Automated Audit Example: pscan

pscan is a package which is designed to audit C and C++ source files for format string vulnerabilities.

It is not a general purpose auditing tool.

Running pscan

Running pscan is a simple matter of invoking it with the name of a file, or files, to check. For example:

pscan test.c

The output will be written directly to the console:

test.c:42 SECURITY: printf call should have "%s" as argument 0

The Output

The output in this case is easy to understand. It has correctly identified the fact that the printf call doesn't quote it's arguments properly.

The output also shows us what we must do to correct the flaw, change the code which reads:

printf( buff );

To read:

printf( "%s", buff );

Not doing this could allow an attacker who can control the output of ls to attack the program, by creating a file called "%s", or similar.

Format string attacks are discussed in this Security Focus introduction.

The Secure Programming for Linux and Unix HOWTO explains how to protect against these attacks in commonly used variadic functions such as:

Back to the auditing project | Back to the sample auditing page