Microsoft Windows OpenType Font – File Format Denial of Service

  • Author: Cr4sh
    Date: 2012-06-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/19089/
  • ************************************************************************
    
    OpenType font file format remote (client-side) DoS exploit for Windows
    
    By Oleksiuk Dmytro (aka Cr4sh)
    http://twitter.com/d_olex
    http://blog.cr4.sh
    mailto:cr4sh0@gmail.com
    
    ************************************************************************
    
    INFO:
    
    A zero-day vulnerability exists in the kernel-mode library ATMFD.DLL, which the OS uses to handle PostScript-based OpenType font files (.OTF).
    
    Vulnerable versions of Windows/ATMFD.DLL: all, both x32 and x64.
    
    Opening a malicious .OTF font file, which can be embedded in a Microsoft Office document or web page, causes a BSoD on NT 5.x (Windows XP, Server 2003) and 100% CPU usage on NT 6.x (Vista, 7, Server 2008).
    
    To trigger the vulnerability, double-click CFF_Type-1_0x0d_expl.otf.
    
    The root cause: invalid decoding of the 0x0d byte in a Type 2 Charstring Format glyph, which sends the ATMFD.DLL code into an infinite loop.
    
    "Good" glyph representation:
    
    [68]={
    95 112 99 65 61 vhcurveto
    endchar
    }
    
    Malicious glyph representation:
    
    [68]={
    95 112 99 65 reserved13
    vhcurveto
    endchar
    }
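As an added illustration (not part of the original advisory or the author's tooling): a small Type 2 charstring disassembler, following the operator numbering in Adobe Technical Note #5177, that rebuilds the two glyph programs shown above and reports the byte offset of any reserved one-byte operator such as 0x0d. The charstring bytes are constructed here from the operand lists quoted in the advisory; the operator tables are the Type 2 spec's own. A scanner like this, run over each entry of a CFF font's CharStrings INDEX before the file reaches the kernel font driver, is one way to flag the malformed glyph described above.

```python
"""Type 2 charstring disassembler that flags reserved operator bytes.

Added example, not from the original advisory. Operator numbering follows
Adobe Technical Note #5177 (The Type 2 Charstring Format).
"""
from typing import List, Tuple

# One-byte operators. Codes in 0..31 that are absent here (0, 2, 9, 13, 15,
# 16, 17) are reserved and must not appear in a well-formed charstring.
ONE_BYTE_OPS = {
    1: "hstem", 3: "vstem", 4: "vmoveto", 5: "rlineto", 6: "hlineto",
    7: "vlineto", 8: "rrcurveto", 10: "callsubr", 11: "return",
    14: "endchar", 18: "hstemhm", 19: "hintmask", 20: "cntrmask",
    21: "rmoveto", 22: "hmoveto", 23: "vstemhm", 24: "rcurveline",
    25: "rlinecurve", 26: "vvcurveto", 27: "hhcurveto", 29: "callgsubr",
    30: "vhcurveto", 31: "hvcurveto",
}
# Two-byte operators introduced by the escape byte 12.
ESCAPED_OPS = {
    3: "and", 4: "or", 5: "not", 9: "abs", 10: "add", 11: "sub", 12: "div",
    14: "neg", 15: "eq", 18: "drop", 20: "put", 21: "get", 22: "ifelse",
    23: "random", 24: "mul", 26: "sqrt", 27: "dup", 28: "exch", 29: "index",
    30: "roll", 34: "hflex", 35: "flex", 36: "hflex1", 37: "flex1",
}
STEM_OPS = {1, 3, 18, 23}  # each operand pair declares one hint


def encode_number(v: int) -> bytes:
    """Encode an integer operand in Type 2 charstring form."""
    if -107 <= v <= 107:
        return bytes([v + 139])
    if 108 <= v <= 1131:
        v -= 108
        return bytes([(v >> 8) + 247, v & 0xFF])
    if -1131 <= v <= -108:
        v = -v - 108
        return bytes([(v >> 8) + 251, v & 0xFF])
    return bytes([28, (v >> 8) & 0xFF, v & 0xFF])  # shortint


def disassemble(cs: bytes) -> Tuple[List[str], List[int]]:
    """Walk a charstring; return (tokens, offsets of reserved operators)."""
    tokens: List[str] = []
    reserved: List[int] = []
    stack: List[float] = []
    nhints = 0
    i = 0
    while i < len(cs):
        b0 = cs[i]
        if b0 < 32 and b0 != 28:  # operator byte
            if b0 == 12:
                name = ESCAPED_OPS.get(cs[i + 1])
                if name is None:
                    reserved.append(i)
                    name = "reserved12_%d" % cs[i + 1]
                i += 2
            else:
                name = ONE_BYTE_OPS.get(b0)
                if name is None:
                    reserved.append(i)
                    name = "reserved%d" % b0
                i += 1
                if b0 in STEM_OPS:
                    nhints += len(stack) // 2
                elif b0 in (19, 20):
                    # hintmask/cntrmask: operands still on the stack are an
                    # implicit vstem; then one mask bit per hint follows.
                    nhints += len(stack) // 2
                    i += (nhints + 7) // 8
            tokens.append(name)
            stack.clear()
            continue
        # operand byte(s)
        if b0 == 28:
            v = int.from_bytes(cs[i + 1:i + 3], "big", signed=True)
            i += 3
        elif b0 <= 246:
            v = b0 - 139
            i += 1
        elif b0 <= 250:
            v = (b0 - 247) * 256 + cs[i + 1] + 108
            i += 2
        elif b0 <= 254:
            v = -(b0 - 251) * 256 - cs[i + 1] - 108
            i += 2
        else:  # 255: 16.16 fixed-point
            v = int.from_bytes(cs[i + 1:i + 5], "big", signed=True) / 65536
            i += 5
        stack.append(v)
        tokens.append(str(v))
    return tokens, reserved


def glyph_bytes(malicious: bool) -> bytes:
    """Constructed charstrings for the two glyph programs quoted above."""
    body = b"".join(encode_number(v) for v in (95, 112, 99, 65))
    body += b"\x0d" if malicious else encode_number(61)  # reserved13 vs. 61
    return body + bytes([30, 14])  # vhcurveto, endchar


def scan(cs: bytes) -> List[int]:
    """Offsets of reserved operators; an empty list means the glyph is clean."""
    return disassemble(cs)[1]


if __name__ == "__main__":
    for label, flag in (("good", False), ("malicious", True)):
        toks, bad = disassemble(glyph_bytes(flag))
        print(label, " ".join(toks), "reserved at", bad)
```

The scanner treats the whole 0..31 range as operator space, so any reserved code, not just 13, is reported with its offset; the hintmask bookkeeping matters because mask bytes would otherwise be misread as operands and shift every later offset.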
    
    This vulnerability was found with the MsFontsFuzz fuzzer, which can be downloaded from https://github.com/Cr4sh/MsFontsFuzz
    
    A more detailed vulnerability analysis can be found at http://blog.cr4.sh/2012/06/0day-windows.html (in Russian; use Google Translate).
    
    ====
    POC
    ====
    
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19089.rar