44CON slides and details about further Windows kernel font vulnerabilities

Since my last blog post and the REcon conference in June, I have continued working on font security, especially in the area of Windows kernel and font engines derived from the Adobe Type Manager Font Driver. More specifically, I moved from manually auditing PostScript Charstring implementations to running automated fuzz-testing of the overall font-handling code; after all, font files are so much more than just the glyph outline programs. The Windows kernel fuzzing initiative started in May this year and has already resulted in having 7 OpenType (ATMFD.DLL) and 4 TrueType (win32k.sys) security issues fixed in the operating system in the August Patch Tuesday. Details of the vulnerabilities are now publicly available in the google-project-zero bug tracker:

  1. Windows Kernel win32k.sys TTF pool-based buffer overflow in the IUP[] program instruction (CVE-2015-2455)
  2. Windows Kernel ATMFD.DLL OTF pool-based buffer overflow with malformed GPOS table (CVE-2015-2426)
  3. Windows Kernel win32k.sys TTF pool-based buffer overflow in win32k!scl_ApplyTranslation (CVE-2015-2456)
  4. Windows Kernel ATMFD.DLL OTF out-of-bounds reads from the input CharString stream (CVE-2015-2458)
  5. Windows Kernel ATMFD.DLL OTF invalid memory access due to malformed CFF table (CVE-2015-2459)
  6. Windows Kernel ATMFD.DLL OTF invalid memory access due to malformed CFF table (CVE-2015-2460)
  7. Windows Kernel ATMFD.DLL OTF write to uninitialized address due to malformed CFF table (CVE-2015-2432)
  8. Windows Kernel ATMFD.DLL OTF out-of-bounds read due to malformed Name INDEX in the CFF table (CVE-2015-2461)
  9. Windows Kernel ATMFD.DLL OTF out-of-bounds read due to malformed FDSelect offset in the CFF table (CVE-2015-2462)
  10. Windows Kernel win32k.sys TTF out-of-bounds pool memory access in win32k!fsc_RemoveDups (CVE-2015-2463)
  11. Windows Kernel win32k.sys TTF out-of-bounds pool write in win32k!fsc_BLTHoriz (CVE-2015-2464)

Interestingly enough, two of the vulnerabilities turned out to have collided with the work of other, external researchers: CVE-2015-2426 (the .OTF bug) was also discovered in the leaked Hacking Team data dump and subsequently fixed by Microsoft in an out-of-band security bulletin on 20 July 2015 (MS15-078), while CVE-2015-2455 (the .TTF bug) was found and successfully exploited by the Keen Team during the Pwn2Own competition this year.

Just last week I had the pleasure of attending the 44CON conference in London and giving a talk called “Reverse engineering and exploiting font rasterizers: the OpenType saga”. The presentation was divided into three chapters: first discussing an interesting FreeType vulnerability in the CFF rasterizer contributed by Adobe (an arbitrary out-of-bounds stack-based write) and how it was incorrectly patched the first time, then explaining the details of the Charstring vulnerabilities in ATMFD and its derivatives fixed in March and May, and finally outlining my recent fuzzing activity and its results. The slide deck can be found below for your amusement:

Reverse engineering and exploiting font rasterizers: the OpenType saga (PDF, 8.69MB)

Lastly, over the course of the last few weeks I have published several posts on the official Google Project Zero blog. The first four of them form a sort of whitepaper accompanying the REcon slides, as they discuss the discovery and exploitation process of the BLEND vulnerability, providing some further context and historical background for the curious:

  1. One font vulnerability to rule them all #1: Introducing the BLEND vulnerability
  2. One font vulnerability to rule them all #2: Adobe Reader RCE exploitation
  3. One font vulnerability to rule them all #3: Windows 8.1 32-bit sandbox escape exploitation
  4. One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation

More recently, I have also described the exploitation of a universal OpenType memory disclosure vulnerability affecting the Windows kernel (ATMFD), DirectWrite, Adobe Reader (CoolType), WPF and Oracle Java, using Internet Explorer, one of DirectWrite’s users, as the example:

  1. Enabling QR codes in Internet Explorer, or a story of a cross-platform memory disclosure

And that’s it! I hope you enjoy reading the posts as much as I enjoyed working on them, and stay tuned for more font-related disclosures soon!