Basic explanation of sscanf function :
int sscanf( const char *buffer, const char *format, ... );
format - pointer to a null-terminated character string specifying how to read the input.
- (optional) integer number (greater than zero) that specifies maximum field width, that is, the maximum number of characters that the function is allowed to consume when doing the conversion specified by the current conversion specification. Note that %s and %[ may lead to buffer overflow if the width is not provided.
int main (int argc, char* argv[])
{
char str[256];
sscanf (argv[1],"%s",str);
return 0;
}
Instruction pointer was overwritten by user controlled stack values as a classical stack overflow shown below;
gdb-peda$run `perl -e 'print "\x90" x 264 . "\x42" x 8 '`
gdb-peda$ i f 1
Stack frame at 0x7fffffffe2a8:
rip = 0x4242424242424242; saved rip 0x0
called by frame at 0x7fffffffe2b0, caller of frame at 0x7fffffffe2a0
Secure Code: [ width was defined one less to reserve null byte ]
#include
int main (int argc, char* argv[])
{
char str[256];
sscanf (argv[1],"%255s",str);
return 0;
}
When the same payload send as usual nothing happens.
Now Let's look more than 20 years of X.org server bug, this was disclosed on this 2014. The root cause was insecure usage of sscanf function while parsing bdf file format. File format parsers written in C is always dangerous sometimes hidden like decades -::]
CVE-2013-6462: unlimited sscanf overflows stack buffer in bdfReadCharacters()
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
index e2770dc..e11c5d2 100644
--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
@@ -338,7 +338,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
char charName[100];
int ignore;
char charName[100];
int ignore;
- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
bdfError("bad character name in BDF file\n");
goto BAILOUT; /* bottom of function, free and return error */
+ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
bdfError("bad character name in BDF file\n");
goto BAILOUT; /* bottom of function, free and return error */