> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# Format String vulnerability

> printf(user_input) sin format string.

# Format String vulnerability

<p className="glossary-answer">printf(user\_input) sin format string.</p>

**Categoría:** [Pwn / Exploit dev](/glosario)

🎯 **Trinchera** — `printf(user_input)` sin format string. Si el
input contiene `%x %x %x` lees el stack; con `%n` escribes a
direcciones arbitrarias.

🔗 **Kill chain** — Leak de pointers para bypass ASLR; escribir a
GOT entry para hijack control flow.

📡 **Huella defensiva** — Logs con muchos `%` sospechosos;
crashes en `printf` family.

⚠️ **Falso amigo** — En 64-bit los args van en registros, no
stack — la explotación requiere más gadgets.

🛡️ **Remediación** — Compilar con `-Wformat -Wformat-security`;
nunca pasar input directamente a `printf` family.

***

← [Volver al glosario completo](/glosario)

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"DefinedTerm","name":"Format String vulnerability","description":"printf(user_input) sin format string.","inDefinedTermSet":{"@type":"DefinedTermSet","name":"Glosario táctico de pentesting","url":"https://rootea.es/glosario"},"url":"https://rootea.es/glosario/format-string-vulnerability"}`}
</script>

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Inicio","item":"https://rootea.es"},{"@type":"ListItem","position":2,"name":"Glosario táctico","item":"https://rootea.es/glosario"},{"@type":"ListItem","position":3,"name":"Format String vulnerability","item":"https://rootea.es/glosario/format-string-vulnerability"}]}`}
</script>

*Última actualización: 2026-06-11*
