MS OpenType CFF Parsing Vulnerability

Advisory ID Internal
CORE-2010-0624

1. Advisory Information

Title: MS OpenType CFF Parsing Vulnerability
Advisory Id: CORE-2010-0624
Advisory URL: https://www.coresecurity.com/core-labs/advisories/ms-opentype-cff-parsing-vulnerability
Date published: 2010-10-12
Date of last update: 2010-10-08
Vendors contacted: Microsoft
Release mode: Coordinated release

2. Vulnerability Information

Class: Input validation error [CWE-20]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2010-2741
Bugtraq ID: N/A

3. Vulnerability Description

While investigating the OpenType Compact Font Format vulnerability disclosed in MS10-037, Diego Juarez discovered another kernel bug in the parsing of OTF files. Loading a malformed OpenType font can cause the entire system to crash. The vulnerability could be used locally by attackers with access to an unprivileged account to elevate privileges to those of a System Administrator.

4. Vulnerable Packages

  • Windows XP
  • Windows 2003

5. Non-Vulnerable Packages

  • Windows Vista
  • Windows 2008
  • Windows 7

6. Vendor Information, Solutions and Workarounds

Microsoft has released security bulletin MS10-078 addressing this issue.

7. Credits

This vulnerability was discovered and researched by Diego Juarez from Core Security Technologies. Publication was coordinated by Iván Arce and Jorge Lucángeli Obes.

8. Technical Description / Proof of Concept Code

The vulnerability occurs in the font cache. A well-formed font is loaded, and thus stored in the cache. Afterwards, the same font is reloaded, but with invalid offset and length fields for the head table of the font. The offset field is located at offset 0x64 in the file, and the length field is located at offset 0x68. A valid OpenType font:

0000000 544f 4f54 0b00 8000 0300 3000 4643 2046
0000010 7009 ee89 0000 b004 0000 b800 4646 4d54
0000020 1fbf 9a8f 0000 8805 0000 1c00 4447 4645
0000030 2f00 0400 0000 6805 0000 2000 534f 322f
0000040 9755 6c5b 0000 2001 0000 6000 6d63 7061
0000050 ecff f903 0000 4403 0000 4a01 6568 6461
0000060 99ef c1cf 0000 bc00 0000 3600 6868 6165
...

The same font, with invalid offset and length fields:

0000000 544f 4f54 0b00 8000 0300 3000 4643 2046
0000010 7009 ee89 0000 b004 0000 b800 4646 4d54
0000020 1fbf 9a8f 0000 8805 0000 1c00 4447 4645
0000030 2f00 0400 0000 6805 0000 2000 534f 322f
0000040 9755 6c5b 0000 2001 0000 6000 6d63 7061
0000050 ecff f903 0000 4403 0000 4a01 6568 6461
0000060 99ef 00cf 00ff ffff ff00 3600 6868 6165
...
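As an added example (not part of the advisory), the two hexdumps above rebuilt into bytes and run through the table-directory bounds check a font loader needs before trusting any table record. The file size is an assumption, since the advisory truncates the dump at 0x70 bytes; the 'head' length check follows the OpenType specification's fixed 54-byte size.

```python
import struct
# Both dumps are copied from the advisory ('od -x' style: 16-bit words, byte-swapped).
VALID_DUMP = """
0000000 544f 4f54 0b00 8000 0300 3000 4643 2046
0000010 7009 ee89 0000 b004 0000 b800 4646 4d54
0000020 1fbf 9a8f 0000 8805 0000 1c00 4447 4645
0000030 2f00 0400 0000 6805 0000 2000 534f 322f
0000040 9755 6c5b 0000 2001 0000 6000 6d63 7061
0000050 ecff f903 0000 4403 0000 4a01 6568 6461
0000060 99ef c1cf 0000 bc00 0000 3600 6868 6165
"""
MALFORMED_DUMP = VALID_DUMP.replace(  # only the 'head' record's fields differ
    "0000060 99ef c1cf 0000 bc00 0000 3600",
    "0000060 99ef 00cf 00ff ffff ff00 3600")
HEAD_TABLE_LENGTH = 54  # the OpenType 'head' table is always 54 bytes
# Assumption: file ends where the furthest visible table (FFTM, 0x588 + 0x1c) ends.
ASSUMED_FILE_SIZE = 0x5A4

def od_to_bytes(dump: str) -> bytes:
    """Undo the little-endian word swap of 'od -x' and return the raw bytes."""
    out = bytearray()
    for line in dump.split("\n"):
        for word in line.split()[1:]:          # skip the octal offset column
            out += bytes.fromhex(word)[::-1]   # '544f' was bytes 4f 54 ('OT')
    return bytes(out)

def table_records(data: bytes):
    """Yield (tag, offset, length) for every complete table directory record."""
    num_tables = struct.unpack_from(">H", data, 4)[0]
    for i in range(num_tables):
        pos = 12 + 16 * i                      # 12-byte sfnt header, 16 per record
        if pos + 16 > len(data):
            break                              # directory runs past the data
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", data, pos)
        yield tag.decode("latin-1"), offset, length

def check_directory(data: bytes, file_size: int) -> list:
    """Return the records whose offset/length do not fit in the file.

    Written as a subtraction rather than offset + length <= file_size: the
    advisory's 0xff00ffff + 0x00ff0036 wraps to 0x35 in 32-bit arithmetic."""
    bad = []
    for tag, offset, length in table_records(data):
        if offset > file_size or length > file_size - offset:
            bad.append((tag, offset, length))
        elif tag == "head" and length != HEAD_TABLE_LENGTH:
            bad.append((tag, offset, length))
    return bad
```

Run against the valid dump the check returns nothing; against the malformed dump it reports the head record with offset 0xff00ffff and length 0x00ff0036.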

9. Report Timeline

  • 2010-06-28: Initial notification sent to MSRC, including proof-of-concept code to reproduce it. Publication date set to August 10, 2010.
  • 2010-06-29: MSRC acknowledges bug report. Case 10135 opened.
  • 2010-06-29: Core indicates that it has assigned id CORE-2010-0624 to this advisory.
  • 2010-07-12: Vendor confirms the vulnerability causes a Read Access Violation and will investigate further to discard the possibility of a Write AV. Vista and above are not affected.
  • 2010-07-22: Core asks for an update with the list of vulnerable platforms and confirmation that fixes for the bug will be released in August 2010.
  • 2010-07-23: Vendor replies with the list of vulnerable platforms, but requests to push the publication date forward due to the extensive variant investigation needed.
  • 2010-07-26: Core accepts postponing the publication date, but with a firm commitment for a future publication date, no later than October 2010.
  • 2010-07-26: Vendor replies with a commitment to release fixes on October 12th.
  • 2010-07-28: Core sets the publication date of the advisory to October 12th, and notes that this release date is final.
  • 2010-08-17: Core verifies the list of vulnerable platforms with MSRC.
  • 2010-08-17: MSRC replies with the final list of vulnerable platforms, and confirms the release date of the advisory to be October 12th.
  • 2010-09-15: MSRC updates the status of the case and confirms the acknowledgment for the vulnerability.
  • 2010-09-21: Core acknowledges the update and confirms the release date of the advisory.
  • 2010-09-24: Core requests a bulletin number for the fix, and asks if MSRC has already requested a CVE number for the vulnerability.
  • 2010-09-24: MSRC answers with the CVE number assigned to the vulnerability and the link that's going to point to the bulletin once it's released.
  • 2010-10-01: MSRC communicates the tentative bulletin number for this vulnerability, and requests to review the advisory before it's published.
  • 2010-10-01: Core replies that the draft will be sent once the technical details are finished.
  • 2010-10-07: Core sends the draft advisory.
  • 2010-10-08: MSRC acknowledges the advisory text, and confirms that the vulnerability is locally exploitable.
  • 2010-10-12: Advisory CORE-2010-0624 is published.

10. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs.

11. About Core Security 

Core Security develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, Core Impact, is the most comprehensive product for performing enterprise security assurance testing. Core Impact evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. 

12. Disclaimer

The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team.