Windows Embedded Open Type (EOT) Font Heap Overflow
------------------------------------------------------------------------
SUMMARY
Microsoft Embedded OpenType Font Engine "t2embed" is "designed to create
the ability of using specific fonts that might not be available on your
local system".
A vulnerability in the way that Windows uncompresses Embedded Open Type
fonts allow the author of a malicious web page to execute arbitrary code
on the system of a user who visits the site, at the privilege level of
that user.
DETAILS
Vulnerable Systems:
* Windows ME
* Windows 98
* Windows NT
* Windows 2000
* Windows XP SP1
* Windows XP SP2
* Windows Server 2003
* Windows Server 2003SP1
Embedded Open Type fonts are referenced through the use of style data, as
the following snippet illustrates:
@font-face {
font-family: Abysmal;
font-style: normal;
font-weight: normal;
src: url(evil.eot);
Although these fonts typically have .eot file extensions, it should be
noted that any extension may be used in order to exploit this
vulnerability.
A heap overflow vulnerability exists in T2EMBED.DLL, which Internet
Explorer invokes to process EOT fonts. The data within an EOT file is
compressed in Agfa MicroType Express format, which hosts an LZ-compressed
stream that includes a 24-bit allocation size. This size + 1C00h is
allocated within the function MTX_LZCOMP_UnPackMemory, but the resulting
allocation size is not validated before data is copied into the block,
allowing a malformed EOT file to cause an essentially arbitrary-length
heap buffer overflow with binary data.
When Microsoft Embedded OpenType Font Engine is parsing a .EOT file, it
allocates the heap memory block with size calculated from the .EOT file.
Note: all the "values" came from special case of a POC code
text:73C993EA call _MTX_BITIO_ReadValue@8 ; MTX_BITIO_ReadValue(x,x)
text:73C993EF mov [esi+FONT_STRUCT.mem_size], eax
The _MTX_BITIO_ReadValue@8 (in this case) loops 18 times the following
code:
text:73C9BBF8 give_input_bit: ; CODE XREF: MTX_BITIO_ReadValue(x,x)+24#j
text:73C9BBF8 push [esp+8+arg_0]
text:73C9BBFC shl esi, 1 ; (*)
text:73C9BBFE call _MTX_BITIO_input_bit@4 ; MTX_BITIO_input_bit(x)
text:73C9BC03 test ax, ax
text:73C9BC06 jz short max_io_ret_0
text:73C9BC08 or esi, 1 ; (*)
Note the bit operations on ESI register marked as (*), first one simply
multiples the value stored in ESI register with 2^1. The second one powers
on the LSB (Less Significant Bit).
The _MTX_BITIO_input_bit@4 (in this case) does the following:
text:73C9BA53 mov eax, [esp+read_io] ; some struct ptr
text:73C9BA57 xor ecx, ecx ; ECX = 0
text:73C9BA59 mov cx, [eax+read_io.size?] ; CX = 7 (counter)
text:73C9BA5D test cx, cx ; is it 0?
text:73C9BA60 lea edx, [ecx-1] ; EDX = 6
text:73C9BA63 mov [eax+read_io.size?], dx ; read_io.size? - 1
text:73C9BA67 jnz short _MTX_BITIO_end ; until != 0 => take the jump
text:73C9BA69 mov ecx, [eax+read_io.licznik_do_fdata] ; ecx = 1
text:73C9BA6C mov edx, [eax] ; EDX = ptr to font data
text:73C9BA6E movzx dx, byte ptr [ecx+edx] ; give on byte from [ecx+edx]
text:73C9BA73 inc ecx ; ECX++
text:73C9BA74 cmp ecx, [eax+8] ; is ECX == 0x3B8 ?
text:73C9BA77 mov [eax+read_io.zwracana], dx ; set the return value
text:73C9BA7B mov [eax+read_io.licznik_do_fdata], ecx ; store the counter
text:73C9BA7E jle short loc_73C9BA91
...
text:73C9BA91 loc_73C9BA91: ; CODE XREF: MTX_BITIO_input_bit(x)+2B#j
text:73C9BA91 inc dword ptr [eax+10h]
text:73C9BA94 mov [eax+read_io.size?], 7 ; reset the io size to 7
text:73C9BA9A
text:73C9BA9A _MTX_BITIO_end: ; CODE XREF: MTX_BITIO_input_bit(x)+14#j
text:73C9BA9A shl [eax+read_io.zwracana], 1 ; multiple via 2 ->
{100,200,...}
text:73C9BA9E movzx eax, [eax+read_io.zwracana] ; eax = what we will
return
text:73C9BAA2 and ax, 100h ; and the bits, the return values are {0,100h}
text:73C9BAA6 retn 4
The read bytes (read from .EOT data file), of course the .EOT data was
firstly xored by the engine, like the code here shows:
text:73C770AD loc_73C770AD: ; CODE XREF: sub_73C770A1+16#j
text:73C770AD xor dword ptr [edx+ecx*4], 50505050h
text:73C770B4 inc ecx
text:73C770B5 cmp ecx, eax
text:73C770B7 jb short loc_73C770AD
The end of _MTX_BITIO_ReadValue@8 comes with following code:
text:73C9BC0B max_io_ret_0: ; CODE XREF: MTX_BITIO_ReadValue(x,x)+1E#j
text:73C9BC0B dec edi ; if AX was 0
text:73C9BC0C jnz short give_input_bit ; until != 0, repeat
text:73C9BC0E pop edi
text:73C9BC0F
text:73C9BC0F loc_73C9BC0F: ; CODE XREF: MTX_BITIO_ReadValue(x,x)+A#j
text:73C9BC0F mov eax, esi ; return value is computed from ESI!!!
text:73C9BC11 pop esi ;
text:73C9BC12 retn 8
The returned mem_size is then used with creating the heap memory block:
text:73C993FB mov eax, [esi+FONT_STRUCT.mem_size]
text:73C99401 add eax, 1C00h
...
text:73C99410 push eax ; *our mem_size value + 1c00h*
text:73C99411 push dword ptr [esi+5Ch]
text:73C99414 call _MTX_mem_malloc@8 ; MTX_mem_malloc(x,x)
By looking the Microsoft Embedded OpenType Font Engine heap allocations we
have:
K: 23 -> [*] HeapAlloc(0x150000,0x8,0x2139(8505))=0x154820 end at:
0x156959 (*)
K: 24 -> [*] HeapAlloc(0x150000,0x8,0x2C(44))=0x156978 end at: 0x1569A4
K: 25 -> [*] HeapAlloc(0x150000,0x8,0x246(582))=0x1569C0 end at: 0x156C06
(O)
K: 26 -> [*] HeapAlloc(0x150000,0x8,0x1B48(6984))=0x156C28 end at:
0x158770 (C)
K: 27 -> [*] HeapAlloc(0x150000,0x8,0x539(1337))=0x158790 end at: 0x158CC9
(*)
First one is computed together with adding 1c00h value, the last one is
plain mem_size (1337). Such "faking" mem_size value has bad it influence
of future EOT file decompression. While the data unpacking in the routine
stored at 73C98E9Fh, the memory block marked as "O" is overwritten, and
the block marked as "C" is corrupted. The block corruption is done here:
text:73C98FBB mov al, [eax+esi] ; read byte from other heap block
text:73C98FBE inc [ebp+var_14]
text:73C98FC1 cmp [ebp+var_1C], 0
text:73C98FC5 mov byte ptr [ebp+var_C], al
text:73C98FC8 mov [ebx+ecx], al ; STORE !!!
This gives an heap overflow condition, illustrated here:
77F83905 8901 MOV DWORD PTR DS:[ECX],EAX ; EAX = 0D100C10h
77F83907 8948 04 MOV DWORD PTR DS:[EAX+4],ECX ; EBX = 0F100E10h
The vulnerability may lead to remote code execution when specially crafted
file is being parsed, however the exploitation is _hard_ due to the fact
attacker doesn't control directly the data which will overwrite the heap
block. However, it doesn't mean it can't be done.
CVE Information:
< http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0010>
CVE-2006-0010
ADDITIONAL INFORMATION
The information has been provided by < mailto:Advisories@xxxxxxxx> eEye
and < mailto:bania.piotr@xxxxxxxxx> Piotr Bania.
The original article can be found at:
< http://eeye.com/html/research/advisories/AD20060110.html>
http://eeye.com/html/research/advisories/AD20060110.html,
< http://www.piotrbania.com/all/adv/MS06-002-adv.txt>
http://www.piotrbania.com/all/adv/MS06-002-adv.txt
------------------------------------------------------------------------
SUMMARY
Microsoft Embedded OpenType Font Engine "t2embed" is "designed to create
the ability of using specific fonts that might not be available on your
local system".
A vulnerability in the way that Windows uncompresses Embedded Open Type
fonts allow the author of a malicious web page to execute arbitrary code
on the system of a user who visits the site, at the privilege level of
that user.
DETAILS
Vulnerable Systems:
* Windows ME
* Windows 98
* Windows NT
* Windows 2000
* Windows XP SP1
* Windows XP SP2
* Windows Server 2003
* Windows Server 2003SP1
Embedded Open Type fonts are referenced through the use of style data, as
the following snippet illustrates:
@font-face {
font-family: Abysmal;
font-style: normal;
font-weight: normal;
src: url(evil.eot);
Although these fonts typically have .eot file extensions, it should be
noted that any extension may be used in order to exploit this
vulnerability.
A heap overflow vulnerability exists in T2EMBED.DLL, which Internet
Explorer invokes to process EOT fonts. The data within an EOT file is
compressed in Agfa MicroType Express format, which hosts an LZ-compressed
stream that includes a 24-bit allocation size. This size + 1C00h is
allocated within the function MTX_LZCOMP_UnPackMemory, but the resulting
allocation size is not validated before data is copied into the block,
allowing a malformed EOT file to cause an essentially arbitrary-length
heap buffer overflow with binary data.
When Microsoft Embedded OpenType Font Engine is parsing a .EOT file, it
allocates the heap memory block with size calculated from the .EOT file.
Note: all the "values" came from special case of a POC code
text:73C993EA call _MTX_BITIO_ReadValue@8 ; MTX_BITIO_ReadValue(x,x)
text:73C993EF mov [esi+FONT_STRUCT.mem_size], eax
The _MTX_BITIO_ReadValue@8 (in this case) loops 18 times the following
code:
text:73C9BBF8 give_input_bit: ; CODE XREF: MTX_BITIO_ReadValue(x,x)+24#j
text:73C9BBF8 push [esp+8+arg_0]
text:73C9BBFC shl esi, 1 ; (*)
text:73C9BBFE call _MTX_BITIO_input_bit@4 ; MTX_BITIO_input_bit(x)
text:73C9BC03 test ax, ax
text:73C9BC06 jz short max_io_ret_0
text:73C9BC08 or esi, 1 ; (*)
Note the bit operations on ESI register marked as (*), first one simply
multiples the value stored in ESI register with 2^1. The second one powers
on the LSB (Less Significant Bit).
The _MTX_BITIO_input_bit@4 (in this case) does the following:
text:73C9BA53 mov eax, [esp+read_io] ; some struct ptr
text:73C9BA57 xor ecx, ecx ; ECX = 0
text:73C9BA59 mov cx, [eax+read_io.size?] ; CX = 7 (counter)
text:73C9BA5D test cx, cx ; is it 0?
text:73C9BA60 lea edx, [ecx-1] ; EDX = 6
text:73C9BA63 mov [eax+read_io.size?], dx ; read_io.size? - 1
text:73C9BA67 jnz short _MTX_BITIO_end ; until != 0 => take the jump
text:73C9BA69 mov ecx, [eax+read_io.licznik_do_fdata] ; ecx = 1
text:73C9BA6C mov edx, [eax] ; EDX = ptr to font data
text:73C9BA6E movzx dx, byte ptr [ecx+edx] ; give on byte from [ecx+edx]
text:73C9BA73 inc ecx ; ECX++
text:73C9BA74 cmp ecx, [eax+8] ; is ECX == 0x3B8 ?
text:73C9BA77 mov [eax+read_io.zwracana], dx ; set the return value
text:73C9BA7B mov [eax+read_io.licznik_do_fdata], ecx ; store the counter
text:73C9BA7E jle short loc_73C9BA91
...
text:73C9BA91 loc_73C9BA91: ; CODE XREF: MTX_BITIO_input_bit(x)+2B#j
text:73C9BA91 inc dword ptr [eax+10h]
text:73C9BA94 mov [eax+read_io.size?], 7 ; reset the io size to 7
text:73C9BA9A
text:73C9BA9A _MTX_BITIO_end: ; CODE XREF: MTX_BITIO_input_bit(x)+14#j
text:73C9BA9A shl [eax+read_io.zwracana], 1 ; multiple via 2 ->
{100,200,...}
text:73C9BA9E movzx eax, [eax+read_io.zwracana] ; eax = what we will
return
text:73C9BAA2 and ax, 100h ; and the bits, the return values are {0,100h}
text:73C9BAA6 retn 4
The read bytes (read from .EOT data file), of course the .EOT data was
firstly xored by the engine, like the code here shows:
text:73C770AD loc_73C770AD: ; CODE XREF: sub_73C770A1+16#j
text:73C770AD xor dword ptr [edx+ecx*4], 50505050h
text:73C770B4 inc ecx
text:73C770B5 cmp ecx, eax
text:73C770B7 jb short loc_73C770AD
The end of _MTX_BITIO_ReadValue@8 comes with following code:
text:73C9BC0B max_io_ret_0: ; CODE XREF: MTX_BITIO_ReadValue(x,x)+1E#j
text:73C9BC0B dec edi ; if AX was 0
text:73C9BC0C jnz short give_input_bit ; until != 0, repeat
text:73C9BC0E pop edi
text:73C9BC0F
text:73C9BC0F loc_73C9BC0F: ; CODE XREF: MTX_BITIO_ReadValue(x,x)+A#j
text:73C9BC0F mov eax, esi ; return value is computed from ESI!!!
text:73C9BC11 pop esi ;
text:73C9BC12 retn 8
The returned mem_size is then used with creating the heap memory block:
text:73C993FB mov eax, [esi+FONT_STRUCT.mem_size]
text:73C99401 add eax, 1C00h
...
text:73C99410 push eax ; *our mem_size value + 1c00h*
text:73C99411 push dword ptr [esi+5Ch]
text:73C99414 call _MTX_mem_malloc@8 ; MTX_mem_malloc(x,x)
By looking the Microsoft Embedded OpenType Font Engine heap allocations we
have:
K: 23 -> [*] HeapAlloc(0x150000,0x8,0x2139(8505))=0x154820 end at:
0x156959 (*)
K: 24 -> [*] HeapAlloc(0x150000,0x8,0x2C(44))=0x156978 end at: 0x1569A4
K: 25 -> [*] HeapAlloc(0x150000,0x8,0x246(582))=0x1569C0 end at: 0x156C06
(O)
K: 26 -> [*] HeapAlloc(0x150000,0x8,0x1B48(6984))=0x156C28 end at:
0x158770 (C)
K: 27 -> [*] HeapAlloc(0x150000,0x8,0x539(1337))=0x158790 end at: 0x158CC9
(*)
First one is computed together with adding 1c00h value, the last one is
plain mem_size (1337). Such "faking" mem_size value has bad it influence
of future EOT file decompression. While the data unpacking in the routine
stored at 73C98E9Fh, the memory block marked as "O" is overwritten, and
the block marked as "C" is corrupted. The block corruption is done here:
text:73C98FBB mov al, [eax+esi] ; read byte from other heap block
text:73C98FBE inc [ebp+var_14]
text:73C98FC1 cmp [ebp+var_1C], 0
text:73C98FC5 mov byte ptr [ebp+var_C], al
text:73C98FC8 mov [ebx+ecx], al ; STORE !!!
This gives an heap overflow condition, illustrated here:
77F83905 8901 MOV DWORD PTR DS:[ECX],EAX ; EAX = 0D100C10h
77F83907 8948 04 MOV DWORD PTR DS:[EAX+4],ECX ; EBX = 0F100E10h
The vulnerability may lead to remote code execution when specially crafted
file is being parsed, however the exploitation is _hard_ due to the fact
attacker doesn't control directly the data which will overwrite the heap
block. However, it doesn't mean it can't be done.
CVE Information:
< http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0010>
CVE-2006-0010
ADDITIONAL INFORMATION
The information has been provided by < mailto:Advisories@xxxxxxxx> eEye
and < mailto:bania.piotr@xxxxxxxxx> Piotr Bania.
The original article can be found at:
< http://eeye.com/html/research/advisories/AD20060110.html>
http://eeye.com/html/research/advisories/AD20060110.html,
< http://www.piotrbania.com/all/adv/MS06-002-adv.txt>
http://www.piotrbania.com/all/adv/MS06-002-adv.txt
4446
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
