Structure and Interpretation of Computer Programmers

I make it easier and faster for you to write high-quality software.

Sunday, May 9, 2010

On localisation and security

Hot on the heels of Uli’s post on the problems of translation, I present another problem you might encounter while localising your code. This is a genuine bug (now fixed, of course) in code I have worked on in the past, only the data has been changed to protect the innocent.

We had a crash in the following line:

NSString *message = [NSString stringWithFormat:
	NSLocalizedString(@"%@ problems found", @"Discovery message"),
	problem];

Doesn’t appear to be anything wrong with that, does there? Well, as I say, it was a crasher. The app only crashed in one language though…for purposes of this argument, we’ll assume it was English. Let’s have a look at English.lproj/Localizable.strings:

/* Discovery message */
"%@ problems found" = "%@ found in %@";

Erm, that’s not so good. It would appear that at runtime, the variadic method +[NSString stringWithFormat: (NSString *)fmt, ...] is expecting two arguments to follow fmt, but only passed one, so it ends up reading its way off the end of the stack. That’s a classic format string vulnerability, but with a twist: none of our usual tools (by which I mean the various -Wformat flags and the static analyser) can detect this problem, because the format string is not contained in the code.

This problem should act as a reminder to ensure that the permissions on your app’s resources are correct, not just on the binary—an attacker can cause serious fun just by manipulating a text file. It should also suggest that you audit your translators’ work carefully, to ensure that these problems don’t arise in your app even without tampering.

posted by Graham at 00:39  

2 Comments

  1. This is not a classic format string vulnerability. In a classic format string, the attacker controls the format string.

    Comment by Bob — 2010-05-09 @ 15:58

  2. In this case, the code has loaded a file from an unknown filesystem and decided to interpret it as a format string. Any proof that the attacker cannot control that is cautiously awaited :-).

    Comment by Graham — 2010-05-28 @ 17:11

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress