The LinuxDig.Com Linux Dictionary is currently in Beta.
format-string attacks (printf())
1. A common vulnerability created by programmers who use tainted input as the format string for printf() (a common C function). Normally, printf() uses a "format string" to specify how the arguments that follow it will be formatted when printed. For example, when printing the time, you could use the following call:

    printf("%02d:%02d:%02d", hours, minutes, seconds);

This prints the time in a format that looks like "09:15:00" (i.e. quarter past nine). The conversion "%02d" means print a decimal integer at least 2 digits wide, padding with a leading 0 if the number is shorter. Character strings can be printed in a similar manner:

    printf("greetings=%s", "hello");

This prints the output:

    greetings=hello

However, if you wanted to be lazy, you could simply write:

    printf("greetings=hello");

Up to this point, everything is fine. The problem comes about when the string is read from input:

    g = read_input();
    printf(g);

The programmer is expecting the user to enter normal input such as "Hi". However, the user could enter something like "die %s". This makes the above statement equivalent to:

    printf("die %s");

Since no argument was passed for the "%s", printf() takes whatever happens to be in the next argument register or stack slot, treats it as a pointer to a string and dereferences it; this may cause the program to crash. The same bug is what makes these attacks exploitable rather than merely a crash: conversions such as "%s" read memory at attacker-chosen positions, and "%n" writes to it. The correct way that this should have been handled is:

    g = read_input();
    printf("%s", g);

printf() will treat the first parameter as the format string, but will not interpret any conversion specifiers inside the strings passed as arguments.

Key point: A popular technique to see if a system is possibly vulnerable to format string bugs is to send the input "%x %x %x". If the hacker sees hex output (the contents of the stack or argument registers, printed because each "%x" consumed an argument that was never supplied), then they know the system is vulnerable to format string bugs. From Hacking-Lexicon
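The following is an added example, not code from Hacking-Lexicon or the dictionary: the vulnerable printf(g) idiom beside its "%s" fix, written with snprintf() so the result lands in a buffer that can be inspected, plus the probe-and-compare check behind the "%x %x %x" key point. The function names, the buffer size and all inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not part of the Hacking-Lexicon entry). All names and
 * inputs below are constructed for illustration. */

#define BUF_SZ 128

/* VULNERABLE: the untrusted string becomes the format string, exactly the
 * printf(g) pattern from the entry. snprintf() into a buffer is used instead
 * of printf() so the formatted result can be examined. */
int echo_unsafe(char *out, size_t out_sz, const char *untrusted)
{
    return snprintf(out, out_sz, untrusted);   /* attacker controls the format */
}

/* FIXED: the format string is a literal; the untrusted data is only the
 * argument to %s and is never parsed for conversion specifiers. */
int echo_safe(char *out, size_t out_sz, const char *untrusted)
{
    return snprintf(out, out_sz, "%s", untrusted);
}

/* The check behind the entry's key point: send a probe containing
 * conversions and compare what comes back. If the response is not the probe
 * verbatim, the program parsed the input as a format string.
 * Returns 1 = interpreted (format-string bug), 0 = echoed literally. */
int probe_indicates_format_bug(const char *probe, const char *response)
{
    return strcmp(probe, response) != 0;
}

int main(void)
{
    char out[BUF_SZ];
    const char *probe = "%x %x %x";   /* constructed probe from the entry */

    echo_safe(out, sizeof out, probe);
    printf("safe  : %s -> interpreted=%d\n", out,
           probe_indicates_format_bug(probe, out));

    /* Undefined behaviour by design: each %x consumes an argument that was
     * never passed, so the output is whatever sits in the argument registers
     * or on the stack. Hex here is exactly the tell the entry describes; a
     * "%s" probe would instead dereference that garbage and likely crash. */
    echo_unsafe(out, sizeof out, probe);
    printf("unsafe: %s -> interpreted=%d\n", out,
           probe_indicates_format_bug(probe, out));
    return 0;
}
```

A deterministic way to see the difference without undefined behaviour is the input "rate=100%%": the vulnerable path collapses "%%" to a single "%" because it parsed the input as a format, while the fixed path returns the input unchanged. Compilers flag the vulnerable line under -Wformat-security, which is worth enabling as a build-time check for this bug class.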