I was studying format string vulnerabilities, and this is the first time I have ever heard of %n. And I do not understand why it exists.
Well, of course, I can imagine cases where you would like to know how many characters you have written so far. But there are many other ways to find the length of a string, and %n seems like a weird approach. Unlike all other format specifiers, it is not written to the string; it writes to another location in memory that is specified manually. And because it is so unintuitive (who would expect printf to write to arbitrary memory?), it seems to have obvious potential for creating security holes. If someone does not warn you about format string vulnerabilities, you will never think about it.
There must have been a reason for this. But what was it? Or were the problems described above simply not considered serious at the time?