Which of the following types of attack makes use of unfiltered user input as the format string parameter in the
printf() function of the C language?
A.
buffer overflows
B.
format string vulnerabilities
C.
integer overflow
D.
code injection
E.
command injection
F.
None of the choices.
Explanation:
Format string attacks are a new class of vulnerabilities recently discovered. It can be used to crash a program
or to execute harmful code. The problem stems from the use of unfiltered user input as the format string
parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and
%x format tokens, among others, to print data from the stack or possibly other locations in memory. One may
also write
arbitrary data to arbitrary locations using the %n format token.