http://cwe.mitre.org/data/definitions/134.html
Example 2
The following code copies a command line argument into a buffer using snprintf().
This code allows an attacker to view the contents of the stack and write to the stack using a command line argument containing a sequence of formatting directives. The attacker can read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n formatting directive, the attacker can write to the stack, causing snprintf() to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.
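The pattern described above next to its hardened form, as an added example that is not code from the CWE entry. The function names, the SHOW_VULNERABLE guard and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern described above: the untrusted string IS the format.
 * Guarded so it is compiled only on request (-DSHOW_VULNERABLE); calling it
 * with directives in `arg` is undefined behaviour. Hypothetical name. */
#ifdef SHOW_VULNERABLE
int copy_arg_vulnerable(char *buf, size_t size, const char *arg)
{
    return snprintf(buf, size, arg);           /* CWE-134 */
}
#endif

/* Hardened form: constant format string, untrusted data passed only as an
 * argument, so any '%' in it is copied as an ordinary character.
 * Returns bytes written, or -1 on error or truncation. */
int copy_arg_safe(char *buf, size_t size, const char *arg)
{
    int n = snprintf(buf, size, "%s", arg);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Count every '%' in `s` that is not part of a "%%" pair, i.e. each place
 * snprintf() would try to consume an argument if `s` were used as the format.
 * Useful for flagging or logging suspicious input. */
size_t count_directives(const char *s)
{
    size_t count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }    /* "%%" is a literal percent */
        count++;
    }
    return count;
}

int main(void)
{
    const char *input = "%x.%x.%n";            /* constructed sample input */
    char buf[128];
    int n = copy_arg_safe(buf, sizeof buf, input);
    printf("directives if used as a format: %zu\n", count_directives(input));
    printf("safe copy (%d bytes): %s\n", n, buf);
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang warn on the guarded call, because its format argument is not a string literal and no arguments follow it.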