Formatting in Java is stricter than traditional languages such as C. If any conversion argument mismatches with the corresponding flag, appropriate exceptions are thrown. Although not easily exploitable, it is possible for user input to taint the format string and cause information leaks or denial of serviceThe java.io
package includes a PrintStream
class that has two equivalent formatting methods: format()
and printf()
. System.out
and System.err
are PrintStream
objects, allowing PrintStream
methods to be invoked on the standard output and error streams. The risks from using these methods are not as high as from using similar functions in C or C++ [Seacord 2013]. The standard library implementations throw an exception when any conversion argument fails to match the corresponding format specifier. Although throwing an exception helps mitigate against exploits, if untrusted data is incorporated into a format string, it can result in an information leak or allow a denial-of-service attack. Consequently, unsanitized input from an untrusted source must never be incorporated into format strings.
Noncompliant Code Example
This noncompliant code example demonstrates an information leak issue. The code accepts the credit card expiration date as an input argument and uses it within the format string. In the absence of proper input validation, an artful attacker can glean the date against which the input is being verified. Any of the arguments %1$tm, %1$te or %1$tY
can aid such an attempt.leaks information about a user's credit card. It incorporates untrusted data in a format string.
Code Block | ||
---|---|---|
| ||
class Format { static Calendar c = new GregorianCalendar(1995, GregorianCalendar.MAY, 23); public static void main(String[] args) { // args[0] should iscontain the credit card expiration date // args[0] canbut might contain either %1$tm, %1$te or %1$tY asformat malicious argumentsspecifiers // First argument prints 05 (May), second prints 23 (day) and third prints 1995 (year) // Perform comparison with c, if it doesn't match print the following line System.out.printf(System.out.format( args[0] + " did not match! HINT: It was issued on %1$terd of some month", c ); } } |
In the absence of proper input validation, an attacker can determine the date against which the input is verified by supplying an input string that includes the %1$tm
, %1$te
, or %1$tY
format specifiers. In this example, these format specifiers print 05 (May), 23 (day), and 1995 (year), respectively.
Compliant Solution
The best remedy for format string problems is to ensure that user generated input never shows up in format strings.This compliant solution excludes untrusted user input from the format string. Although arg[0]
still may contain one or more format specifiers, they are now rendered inert.
Code Block | ||
---|---|---|
| ||
class Format { static Calendar c = new GregorianCalendar(1995, GregorianCalendar.MAY, 23); public static void main(String[] args) { // args[0] is the credit card expiration date // Perform comparison with c, // if it doesn't match, print the following line System.out.printf("The inputformat( "%s did not match! HINT: It was issued on %1$terd%terd of some month", args[0], c ); } } |
Risk Assessment
Allowing user input to taint the Incorporating untrusted data in a format string may cause result in information leaks or allow a denial-of-service attack.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|
IDS06-J |
Medium |
Unlikely |
Medium | P4 | L3 |
Automated Detection
...
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
Static analysis tools that perform taint analysis can diagnose some violations of this rule.
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) | ||||||
Parasoft Jtest |
| CERT.IDS06.VAFS | Ensure the correct number of arguments for varargs methods with format strings | ||||||
Klocwork |
| SV.EXEC SV.EXEC.DIR SV.EXEC.ENV SV.EXEC.LOCAL SV.EXEC.PATH | Implemented |
Related Guidelines
...
...
...
...
Injection [RST] | |
CWE-134, Uncontrolled Format String |
Bibliography
[API 2006] | |
Chapter 6, "Formatted Output" | |
[Seacord 2015] |
...
References
Wiki Markup |
---|
\[[API 06|AA. Java References#API 06]\] [Class Formatter|http://java.sun.com/javase/6/docs/api/java/util/Formatter.html]
\[[Seacord 05|AA. Java References#Seacord 05]\] Chapter 6, Formatted Output
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 674|http://cwe.mitre.org/data/definitions/674.html] "Uncontrolled Format String" |
FIO32-J. Ensure all resources are properly closed when they are no longer needed 09. Input Output (FIO) FIO34-J. Do not create temporary files in shared directories