Programmer's Ultimate Security DeskRef

Programmer's Ultimate Security DeskRef C

_cprintf

Prototype: int _cprintf( const char *format [, argument] ... )

Summary: This function formats and outputs a string to the console.

Description: Using the input string "format" this function will output a string to the console. It uses the inputs to define the format of the output string and the content. The format (and content) is held in the constant string "format", and the argument (if any) provides values to variables and additional content. The formatting is similar to that of printf. The function returns the number of characters printed to the console.

Risk: This function is potentially vulnerable to a format string attack where an attacker could cause the application to crash unexpected or execute arbitrary code. Format string bugs were discovered in 2000 and the problem is typically spawned from user input that is not properly filtered. Both Microsoft .Net and SPI Dynamics to name two have secure objects that can be implemented to check strings and user input gained from human sources within applications to protect against input-directed vulnerabilities. It is critical that you verify the inputted data have only proper and expected characters in addition to ensuring that your function is properly called. For example, the functions should always utilize their parameters such as printf("%s", malicious_string) instead of printf(malicious_string).

Note: At time of publication, this function was designed for Windows compatibility.

Additional Resources: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore98/html/_crt__cprintf.asp

Impact: Medium

Cross References: _cscanf, fprintf, printf, sprintf, vfprint

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Barcode Decoders
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.