Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Formatting in Java is stricter as compared to traditional languages such as C. Exceptions are thrown if any conversion argument mismatches with the corresponding flag. Although not easily exploitable, it is possible for user input to taint the format string and cause information leakage or denial of service in some casesThe java.io package includes a PrintStream class that has two equivalent formatting methods: format() and printf(). System.out and System.err are PrintStream objects, allowing PrintStream methods to be invoked on the standard output and error streams. The risks from using these methods are not as high as from using similar functions in C or C++  [Seacord 2013]. The standard library implementations throw an exception when any conversion argument fails to match the corresponding format specifier. Although throwing an exception helps mitigate against exploits, if untrusted data is incorporated into a format string, it can result in an information leak or allow a denial-of-service attack. Consequently, unsanitized input from an untrusted source must never be incorporated into format strings.

Noncompliant Code Example

This noncompliant code example demonstrates a careless information leak. The code accepts the credit card expiration date as an input argument and uses it within the format string. In the absence of proper input validation, an artful attacker can observe the very date that has been asked to be inputted. Any of the arguments %1$tm, %1$te or %1$tY can further such an attemptleaks information about a user's credit card. It incorporates untrusted data in a format string.

Code Block
bgColor#FFcccc

import java.util.Calendar;
import java.util.GregorianCalendar;
import static java.util.Calendar.*;

class Format {
  static Calendar c = new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {  
    // args[0] should iscontain the credit card expiration date
    //args[0] can but might contain either %1$tm, %1$te or %1$tY asformat malicious argumentsspecifiers
    //perform comparison with c, if it doesn't match print the following line
    System.out.printf(System.out.format(
      args[0] + " did not match! HINT: It was issued on %1$terd of some month", c
    );
  }
}

Compliant Solution

In the absence of proper input validation, an attacker can determine the date against which the input is verified by supplying an input string that includes the %1$tm, %1$te, or %1$tY format specifiers. In this example, these format specifiers print 05 (May), 23 (day), and 1995 (year), respectively.

Compliant Solution

This compliant solution excludes untrusted user input from the format string. Although arg[0] still may contain one or more format specifiers, they are now rendered inert. The perfect remedy to format string problems is to ensure that user generated input never shows up in format strings. This will safeguard the code from unforeseen exploitation.

Code Block
bgColor#ccccff

import java.util.Calendar;
import java.util.GregorianCalendar;
import static java.util.Calendar.*;

class Format {
  static Calendar c = 
    new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {  
    // args[0] is the credit card expiration date
    //perform Perform comparison with c, 
    // if it doesn't match, print the following line
    System.out.printf("The inputformat(
      "%s did not match! HINT: It was issued on %1$terd%terd of some month", 
      args[0], c
    );
  }
}

Risk Assessment

Allowing user input to taint the Incorporating untrusted data in a format string may cause result in information leakage leaks or allow a denial-of-service attack.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO35

IDS06-J

medium

Medium

probable

Unlikely

high

Medium

P4

L3

Automated Detection

...

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

Static analysis tools that perform taint analysis can diagnose some violations of this rule.

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.IDS06.VAFSEnsure the correct number of arguments for varargs methods with format strings
Klocwork

Include Page
Klocwork_V
Klocwork_V

SV.EXEC
SV.EXEC.DIR
SV.EXEC.ENV
SV.EXEC.LOCAL
SV.EXEC.PATH
Implemented

Related Guidelines

...

...

...

...

ISO/IEC TR 24772:2013

Injection [RST]

MITRE CWE

CWE-134, Uncontrolled Format String

Bibliography


...

Image Added Image Added Image Added

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] [Class Formatter|http://java.sun.com/javase/6/docs/api/java/util/Formatter.html]
\[[Seacord 05|AA. Java References#Seacord 05]\] Chapter 6, Formatted Output

FIO33-J. Do not allow serialization and deserialization to bypass the Security Manager      07. Input Output (FIO)      08. Concurrency (CON)