AN-Master / google-security-research

Automatically exported from code.google.com/p/google-security-research

Windows Kernel ATMFD.DLL OTF font processing: pool-based buffer overflow with malformed GPOS table #369

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
We have encountered a number of Windows kernel crashes in an inlined memcpy() 
call in the ATMFD.DLL OpenType driver while processing corrupted OTF font 
files, such as:

---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fc43f000, memory referenced
Arg2: 00000001, value 0 = read operation, 1 = write operation
Arg3: 9267f7a7, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

[...]

FAULTING_IP: 
ATMFD+f7a7
9267f7a7 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD6

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 92680119 to 9267f7a7

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
89f8d718 92680119 00000000 00000000 008c784a ATMFD+0xf7a7
89f8d7d4 92680791 00000000 008c784a 00000398 ATMFD+0x10119
89f8d880 9267e3b8 00000000 89f8d8c0 1b93bfa1 ATMFD+0x10791
89f8d90c 92676e46 00000415 fbeb41a8 00000001 ATMFD+0xe3b8
89f8d988 92673c8e 00000000 00000000 8be40700 ATMFD+0x6e46
89f8da6c 92797a9a 00000004 fbe7cfc0 fc642ff8 ATMFD+0x3c8e
89f8dab4 927979ec 00000001 fbe7cfc0 fc642ff8 win32k!PDEVOBJ::LoadFontFile+0x3c
89f8daf4 9279742d ffa66130 00000019 fbe7cfc0 win32k!vLoadFontFileView+0x291
89f8db80 9278641f 89f8dc58 00000019 00000001 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x209
89f8dbcc 92787403 89f8dc58 00000019 00000001 win32k!GreAddFontResourceWInternal+0xfb
89f8dd14 82674896 003be558 00000019 00000001 win32k!NtGdiAddFontResourceW+0x142
89f8dd14 77c370f4 003be558 00000019 00000001 nt!KiSystemServicePostCall
0025facc 00000000 00000000 00000000 00000000 0x77c370f4

---

The crashes always occur while trying to write outside of a dynamically 
allocated destination buffer, leading to a pool-based buffer overflow, 
potentially allowing for remote code execution in the context of the Windows 
kernel. While we have not determined the specific root cause of the 
vulnerability, we have pinpointed the offending mutations to reside in the 
"GPOS" table.

The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with 
Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug 
is triggered), but it is also possible to observe a crash on a default Windows 
installation in ATMFD.DLL or another location in kernel space, as caused by the 
corrupted pool state, depending on the specific testcase used.

Attached is an archive with three proof of concept font files together with 
corresponding kernel crash logs.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 6 May 2015 at 2:34
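The report does not say which GPOS field drives the overflowing memcpy(), only that the mutations sit in that table. The following script, added here and not part of the report or of ATMFD.DLL, shows the bounded parsing a font consumer needs before copying GPOS data: it walks the sfnt table directory and the GPOS header of two constructed sample fonts and reports every offset that escapes its containing table or the file. The `_sfnt` builder and `check_gpos_bounds` are this example's own; the field names follow the OpenType specification.

```python
import struct

def _sfnt(tables):
    """Build a minimal 'OTTO' sfnt image from {tag: bytes} (demo helper)."""
    hdr = struct.pack(">4sHHHH", b"OTTO", len(tables), 0, 0, 0)
    off = len(hdr) + 16 * len(tables)
    dir_, body = b"", b""
    for tag, data in tables.items():
        dir_ += struct.pack(">4sIII", tag, 0, off + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)   # tables are 4-byte aligned
    return hdr + dir_ + body

# Constructed samples: a GPOS v1.0 whose ScriptList/FeatureList/LookupList
# all sit at offset 10 with a zero count (12-byte table), and the same table
# with a LookupList offset that points far beyond the table's end.
GOOD_GPOS = struct.pack(">HHHHH", 1, 0, 10, 10, 10) + struct.pack(">H", 0)
BAD_GPOS = struct.pack(">HHHHH", 1, 0, 10, 10, 0xFFF0) + struct.pack(">H", 0)
GOOD_FONT = _sfnt({b"GPOS": GOOD_GPOS})
BAD_FONT = _sfnt({b"GPOS": BAD_GPOS})

def check_gpos_bounds(font):
    """Return findings for table or GPOS offsets that leave their bounds;
    an empty list means every checked offset fits."""
    findings = []
    if len(font) < 12:
        return ["file shorter than sfnt header"]
    _, num_tables = struct.unpack_from(">4sH", font, 0)
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            findings.append("table directory truncated")
            break
        tag, _, off, length = struct.unpack_from(">4sIII", font, rec)
        # offset and length are uint32 in the file; adding them as Python
        # ints cannot wrap, which a 32-bit C check would need to guard.
        if off + length > len(font):
            findings.append(f"{tag!r} at {off}+{length} exceeds file size {len(font)}")
            continue
        if tag != b"GPOS":
            continue
        if length < 10:
            findings.append("GPOS header truncated")
            continue
        _, _, script, feature, lookup = struct.unpack_from(">HHHHH", font, off)
        for name, o in (("ScriptList", script), ("FeatureList", feature), ("LookupList", lookup)):
            if o + 2 > length:      # each list starts with a uint16 count
                findings.append(f"GPOS {name} offset {o} outside table of {length} bytes")
        if lookup + 2 <= length:
            count, = struct.unpack_from(">H", font, off + lookup)
            if lookup + 2 + 2 * count > length:
                findings.append(f"GPOS LookupList declares {count} lookups, exceeds table")
    return findings
```

Running `check_gpos_bounds` over a corpus of crashing testcases is a quick way to separate files that fail a simple header check from those that need deeper subtable parsing to explain.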


GoogleCodeExporter commented 8 years ago

Original comment by mjurc...@google.com on 21 May 2015 at 12:48

GoogleCodeExporter commented 8 years ago

Original comment by mjurc...@google.com on 22 May 2015 at 10:06

GoogleCodeExporter commented 8 years ago
https://technet.microsoft.com/library/security/MS15-078

Apparent collision with "in the wild", also with another part of the 
HackingTeam dump:

https://github.com/vlad902/hacking-team-windows-kernel-lpe/blob/master/exploit/PIC/PIC.c

Original comment by cev...@google.com on 20 Jul 2015 at 9:54