A new class of vulnerabilities
discovered in June 2000. Prior to that, format-string attacks were believed to
be harmless. The problem seems to be rooted in the use of unfiltered user input
in the format string parameter in various C programming
languageÂ’s functions that perform formattingÂ—such as the printf() function format
string. A cracker could, for example, use %s and %x format tokens to print from
the stack or from other memory locations. Using the %n format token, crackers
could insert carefully crafted code into the memory space of a running program
and have it be executed. This software flaw has resulted in discovered
vulnerabilities in more than 150 common tools.
Exploit; Programming Languages C, C++, Perl, and Java.
Farlex, Inc. The Free Dictionary: Format String Attacks. [Online, 2004.]
Farlex, Inc. Website. http://encyclopedia.thefreedictionary.com/Format%20string%20attacks.