You may have noticed that if your code calls functions in the sprintf family and the format string uses the %n conversion, it no longer runs correctly once it is compiled with Visual Studio 2005: the C runtime treats %n as an invalid parameter and invokes the invalid parameter handler. Why? It's pretty simple. By default we disabled support for %n, because it becomes a security issue when the format string handed to sprintf comes from an attacker and is not validated. It also turns out that very few developers use %n.
%n means "store the number of characters written so far into the int whose address is the corresponding argument in the argument list". It is the only printf conversion that writes to memory rather than reading from it. If the attacker controls the format string, %n turns the call into a write primitive: the address comes from a pointer the attacker places or finds in the argument area, and the value comes from the character count, which the attacker pads to any size with width specifiers. In effect the attacker can write any value to any writable address.
If you must enable %n in your code, call _set_printf_count_output(1) before the first call that relies on it (_get_printf_count_output reports the current setting). Prefer instead to keep untrusted data out of the format string altogether, for example by passing it as the argument to a fixed "%s" format.
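The following is an added example, not code from the original post or the Visual Studio CRT. It shows, in one file, a legitimate use of %n (finding the length of a prefix), the attacker-controlled-format bug the post warns about with an int being overwritten through %n, the hardened form that passes untrusted data as a "%s" argument, and the MSVC opt-in gate. The function names, the ATTACKER_INPUT string and the sample values are constructed for illustration; the vulnerable function is handed the target address directly so the write is deterministic, whereas a real exploit would locate a pointer on the stack with %x or %p first.

```c
/*
 * Added example (not code from the original post): what %n does, how an
 * attacker-controlled format string abuses it, the hardened form, and the
 * Visual Studio 2005 CRT opt-in. Names and inputs are constructed.
 */
#include <stdio.h>
#include <string.h>

/* Legitimate %n: learn how many characters the "[name:id]" prefix used,
 * so a caller can find where the rest of the message starts. */
int prefix_length(const char *name, int id)
{
    char out[64];
    int n = -1;
    snprintf(out, sizeof out, "[%s:%d]%n rest of message", name, id, &n);
    return n;                       /* "[svc:7]" -> 7 */
}

/* VULNERABLE: the format string itself is untrusted. The int whose
 * address sits in the argument list is overwritten with the character
 * count. A real exploit would harvest the pointer from the stack with
 * %x/%p rather than being handed it; the write primitive is the same. */
void vulnerable_format(char *out, size_t outsz, const char *untrusted_fmt, int *target)
{
    snprintf(out, outsz, untrusted_fmt, target);   /* BUG: non-literal format */
}

/* HARDENED: untrusted data is an argument, never the format. Any %n in
 * the input is now plain text and nothing is written anywhere. */
void safe_format(char *out, size_t outsz, const char *untrusted)
{
    snprintf(out, outsz, "%s", untrusted);
}

/* Constructed attacker input: 16 bytes of padding, then %n, so the count
 * stored is 16. In practice a width specifier such as "%16c%n" (consuming
 * one extra argument) yields the same count without the padding bytes,
 * which is how arbitrary values are produced with short strings. */
static const char ATTACKER_INPUT[] = "AAAAAAAAAAAAAAAA%n";

/* Returns the value %n wrote into target through the vulnerable call. */
int run_vulnerable(void)
{
    char out[64];
    int target = 0;
    vulnerable_format(out, sizeof out, ATTACKER_INPUT, &target);
    return target;                  /* 16: the attacker chose this value */
}

/* Returns 1 when the hardened call copied the input verbatim and the
 * would-be target was left untouched. */
int run_safe(void)
{
    char out[64];
    int target = 0;
    safe_format(out, sizeof out, ATTACKER_INPUT);
    return target == 0 && strcmp(out, ATTACKER_INPUT) == 0;
}

/* On the Visual Studio 2005 CRT, %n invokes the invalid parameter handler
 * unless _set_printf_count_output(1) was called first; other C runtimes
 * never disabled it. Returns 1 if %n is honoured after the opt-in. */
int percent_n_enabled(void)
{
    char tmp[8];
    int n = -1;
#ifdef _MSC_VER
    _set_printf_count_output(1);    /* the opt-in described in the post */
#endif
    snprintf(tmp, sizeof tmp, "ab%n", &n);
    return n == 2;
}

int main(void)
{
    printf("prefix length:     %d\n", prefix_length("svc", 7));
    printf("vulnerable target: %d\n", run_vulnerable());
    printf("hardened ok:       %d\n", run_safe());
    printf("%%n honoured:       %d\n", percent_n_enabled());
    return 0;
}
```

The fix is not to filter "%n" out of user input; it is to never let user input become the format string. Compilers flag the vulnerable pattern with -Wformat-nonliteral (GCC/Clang), and the MSVC opt-in should be confined to the handful of call sites that genuinely need the count.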
Comments
Anonymous
September 28, 2006
Whatever Happened to sprintf(..., "%n", ...)? Strsafe.h: Safer String Handling in C Security

Anonymous
October 02, 2006
A couple of years ago, I replaced libc's %n handling with an abort() on one of my FreeBSD machines and I never had anything crash because of it (the machine is retired now). %n seems rare indeed.

Anonymous
October 03, 2006
PingBack from http://www.matasano.com/log/536/format-string-protection-disabling-n-by-default/

Anonymous
October 24, 2006
Does the same apply to the scanf family too? I really don't see that %n is any great security exposure, over and above the inherent security flaws in sprintf itself. Can you think of an example where an attacker could take advantage of %n to do 'useful' damage to a system, because I'm not sure I can.

Anonymous
October 24, 2006
'useful' damage to a system? lol. like in the case of DoS?

Anonymous
October 25, 2006
> scanf
Nope - sprintf only right now.