Issue 369 Windows Kernel ATMFD.DLL OTF font processing: pool-based buffer overflow with malformed GPOS table
Reported by mjurczyk@google.com (Project Member), May 6 2015
Status: Fixed
Closed: Jul 2015
We have encountered a number of Windows kernel crashes in an inlined memcpy() call in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as:

---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fc43f000, memory referenced
Arg2: 00000001, value 0 = read operation, 1 = write operation
Arg3: 9267f7a7, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

[...]

FAULTING_IP: 
ATMFD+f7a7
9267f7a7 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD6

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 92680119 to 9267f7a7

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
89f8d718 92680119 00000000 00000000 008c784a ATMFD+0xf7a7
89f8d7d4 92680791 00000000 008c784a 00000398 ATMFD+0x10119
89f8d880 9267e3b8 00000000 89f8d8c0 1b93bfa1 ATMFD+0x10791
89f8d90c 92676e46 00000415 fbeb41a8 00000001 ATMFD+0xe3b8
89f8d988 92673c8e 00000000 00000000 8be40700 ATMFD+0x6e46
89f8da6c 92797a9a 00000004 fbe7cfc0 fc642ff8 ATMFD+0x3c8e
89f8dab4 927979ec 00000001 fbe7cfc0 fc642ff8 win32k!PDEVOBJ::LoadFontFile+0x3c
89f8daf4 9279742d ffa66130 00000019 fbe7cfc0 win32k!vLoadFontFileView+0x291
89f8db80 9278641f 89f8dc58 00000019 00000001 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x209
89f8dbcc 92787403 89f8dc58 00000019 00000001 win32k!GreAddFontResourceWInternal+0xfb
89f8dd14 82674896 003be558 00000019 00000001 win32k!NtGdiAddFontResourceW+0x142
89f8dd14 77c370f4 003be558 00000019 00000001 nt!KiSystemServicePostCall
0025facc 00000000 00000000 00000000 00000000 0x77c370f4
---

The crashes always occur while trying to write outside of a dynamically allocated destination buffer, leading to a pool-based buffer overflow, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "GPOS" table.

The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in ATMFD.DLL or another location in kernel space, as caused by the corrupted pool state, depending on the specific testcase used.

Attached is an archive with three proof of concept font files together with corresponding kernel crash logs.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachment: poc.zip (60.0 KB)
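The report does not name the root cause, only that the faulting memcpy() writes past a pool allocation and that the offending mutations live in the GPOS table. The defensive property any OpenType layout parser needs at that point is the same regardless of the exact bug: every offset and count read from the table must be validated against the length of the enclosing buffer before it is used to size a copy. The following added example is not ATMFD code, Project Zero's tooling, or anything from the attached archive; it is a small bounds-checked reader for the sfnt table directory and the GPOS LookupList, written here from the public OpenType layout (GPOS 1.0 header, LookupList, Lookup, subtable offsets). The font bytes it builds are constructed for the demonstration, and the three corruptions it tries (an out-of-range lookupListOffset, an oversized subTableCount, and a table record that claims more bytes than the file holds) are illustrative, not the mutations from the report.

```python
"""Bounds-checked reader for the OpenType table directory and the GPOS
LookupList.  Added example, not ATMFD or Project Zero code; all sample
font bytes below are constructed for the demonstration."""
import struct


class FontError(ValueError):
    """Raised when a structure would be read outside the bytes that contain it."""


def _span(buf: bytes, off: int, size: int, what: str) -> bytes:
    # Every read is validated against the *enclosing* buffer (the table, not the
    # whole file).  This is the check a memcpy-style copy must pass before it runs.
    if off < 0 or size < 0 or off + size > len(buf):
        raise FontError(f"{what}: bytes {off}..{off + size} exceed {len(buf)}-byte buffer")
    return buf[off:off + size]


def _u16(buf: bytes, off: int, what: str) -> int:
    return struct.unpack(">H", _span(buf, off, 2, what))[0]


def _u32(buf: bytes, off: int, what: str) -> int:
    return struct.unpack(">I", _span(buf, off, 4, what))[0]


def table_directory(font: bytes) -> dict:
    """Map table tag -> table bytes; each record's offset+length must fit the file."""
    num_tables = _u16(font, 4, "numTables")
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i                      # 12-byte sfnt header, 16-byte records
        tag = _span(font, rec, 4, "tag").decode("latin-1")
        offset = _u32(font, rec + 8, f"{tag} offset")
        length = _u32(font, rec + 12, f"{tag} length")
        tables[tag] = _span(font, offset, length, f"{tag} body")
    return tables


def parse_gpos(gpos: bytes) -> dict:
    """Walk the GPOS 1.0 header and LookupList, rejecting any offset or count
    that points past the end of the table."""
    major, minor = _u16(gpos, 0, "majorVersion"), _u16(gpos, 2, "minorVersion")
    if major != 1:
        raise FontError(f"unsupported GPOS version {major}.{minor}")
    script_list = _u16(gpos, 4, "scriptListOffset")
    feature_list = _u16(gpos, 6, "featureListOffset")
    lookup_list = _u16(gpos, 8, "lookupListOffset")
    result = {
        "version": (major, minor),
        "scripts": _u16(gpos, script_list, "scriptCount"),
        "features": _u16(gpos, feature_list, "featureCount"),
        "lookups": [],
    }
    lookup_count = _u16(gpos, lookup_list, "lookupCount")
    # Validate the whole offset array before trusting any element of it.
    _span(gpos, lookup_list + 2, 2 * lookup_count, "lookupOffsets[]")
    for i in range(lookup_count):
        lk = lookup_list + _u16(gpos, lookup_list + 2 + 2 * i, f"lookupOffsets[{i}]")
        ltype = _u16(gpos, lk, f"lookup[{i}].lookupType")
        flag = _u16(gpos, lk + 2, f"lookup[{i}].lookupFlag")
        sub_count = _u16(gpos, lk + 4, f"lookup[{i}].subTableCount")
        _span(gpos, lk + 6, 2 * sub_count, f"lookup[{i}].subtableOffsets[]")
        subs = []
        for j in range(sub_count):
            st = lk + _u16(gpos, lk + 6 + 2 * j, f"lookup[{i}].subtableOffsets[{j}]")
            _u16(gpos, st, f"lookup[{i}].subtable[{j}].posFormat")  # header must exist
            subs.append(st)
        result["lookups"].append({"type": ltype, "flag": flag, "subtables": subs})
    return result


def check_font(font: bytes):
    """Return (True, summary) for a well-formed GPOS table, else (False, reason)."""
    try:
        return True, parse_gpos(table_directory(font)["GPOS"])
    except (FontError, KeyError) as exc:
        return False, str(exc)


# --- constructed sample data (not from the report) --------------------------
def build_gpos(lookup_list_offset: int = 14, subtable_count: int = 1) -> bytes:
    """Minimal GPOS 1.0: empty ScriptList/FeatureList, one PairPos lookup with
    one 8-byte placeholder subtable.  The parameters let a caller corrupt it."""
    header = struct.pack(">HHHHH", 1, 0, 10, 12, lookup_list_offset)
    script_list = struct.pack(">H", 0)            # scriptCount = 0
    feature_list = struct.pack(">H", 0)           # featureCount = 0
    lookup_list = struct.pack(">HH", 1, 4)        # one lookup, 4 bytes into LookupList
    lookup = struct.pack(">HHHH", 2, 0, subtable_count, 8)  # type 2, flag 0, sub @ +8
    return header + script_list + feature_list + lookup_list + lookup + bytes(8)


def build_font(gpos: bytes, declared_length: int = -1) -> bytes:
    """Wrap one GPOS table in an 'OTTO' sfnt container; a non-negative
    declared_length makes the table record claim that many bytes instead."""
    header = struct.pack(">4sHHHH", b"OTTO", 1, 16, 0, 0)
    length = len(gpos) if declared_length < 0 else declared_length
    record = struct.pack(">4sIII", b"GPOS", 0, 28, length)   # table body starts at 28
    return header + record + gpos


if __name__ == "__main__":
    print(check_font(build_font(build_gpos())))
    print(check_font(build_font(build_gpos(lookup_list_offset=0xFFFF))))
    print(check_font(build_font(build_gpos(subtable_count=0x7FFF))))
    print(check_font(build_font(build_gpos(), declared_length=0x10000)))
```

The point of the `_span` helper is that the bound is the table's own length, not the file's: a GPOS offset that lands inside some other table is still a bug. Running the script prints one well-formed summary followed by three rejections, each naming the field whose value would have driven a read or copy past the buffer. Used as a pre-filter over fuzzed or untrusted fonts, it separates files that are structurally out of range (and so would be caught by any checked parser) from those whose damage lies in the subtable contents the example does not decode.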
Project Member Comment 1 by mjurczyk@google.com, May 21 2015
Labels: Reported-2015-May-21
Project Member Comment 2 by mjurczyk@google.com, May 22 2015
Labels: MSRC-30288
Comment 3 by cevans@google.com, Jul 20 2015
Labels: -Restrict-View-Commit CVE-2015-2426 Fixed-2015-Jul-20
Status: Fixed
https://technet.microsoft.com/library/security/MS15-078

Apparent collision with "in the wild", also with another part of the HackingTeam dump:

https://github.com/vlad902/hacking-team-windows-kernel-lpe/blob/master/exploit/PIC/PIC.c
Comment 4 Deleted
Comment 5 Deleted