On Wed, Jun 06, 2007 at 07:29:26AM -0700, Ian Lance Taylor wrote:
> Olivier Hainque <[EMAIL PROTECTED]> writes:
>
> > genmodes.c uses the %n capabilities of printf to compute the width of
> > pieces it outputs. This causes trouble on Windows Vista, because ...
> >
> > << Because of security reasons, support for the %n format specifier is
> > disabled by default in printf and all its variants. ... the default
> > behavior is to invoke the invalid parameter handler ...
> > >>
> > [http://msdn2.microsoft.com/en-us/library/ms175782%28VS.80%29.aspx]
> >
> > It seems to me that we could replace the uses of %n by uses of printf
> > return values. I'm not clear whether this would be considered portable
> > enough, however.
>
> What is the security issue here? I'm not seeing it. Are they
> concerned that attackers will modify the print control string somehow?
There is/was a lot of code that does exactly that: a user can manipulate the
format strings (normally unintentionally, through lazy coding).

http://en.wikipedia.org/wiki/Format_string_attacks

A simple stack overflow might also allow you to write to arbitrary locations
in memory. Eg:

    int n = 0;
    char buf[16] = { 0 };
    int* n_ptr = &n;
    gets(buf);                    // might overflow into n_ptr
    printf("%s %n", buf, n_ptr);

which basically lets a remote attacker twiddle arbitrary bits in memory.
This looks contrived (and it is), but there have been attacks against real
running systems that exploited code not far off from this.

(That said, disabling %n seems pretty futile; there are many more obvious
ways to write horrible insecure code in C.)

-Jack
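An added example, not code from this thread or from genmodes.c, of the replacement Olivier suggests: the width of a printed piece is read from the snprintf/fprintf return value instead of a %n argument, and used here to align a "label = value" column. The function names, the "name[index]" label format and the sample mode names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Format "  name[index]" into buf and pad the line so that "= value"
   starts at 'column'.  The label width comes from snprintf's return
   value, which is exactly what a trailing "%n" would have stored, so
   no %n is needed.  Returns the label width, or -1 if the line does
   not fit in buf.  (Added example; the names are hypothetical.) */
static int format_aligned(char *buf, size_t size, const char *name,
                          int index, const char *value, int column)
{
    int width = snprintf(buf, size, "  %s[%d]", name, index);
    if (width < 0 || (size_t)width >= size)
        return -1;                       /* error or truncated output */

    int pad = column > width ? column - width : 1;
    /* "%*s" with an empty string emits exactly 'pad' spaces.  Caller
       supplied strings only ever travel through "%s", never as the
       format itself. */
    int rest = snprintf(buf + width, size - (size_t)width,
                        "%*s= %s\n", pad, "", value);
    if (rest < 0 || (size_t)rest >= size - (size_t)width)
        return -1;
    return width;
}

/* The same measurement when writing straight to a stream: fprintf
   returns the number of characters written, replacing "%s[%d]%n". */
static int print_aligned(FILE *out, const char *name, int index,
                         const char *value, int column)
{
    int width = fprintf(out, "  %s[%d]", name, index);
    if (width < 0)
        return -1;
    fprintf(out, "%*s= %s\n", column > width ? column - width : 1, "", value);
    return width;
}

int main(void)
{
    /* Constructed sample rows, loosely in the spirit of a mode table. */
    print_aligned(stdout, "QImode", 0, "1", 16);
    print_aligned(stdout, "SImode", 3, "4", 16);
    print_aligned(stdout, "TImode", 5, "16", 16);
    return 0;
}
```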