[SDL] Re: SDL Digest, Vol 11, Issue 33

Alex alex00882007 at gmail.com
Tue Mar 29 16:33:48 PST 2005


> Message: 1
> Date: Tue, 29 Mar 2005 00:39:36 +0300
> From: Petri Latvala <adrinael at nuclearzone.org>
> Subject: Re: [SDL] Re: How do I get SDL_TTF to print out numbers?
> To: Wes Wannemacher <techgeek at gmail.com>,       "A list for developers using
>         the SDL library. (includes SDL-announce)"       <sdl at libsdl.org>
> Message-ID: <20050328213936.GH4535 at adrinael.net>
> Content-Type: text/plain; charset="us-ascii"
> 
> On Mon, Mar 28, 2005 at 11:08:15AM -0500, Wes Wannemacher wrote:
> > #include <stdio.h>
> >
> > int
> > main(int argc, char ** argv)
> > {
> >     char name[40];
> >     printf("enter your name: ");
> >     /* width 39 leaves room for the terminating NUL in name[40] */
> >     scanf("%39s", name);
> >     printf("your name is: %s\n", name);
> >     return 0;
> > }
> >
> > I've heard that if you pass format characters through the prompt you
> > can potentially gain access to other information in the stack.
> 
> Yes, if you use printf this way:
> 
> printf(name);
> 
> Then name can contain format characters, and they will be parsed and
> stack will be read.
> 
> --
> Petri Latvala

Not only can memory be potentially read but control may be taken of
program execution.

ANSI-C contains a format string character, %n, which writes the
amount of bytes written to the corresponding argument. An attacker
can also take advantage of $1, $20, $300, etc. argument control to choose
where he is writing. Then values can be arbitrarily increased with
something like %43894d. Think about this, they can write anywhere
they want with any value they want. Always use format strings for
functions which expect them. syslog, printf, etc.
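
Added example, not part of the original post or of SDL: a C sketch of the constant-format pattern recommended above, a check that flags %n directives in untrusted text, and what %n stores when used with a trusted format. The function names and the sample "name" are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if s contains a %n conversion (the one that stores a count through
   a pointer), including positional or length-modified forms like %7$n, %hhn. */
int has_write_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        s++;                                    /* step past '%' */
        if (*s == '%')
            continue;                           /* "%%" is a literal percent */
        s += strspn(s, "0123456789$#-+ '*.hlLqjzt"); /* flags, width, n$, length */
        if (*s == 'n')
            return 1;
        if (*s == '\0')
            break;                              /* truncated directive */
    }
    return 0;
}

/* Safe pattern: constant format string, untrusted text passed only as data. */
int render_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "your name is: %s", untrusted);
}

/* What %n does with a trusted, constant format: stores bytes written so far. */
int bytes_before_n(void)
{
    char buf[32];
    int n = -1;
    snprintf(buf, sizeof buf, "hello%n world", &n);
    return n;
}

int main(void)
{
    const char *name = "%x %5$n";               /* constructed hostile "name" */
    char out[64];

    /* printf(name);  <- unsafe: name would be parsed as the format string */
    render_safe(out, sizeof out, name);
    printf("%s\n", out);                        /* directives appear literally */
    printf("contains %%n: %d\n", has_write_directive(name));
    printf("bytes before %%n: %d\n", bytes_before_n());
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes GCC and Clang warn on calls like `printf(name)` where the format is not a string literal.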



