[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 583    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

Windows ATMFD.DLL CFF table (ATMFD+0x34072 / ATMFD+0x3407b) Invalid Memory Access Exploit

Author
Google Security Research
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-24112
Category
dos / poc
Date add
21-08-2015
CVE
CVE-2015-2459
Platform
windows
Source: https://code.google.com/p/google-security-research/issues/detail?id=383&can=1
 
We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file:
 
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff67a024, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 98b54072, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 00000000, (reserved)
 
Debugging Details:
------------------
 
*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL
 
READ_ADDRESS:  ff67a024 Paged session pool
 
FAULTING_IP: 
ATMFD+34072
98b54072 8b700c          mov     esi,dword ptr [eax+0Ch]
 
MM_INTERNAL_CODE:  0
 
IMAGE_NAME:  ATMFD.DLL
 
DEBUG_FLR_IMAGE_TIMESTAMP:  54e6a55a
 
MODULE_NAME: ATMFD
 
FAULTING_MODULE: 98b20000 ATMFD
 
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
 
BUGCHECK_STR:  0x50
 
PROCESS_NAME:  csrss.exe
 
CURRENT_IRQL:  2
 
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
 
TRAP_FRAME:  9d793d9c -- (.trap 0xffffffff9d793d9c)
ErrCode = 00000000
eax=ff67a018 ebx=fbea4830 ecx=00000000 edx=00000000 esi=fbffe7c0 edi=fbffe7c0
eip=98b54072 esp=9d793e10 ebp=9d793e38 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
ATMFD+0x34072:
98b54072 8b700c          mov     esi,dword ptr [eax+0Ch] ds:0023:ff67a024=????????
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from 82714ce7 to 826b02d8
 
STACK_TEXT:  
9d7938ec 82714ce7 00000003 8d6243ee 00000065 nt!RtlpBreakWithStatusInstruction
9d79393c 827157e5 00000003 00000000 00002522 nt!KiBugCheckDebugBreak+0x1c
9d793d00 826c3391 00000050 ff67a024 00000000 nt!KeBugCheck2+0x68b
9d793d84 82675c48 00000000 ff67a024 00000000 nt!MmAccessFault+0x104
9d793d84 98b54072 00000000 ff67a024 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
9d793e38 98b4d5b5 fbffe7c0 fbea4830 00000f5c ATMFD+0x34072
9d794544 98b4f6e0 fbbfac70 98b5f028 9d794790 ATMFD+0x2d5b5
9d794600 98b427ae fbbfac70 98b5f028 9d794790 ATMFD+0x2f6e0
9d7946ec 98b42858 fbbfac70 9d794790 9d794814 ATMFD+0x227ae
9d794718 98b332b2 fbbfac70 98b5f028 9d794790 ATMFD+0x22858
9d79487c 98b33689 0000000b 9d79499c fad3ef00 ATMFD+0x132b2
9d7948d0 98b2406d 0000000b 9d79499c 00000000 ATMFD+0x13689
9d794924 9888dcf2 ff7a5010 fad30cf0 00000001 ATMFD+0x406d
9d79496c 988767cb ff7a5010 fad30cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
9d7949e0 988a1513 ffa6a130 fb23bd40 0000134b win32k!xInsertMetricsRFONTOBJ+0x9c
9d794a14 988a35f5 00000020 9d794aec 9d794c8a win32k!RFONTOBJ::bGetGlyphMetrics+0x131
9d794cb8 988b6684 0c010385 00001360 00000040 win32k!GreGetCharABCWidthsW+0x147
9d794d14 82672a66 0c010385 00001340 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
9d794d14 772b70f4 0c010385 00001340 00000040 nt!KiSystemServicePostCall
0017ed34 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---
 
The crash represents a read from invalid memory; prior to being dereferenced as an address, the EAX register is loaded with a value from ESI+0x34 (on 32-bit Windows), which points into an "Adbe" pool allocation:
 
---
kd> !pool fbffe7c0
Pool page fbffe7c0 region is Special pool
Address fbffe000 does not belong to any pool
*fbffe000 size:  898 data: fbffe768 (Paged session) *Adbe
        Pooltag Adbe : Adobe's font driver
---
 
The crash is always caused by an attempt to access memory at a constant offset past the memory page boundary (0x24 on 32-bit platforms), and the surrounding code is a loop over a linked list of structures. The EAX register at the time of the crash holds a [F/B]link address which points to unmapped memory, potentially suggesting that the root cause of the crash is a use-after-free condition, or some kind of corruption of the linked list. Since the invalid address is later used to manipulate memory, we expect that this issue could be used to achieve remote code execution in the security context of the Windows kernel.
 
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it should also be possible to observe a crash on a default Windows installation in ATMFD.DLL.
 
Attached is an archive with a proof of concept font file together with a corresponding kernel crash log.
 
------------------------------------------------------------------------------------------------------------------------------------------
 
We have also encountered a number of crashes where the read operation discussed above succeeds (moving the contents of [eax+0Ch] to esi), and a respective attempt to access the [esi+34h] address fails a few instructions later; for example:
 
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffb8034, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 9486407b, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 00000000, (reserved)
 
Debugging Details:
------------------
 
 
Could not read faulting driver name
 
READ_ADDRESS: GetPointerFromAddress: unable to read from 8278184c
Unable to read MiSystemVaType memory at 82760f00
 fffb8034 
 
FAULTING_IP: 
ATMFD+3407b
9486407b 394e34          cmp     dword ptr [esi+34h],ecx
 
MM_INTERNAL_CODE:  0
 
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
 
BUGCHECK_STR:  0x50
 
PROCESS_NAME:  csrss.exe
 
CURRENT_IRQL:  0
 
LAST_CONTROL_TRANSFER:  from 9485d5b5 to 9486407b
 
STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
879d7e38 9485d5b5 fba78880 fbbb6830 00000f5c ATMFD+0x3407b
879d8544 9485f6e0 fbad2c70 9486f028 879d8790 ATMFD+0x2d5b5
879d8600 948527ae fbad2c70 9486f028 879d8790 ATMFD+0x2f6e0
879d86ec 94852858 fbad2c70 879d8790 879d8814 ATMFD+0x227ae
879d8718 948432b2 fbad2c70 9486f028 879d8790 ATMFD+0x22858
879d887c 94843689 00000002 879d899c fbafaf58 ATMFD+0x132b2
879d88d0 9483406d 00000002 879d899c 00000000 ATMFD+0x13689
879d8924 9499dce2 ff7af010 fc01acf0 00000001 ATMFD+0x406d
879d896c 949867bb ff7af010 fc01acf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
879d89e0 949b14d7 ffa66130 ff646084 0000201c win32k!xInsertMetricsRFONTOBJ+0x9c
879d8a14 949b35b9 00000020 879d8bfc 879d8cac win32k!RFONTOBJ::bGetGlyphMetrics+0x131
879d8cb8 949c6644 10010188 00002020 00000040 win32k!GreGetCharABCWidthsW+0x147
879d8d14 82654896 10010188 00002000 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
879d8d14 776f70f4 10010188 00002000 00000040 nt!KiSystemServicePostCall
001bf3e4 00000000 00000000 00000000 00000000 0x776f70f4
---
 
Attached are further three samples together with corresponding crash log files, which reproduce the issue at the ATMFD+0x3407b location.
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37922.zip

#  0day.today [2024-11-15]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team