08 Sep 2000
Security experts have discovered a fresh family of techniques that could use the internationalisation features of operating systems to attack computer systems.
These format string vulnerabilities subvert the internationalisation features found on many operating systems as a mechanism to obtain privileged access and run malicious code.
Programs use the localisation features to display messages in the correct language. In normal operation, a program that needs to display a message to the user obtains the language-specific string from a message database, using the original message as the search key, and prints the result with a printf-style formatting function. It has now been found that this can be subverted.
By building and installing a customised message database, an attacker can control the output of the message retrieval functions, and that output is exactly what gets fed to the formatting function as its format string.
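As an added illustration that is not part of the article or of the Core SDI alert, the C program below models the mechanism just described. The in-memory "catalogues" are constructed stand-ins for a locale message database (names such as trusted_catalogue, hostile_catalogue and render_safe are this example's own), and the program shows the coding pattern that makes a tampered translation dangerous, the pattern that neutralises it, and a simple audit a system administrator could run over a catalogue before installing it.

```c
#include <stdio.h>
#include <string.h>

/* One entry of a message catalogue: original message -> translation.
   Constructed stand-in for a locale database; a real program would load
   this from a catalogue file chosen by the current locale. */
struct msg_entry {
    const char *key;
    const char *translation;
};

/* Constructed: a legitimate catalogue as installed by the system. */
static const struct msg_entry trusted_catalogue[] = {
    {"Permission denied", "Permiso denegado"},
    {"%d files copied",   "%d archivos copiados"},
};

/* Constructed: a tampered catalogue in which a translation carries
   conversion directives that the original message never had. */
static const struct msg_entry hostile_catalogue[] = {
    {"Permission denied", "Permiso %x %x %x denegado"},
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Look up the translation for key; like gettext(), fall back to the key itself. */
static const char *lookup(const struct msg_entry *cat, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(cat[i].key, key) == 0)
            return cat[i].translation;
    return key;
}

/* Count printf conversion directives in s; "%%" is a literal percent sign. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* skip the escaped percent sign */
            continue;
        }
        count++;
    }
    return count;
}

/* Audit a catalogue before installing it: every translation must contain
   exactly as many conversion directives as the message it translates.
   Returns 1 if the whole catalogue passes, 0 if any entry fails. */
int catalogue_is_clean(const struct msg_entry *cat, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (count_conversions(cat[i].translation) != count_conversions(cat[i].key))
            return 0;
    return 1;
}

/* VULNERABLE pattern: the translated text itself becomes the format string,
   so whoever controls the catalogue controls the conversions printf performs. */
int render_vulnerable(char *out, size_t n, const char *translated)
{
    return snprintf(out, n, translated);
}

/* SAFE pattern: the format is a literal under the programmer's control and the
   translated text is passed as data, so its '%' characters are printed verbatim. */
int render_safe(char *out, size_t n, const char *translated)
{
    return snprintf(out, n, "%s", translated);
}

/* Convenience wrappers used by the demo below. */
int audit_trusted_catalogue(void) { return catalogue_is_clean(trusted_catalogue, COUNT(trusted_catalogue)); }
int audit_hostile_catalogue(void) { return catalogue_is_clean(hostile_catalogue, COUNT(hostile_catalogue)); }

/* Fetch key from the tampered catalogue and render it through the safe pattern. */
const char *safe_message_from_hostile(const char *key)
{
    static char out[128];
    render_safe(out, sizeof out, lookup(hostile_catalogue, COUNT(hostile_catalogue), key));
    return out;
}

int main(void)
{
    printf("trusted catalogue clean: %d\n", audit_trusted_catalogue());
    printf("hostile catalogue clean: %d\n", audit_hostile_catalogue());
    /* Even the tampered text is harmless when rendered through the safe pattern. */
    printf("%s\n", safe_message_from_hostile("Permission denied"));
    return 0;
}
```

The audit here only compares the number of directives, which is enough to flag the constructed tampered entry; a fuller check would also compare the directive types between key and translation. Compilers also help with the coding side: GCC's -Wformat-security warns on the render_vulnerable pattern, where a non-literal string with no arguments is used as a format.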
For example, this week Argentinean security firm Core SDI issued a security alert, Unix locale format string vulnerability, which detailed an exploit that affects Linux and Unix systems, and can be remotely exploited.
In a security notice Core SDI explained: "Bad coding practices and the ability to feed format strings to the latter functions makes it possible for an attacker to execute arbitrary code as a privileged user (root) using almost any SUID [set userID] program on the vulnerable systems."
The alert has triggered a string of notices from most Linux and Unix vendors advising users how to deal with the problem.
Ivan Arce, president of Core SDI, said that format string bugs represent a growing trend of security vulnerabilities, and were also known to affect systems based on Microsoft NT as well as Unix.
"Format string bugs have been known for quite some time, but lately a 'string' of format string vulnerabilities has appeared," said Arce.
He said that while some programming knowledge is required, format string bugs are generally not difficult to exploit.
Arce stressed that it was far from an academic issue and a number of real-world exploits of format string vulnerabilities have already been recorded. Format string vulnerabilities in popular packages such as Wu-ftpd have also been recorded, he added.
Roy Hills, testing development director at security firm NTA Monitor, said that he had yet to come across format string vulnerabilities in the field.
"Manufacturers need to get on top of this quickly - perhaps by restricting message libraries," said Hills. "Everyone in the security industry is holding their breath waiting to see how serious format string problems will become."