44CON slides and details about further Windows kernel font vulnerabilities

Since my last blog post and the REcon conference in June, I have continued working on font security, especially in the area of Windows kernel and font engines derived from the Adobe Type Manager Font Driver. More specifically, I moved from manually auditing PostScript Charstring implementations to running automated fuzz-testing of the overall font-handling code; after all, font files are so much more than just the glyph outline programs. The Windows kernel fuzzing initiative started in May this year and has already resulted in having 7 OpenType (ATMFD.DLL) and 4 TrueType (win32k.sys) security issues fixed in the operating system in the August Patch Tuesday. Details of the vulnerabilities are now publicly available in the google-project-zero bug tracker:

    1. Windows Kernel win32k.sys TTF pool-based buffer overflow in the IUP[] program instruction (CVE-2015-2455)
    2. Windows Kernel ATMFD.DLL OTF pool-based buffer overflow with malformed GPOS table (CVE-2015-2426)
    3. Windows Kernel win32k.sys TTF pool-based buffer overflow in win32k!scl_ApplyTranslation (CVE-2015-2456)
    4. Windows Kernel ATMFD.DLL OTF out-of-bounds reads from the input CharString stream (CVE-2015-2458)
    5. Windows Kernel ATMFD.DLL OTF invalid memory access due to malformed CFF table (CVE-2015-2459)
    6. Windows Kernel ATMFD.DLL OTF invalid memory access due to malformed CFF table (CVE-2015-2460)
    7. Windows Kernel ATMFD.DLL OTF write to uninitialized address due to malformed CFF table (CVE-2015-2432)
    8. Windows Kernel ATMFD.DLL OTF out-of-bounds read due to malformed Name INDEX in the CFF table (CVE-2015-2461)
    9. Windows Kernel ATMFD.DLL OTF out-of-bounds read due to malformed FDSelect offset in the CFF table (CVE-2015-2462)
    10. Windows Kernel win32k.sys TTF out-of-bounds pool memory access in win32k!fsc_RemoveDups (CVE-2015-2463)
    11. Windows Kernel win32k.sys TTF out-of-bounds pool write in win32k!fsc_BLTHoriz (CVE-2015-2464)

Read more