fprintf

This function is similar to printf(), but it writes the formatted output to a file rather than to the terminal.

Prototype

int fprintf(FILE *stream, const char *format, ...);

It takes a file pointer as the first argument and a format string as the second, followed by any additional arguments that supply the data to be formatted and written to the file. Because the format string controls how those arguments are interpreted, it must never be built from untrusted input.

Vulnerable example

#include <stdio.h>

int main(int argc, char *argv[]) {
    if (argc < 2) {
        return 1;  /* no input supplied */
    }
    char *user_input = argv[1];  /* attacker-controlled string */
    FILE *output_file = fopen("output.txt", "w");
    if (output_file == NULL) {
        return 1;
    }
    /* Vulnerable: user_input is used as the format string itself */
    fprintf(output_file, user_input);
    fclose(output_file);
    return 0;
}

Here fprintf() is called with a file pointer and a format string as its only arguments. The file pointer, output_file, refers to a file called "output.txt", and the format string is whatever the user supplied as the first command-line argument. Because the caller controls the format string, any conversion specifiers it contains are interpreted by fprintf() even though no matching arguments were passed; this is a format string vulnerability.

Prevent

There are multiple ways to prevent format string exploitation:

  • Check the input for certain characters or patterns that may indicate an attempt to exploit the function, and replace or remove these characters as necessary. For example, check the input for the % character, which introduces conversion specifiers in a format string, and replace it with a different character or remove it entirely. Note that this is a filtering approach: it silently alters legitimate input that happens to contain %, so it is weaker than the two approaches that follow.

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    if (argc < 2) {
        return 1;  /* no input supplied */
    }
    char *user_input = argv[1];

    // Replace any instance of the % character with a space so that
    // fprintf() finds no conversion specifiers in the string
    size_t len = strlen(user_input);
    for (size_t i = 0; i < len; i++) {
        if (user_input[i] == '%') {
            user_input[i] = ' ';
        }
    }

    FILE *output_file = fopen("output.txt", "w");
    if (output_file == NULL) {
        return 1;
    }
    fprintf(output_file, user_input);
    fclose(output_file);
    return 0;
}
  • Use a different function to print the user input. For example, use the fputs() function, which writes a string to a file but does not interpret formatting commands.

#include <stdio.h>

int main(int argc, char *argv[]) {
    if (argc < 2) {
        return 1;  /* no input supplied */
    }
    char *user_input = argv[1];

    // Write the user input to the file using fputs(), which copies the
    // string verbatim and never interprets conversion specifiers
    FILE *output_file = fopen("output.txt", "w");
    if (output_file == NULL) {
        return 1;
    }
    fputs(user_input, output_file);
    fclose(output_file);
    return 0;
}
  • Use the %s conversion specifier to print the user input, rather than using the user input as the format string itself. With a constant format string, fprintf() treats the user input purely as data and never interprets it as a format string.

#include <stdio.h>

int main(int argc, char *argv[]) {
    if (argc < 2) {
        return 1;  /* no input supplied */
    }
    char *user_input = argv[1];

    // Print the user input as an argument to a fixed "%s" format string
    FILE *output_file = fopen("output.txt", "w");
    if (output_file == NULL) {
        return 1;
    }
    fprintf(output_file, "%s", user_input);
    fclose(output_file);

    return 0;
}

It is important to choose the right approach based on your specific needs and the requirements of your program. It may also be necessary to combine multiple approaches to effectively prevent format string exploits. The fixed format string ("%s") or fputs() should be the default; filtering is only a fallback. Compiling with -Wformat -Wformat-security (GCC and Clang) reports calls such as fprintf(output_file, user_input) where the format is not a string literal, and -Werror=format-security turns that warning into a build failure so the vulnerable pattern cannot be merged unnoticed.
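As an added example (not code from the original page), the two stronger approaches above as reusable functions: escape_percent() neutralises % by doubling it to %% instead of discarding it, so the data survives if it must later pass through a format string, and write_untrusted_line() keeps the format constant and passes the input only as a %s argument. roundtrip_ok() and escape_equals() are self-checks; the buffer sizes and the "input" label are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape every '%' as "%%" so the result can safely be used as a format
 * string with no extra arguments. Unlike dropping '%', the data survives.
 * Returns a malloc'd buffer the caller frees, or NULL on allocation failure. */
char *escape_percent(const char *s) {
    size_t n = strlen(s), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '%') extra++;
    char *out = malloc(n + extra + 1);
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        *p++ = s[i];
        if (s[i] == '%') *p++ = '%';   /* "%" becomes "%%" */
    }
    *p = '\0';
    return out;
}

/* Preferred form: the format is a constant and untrusted data is only ever
 * an argument. Returns the fprintf() result (bytes written, or negative). */
int write_untrusted_line(FILE *stream, const char *label, const char *data) {
    return fprintf(stream, "%s: %s\n", label, data);
}

/* Self-check: write data to a temporary file, read it back and confirm the
 * bytes arrived unchanged, even when data looks like format directives. */
int roundtrip_ok(const char *data) {
    char expect[256], got[256];
    FILE *f = tmpfile();
    if (!f) return 0;
    snprintf(expect, sizeof expect, "input: %s\n", data);
    if (write_untrusted_line(f, "input", data) < 0) { fclose(f); return 0; }
    rewind(f);
    size_t n = fread(got, 1, sizeof got - 1, f);
    fclose(f);
    got[n] = '\0';
    return strcmp(got, expect) == 0;
}

/* Helper for checking escape_percent() against an expected string. */
int escape_equals(const char *in, const char *want) {
    char *e = escape_percent(in);
    int ok = e != NULL && strcmp(e, want) == 0;
    free(e);
    return ok;
}
```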
