PScan

PScan bills itself as a limited problem scanner. Its purpose is to find unsafe usage of printf-type library calls in C code and report them. PScan is intended primarily for auditing source code for vulnerabilities. It parses a C source file and checks for functions that take printf-style format strings as parameters. If one of the arguments is a constant string that contains a conversion specifier, the call is assumed to be OK and is not reported as a possible vulnerability. For example, the following would be flagged:

fprintf(stderr, variable);

If the contents of variable are determined by user input, an attacker could place their own conversion specifiers in variable in order to perform a buffer overflow attack. Because of how calls to functions with a variable number of arguments are implemented, and because we have not passed fprintf a format string containing the conversion specifiers it expects, sequences such as "%x" or "%n" appearing in the contents of variable will be treated as conversion specifiers. For details on how such an attack might be performed, see this Bugtraq posting: http://www.striker.ottawa.on.ca/~aland/pscan/format_bugs.txt. The following line of code, by contrast, would not be flagged by PScan:

fprintf(stderr, "%s", variable);

Since the second argument is a constant string containing a conversion specifier, this call does not present a security issue.
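As an added illustration of the rule just described (example code, not part of PScan or of this page), here is a small Python scanner that applies the same heuristic: it reports every printf-style call whose format argument is not a constant string containing a conversion specifier. The function table, the regular expressions and the sample C source are assumptions of the example, not PScan's own.

```python
import re
# printf-style functions -> 0-based index of the format argument (an assumption
# for this example; PScan's own table of functions is larger).
FORMAT_ARG_INDEX = {"printf": 0, "vprintf": 0, "fprintf": 1, "vfprintf": 1,
                    "sprintf": 1, "vsprintf": 1, "syslog": 1, "snprintf": 2}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")
# Tokens: a C string literal, a single paren or comma, or a run of anything else.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[(),]|[^"(),]+')
# One or more adjacent string literals ("a" "b" concatenate at compile time).
LITERAL_RE = re.compile(r'^(?:"(?:[^"\\]|\\.)*"\s*)+$')
# A conversion specification: flags, width, precision, length modifier, conversion.
CONVERSION_RE = re.compile(
    r"%[-+ #0]*(?:\*|\d+)?(?:\.(?:\*|\d+))?(?:hh|h|ll|l|L|j|z|t)?[diouxXeEfFgGaAcspn]")

def split_args(src, start):
    """Arguments of the call whose '(' is at src[start], split on top-level commas
    only; string literals and nested parentheses stay intact."""
    args, cur, depth = [], "", 0
    for tok in TOKEN_RE.finditer(src, start + 1):
        t = tok.group()
        if depth == 0 and t in ",)":          # top-level separator or end of call
            args.append(cur.strip())
            cur = ""
            if t == ")":
                break
        else:
            depth += (t == "(") - (t == ")")
            cur += t
    return args

def scan(src):
    """Report (line, function, format_arg) for each printf-style call whose format
    argument is not a string literal containing a conversion specifier."""
    findings = []
    for m in CALL_RE.finditer(src):
        name = m.group(1)
        args = split_args(src, m.end() - 1)
        idx = FORMAT_ARG_INDEX[name]
        fmt = args[idx] if idx < len(args) else ""
        if not (LITERAL_RE.match(fmt) and CONVERSION_RE.search(fmt)):
            findings.append((src.count("\n", 0, m.start()) + 1, name, fmt))
    return findings

# Constructed sample C source: lines 1 and 3 are reported, lines 2 and 4 are not.
SAMPLE = """\
fprintf(stderr, variable);
fprintf(stderr, "%s", variable);
snprintf(buf, sizeof(buf), msg);
syslog(LOG_ERR, "%s: %d%%", name, pct);
"""
```

Like PScan's check, this is a heuristic: comments and preprocessor macros are not stripped, and a format argument built from a literal without any specifier is still reported, exactly as the rule above states.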

Pros

Cons

Rating: Could be of use. It can be used to audit code for one type of buffer overflow vulnerability rather quickly. It's not immediately apparent that this tool would help uncover any of the vulnerabilities in the NASA top 50, but it's possible. PScan is available from http://www.striker.ottawa.on.ca/~aland/pscan/

Axes