Microsoft Windows Kernel – ‘ATMFD.dll’ OTF Font Processing Stack Corruption (MS16-026)

• Exploit Database
• 16 阅读

• 作者： Google Security Research
  日期： 2016-03-14
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39561/

• Source: https://code.google.com/p/google-security-research/issues/detail?id=682
  
  We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file:
  
  ---
  DRIVER_OVERRAN_STACK_BUFFER (f7)
  A driver has overrun a stack-based buffer.This overrun could potentially
  allow a malicious user to gain control of this machine.
  DESCRIPTION
  A driver overran a stack-based buffer (or local variable) in a way that would
  have overwritten the function's return address and jumped back to an arbitrary
  address when the function returned.This is the classic "buffer overrun"
  hacking attack and the system has been brought down to prevent a malicious user
  from gaining complete control of it.
  Do a kb to get a stack backtrace -- the last routine on the stack before the
  buffer overrun handlers and bugcheck call is the one that overran its local
  variable(s).
  Arguments:
  Arg1: a6703535, Actual security check cookie from the stack
  Arg2: 98ee9e09, Expected security check cookie
  Arg3: 671161f6, Complement of the expected security check cookie
  Arg4: 00000000, zero
  
  Debugging Details:
  ------------------
  
  
  DEFAULT_BUCKET_ID:VERIFIER_ENABLED_VISTA_MINIDUMP
  
  SECURITY_COOKIE:Expected 98ee9e09 found a6703535
  
  CUSTOMER_CRASH_COUNT:1
  
  BUGCHECK_STR:0xF7
  
  PROCESS_NAME:csrss.exe
  
  CURRENT_IRQL:0
  
  ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
  
  LAST_CONTROL_TRANSFER:from 98ea5720 to 82725b84
  
  STACK_TEXT:
  a6723488 98ea5720 000000f7 a6703535 98ee9e09 nt!KeBugCheckEx+0x1e
  WARNING: Stack unwind information not available. Following frames may be wrong.
  a67234a8 98ec57f6 00000085 00400000 08680370 ATMFD+0x15720
  a672353c 98ec5b0e 00400000 a6723790 00400000 ATMFD+0x357f6
  a6723610 8297ef90 ff68a000 00000000 ff68a000 ATMFD+0x35b0e
  a6723624 99180853 3e9ca839 a6723734 98ec5063 nt!VerifierExFreePoolWithTag+0x30
  a6723638 00400000 a672364c a6723790 a6723868 win32k!VerifierEngFreeMem+0x5b
  a6723790 98e95328 98e953b4 98e953be 98e95442 0x400000
  a67237c8 00000000 00001f98 00000000 00000000 ATMFD+0x5328
  ---
  
  While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "CFF " table.
  
  The immediate reason of the bugcheck is a stack corruption detected by the stack cookie protection (/GS). The issue reproduces on Windows 7 and 8.1; other platforms were not tested. In our environment, it is sufficient to open the offending font in the default Windows Font Viewer to reproduce the crash, or even click on a folder icon containing the font in Windows Explorer.
  
  Attached is an archive with the proof-of-concept mutated OTF file, together with the original font used to generate it and a corresponding crash log from Windows 7 32-bit.
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39561.zip