0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Microsoft Windows Kernel - win32k.sys TTF Font Processing Out-of-Bounds Read with Malformed Exploit
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1274 We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files: --- PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ff1effff, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: 91a65a52, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, (reserved) Debugging Details: ------------------ FAULTING_IP: win32k!fsc_CalcGrayRow+87 91a65a52 660fbe4fff movsx cx,byte ptr [edi-1] MM_INTERNAL_CODE: 0 DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT BUGCHECK_STR: 0x50 PROCESS_NAME: csrss.exe CURRENT_IRQL: 0 ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 91a65990 to 91a65a52 STACK_TEXT: 981a885c 91a65990 ff1f83f8 ff1f8140 ff1f83a8 win32k!fsc_CalcGrayRow+0x87 981a88a0 919e26ac 00000008 ff1f8010 fbb36e78 win32k!fsc_CalcGrayMap+0x105 981a88e8 91b69e1a ff1f8010 ff1f807c 00000005 win32k!fs_ContourScan+0x582 981a89f4 91b69ef2 00000000 00000005 981a8b08 win32k!lGGOBitmap+0x15f 981a8a1c 919dd4f0 fbb36e78 00000005 981a8b08 win32k!ttfdGlyphBitmap+0x60 981a8a40 919dd386 fc23ccf0 00000009 00000005 win32k!ttfdQueryFontData+0x115 981a8a90 919dc5b2 00000000 fc23ccf0 00000009 win32k!ttfdSemQueryFontData+0x45 981a8ad8 91b351b4 00000000 fc23ccf0 00000009 win32k!PDEVOBJ::QueryFontData+0x3e 981a8b90 91b2cd60 fc23ccf0 fc23ccf0 00000006 win32k!GreGetGlyphOutlineInternal+0x534 981a8c0c 8288587a 04010215 00000022 00000006 win32k!NtGdiGetGlyphOutline+0x95 981a8c0c 76f370b4 04010215 00000022 00000006 nt!KiFastCallEntry+0x12a WARNING: Frame IP not in any known module. Following frames may be wrong. 0020f504 00000000 00000000 00000000 00000000 0x76f370b4 --- The above crash dump comes from an old version of Windows 7 32-bit, because symbols for win32k.sys on the latest build are currently unavailable on the Microsoft Symbol Server. Nevertheless, a crash summary from an up-to-date system is as follows: --- cut --- PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ff1e3fff, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: 91ce9382, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, (reserved) Debugging Details: ------------------ FAULTING_IP: win32k!EngDeleteClip+4883 91ce9382 660fbe4fff movsx cx,byte ptr [edi-1] MM_INTERNAL_CODE: 0 DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT BUGCHECK_STR: 0x50 PROCESS_NAME: csrss.exe CURRENT_IRQL: 0 ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 91ce92c0 to 91ce9382 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 9aa98858 91ce92c0 ff1ee3f8 ff1ee140 ff1ee3a8 win32k!EngDeleteClip+0x4883 9aa9889c 91c64346 00000008 ff1ee010 fb9dce78 win32k!EngDeleteClip+0x47c1 9aa988e4 91dfa025 ff1ee010 ff1ee07c 00000005 win32k!XFORMOBJ_iGetXform+0x5864 9aa989f0 91dfa0fd 00000000 00000005 9aa98b04 win32k!XLATEOBJ_hGetColorTransform+0x40a1c 9aa98a18 91c5f086 fb9dce78 00000005 9aa98b04 win32k!XLATEOBJ_hGetColorTransform+0x40af4 9aa98a3c 91c5ef1c fc22ccf0 00000009 00000005 win32k!XFORMOBJ_iGetXform+0x5a4 9aa98a8c 91c5e138 00000000 fc22ccf0 00000009 win32k!XFORMOBJ_iGetXform+0x43a 9aa98ad4 91dc3424 00000000 fc22ccf0 00000009 win32k!EngCTGetGammaTable+0xc967 9aa98b90 91dbafcc fc22ccf0 fc22ccf0 00000006 win32k!XLATEOBJ_hGetColorTransform+0x9e1b 9aa98c0c 82888986 0c0104d1 00000022 00000006 win32k!XLATEOBJ_hGetColorTransform+0x19c3 9aa98c0c 77986c74 0c0104d1 00000022 00000006 nt!KiSystemServicePostCall 001cf4ac 00000000 00000000 00000000 00000000 0x77986c74 --- cut --- While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "glyf" table. The issue reproduces on Windows 7 (other platforms untested). It is easiest to reproduce with Special Pools enabled for win32k.sys. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which calls the GetGlyphOutline() API with various parameters over all of the font's glyphs. Attached is an archive with several proof-of-concept mutated TTF files. # 0day.today [2024-12-25] #