Page Two

By Cameron Sturdevant  |  Posted 2005-03-21

A format-string vulnerability occurs when user-supplied data is handled incorrectly—usually in the C language—and is passed by a program directly as a format string. A talented attacker can then craft a string that overwrites memory locations with the attacker's input.
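As an added illustration that is not part of the original article, the vulnerable and hardened forms of the logging call side by side, plus a small defensive helper that counts the directives an untrusted string would trigger if it were ever misused as a format string (all function names here are my own):

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the untrusted string itself becomes the format string,
 * so every '%' directive it carries is interpreted by printf. GCC and Clang
 * flag this with -Wformat-security; the pragma only silences that warning so
 * the contrast compiles here. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void log_message_vulnerable(const char *msg)
{
    printf(msg);
    putchar('\n');
}
#pragma GCC diagnostic pop

/* Hardened form: a literal format string; msg is only ever treated as data. */
void log_message_safe(const char *msg)
{
    printf("%s\n", msg);
}

/* Count the conversion specifications an untrusted string would trigger if
 * it were misused as a format string. "%%" is an escaped percent, not a
 * directive. Useful as a check in input validation or when reviewing logs. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* literal percent sign, skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Render untrusted text into a fixed-size buffer with a fixed format.
 * Returns the snprintf result so callers can detect truncation. */
int format_user_text(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "user said: %s", user);
}
```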

Most IT managers likely will not have time to practice with this hack because it requires extensive tinkering to work correctly. If that's the case, a good way to get familiar with the hack is to use eWEEK Labs' favorite open-source vulnerability assessment tool—used by people wearing both white and black hats—Nessus (

As with all the categories of hacking tools described in this article (and as with many esoteric hacking tools that are not discussed here), the Nessus tool has several plug-ins that can reveal format-string and other vulnerabilities. By becoming familiar with Nessus' format-string plug-in, IT managers can get a very good feel for how a format-string attack will look and act.

In fact, it's well worth any IT manager's time to poke around at the Nessus site, paying close attention to the plug-in library. We recommend installing Nessus in the organization's test network and subscribing to the Nessus plug-in feed, which can be the only way to get the latest additions to the Nessus tool.

Spending even a short amount of time reading about the purpose and use of a Nessus plug-in will provide valuable insight into the operation of many hacking tools—and certainly the vulnerabilities that these tools seek to exploit.

This is also a good way to understand directory traversal hacks, which, like buffer overflows and format-string attacks, use custom code to trigger a program malfunction and gain escalated user privileges.

Defaults, back doors and misconfiguration

There is a whole class of hacking "tools" that are nothing more than expert knowledge of a particular application or operating system combined with poor security practices by the IT implementer.

Early in the methodical stalking of an IT resource, hackers will enumerate and identify systems in a network, looking for something of interest. After identifying an interesting target, smart hackers will gently test to see if any part of a system was left in a default configuration. Such a configuration provides easy back-door entry into what might look from the front like an impregnable fortress.

To avoid leaving these back doors open, or even ajar, eWEEK Labs recommends that IT managers add a section to any RFP (request for proposal) that requires vendors to supply instructions and tools for hardening their respective products.

Vendors that are unable to provide this kind of assistance—at no extra cost or at a nominal fee for custom work—should be passed over in favor of suppliers that can help IT lock out hacking tools.

We also recommend training users early and often about how to avoid social hacks such as e-mail phishing and the dreaded Post-It Note attack.


Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at
