siberas GmbH is a consulting company specialising in security analyses and penetration tests, which advises you competently and vendor-independently in the field of IT security.


Microsoft OpenType Font Parsing Kernel Heap Overflow Vulnerability

Reference ID: SSA-1020
Publication date: 12.10.2010
Severity: high
Discovered by: Sebastian Apelt

Affected versions: please check the Microsoft advisory for affected OS versions

The vulnerability allows for local privilege escalation due to an error in the .otf parsing code. Since parsing is performed in the kernel library atmfd.dll, code execution in ring 0 can possibly be achieved. To exploit this vulnerability a manipulated .otf file has to be opened, or one of the GDI32 API functions AddFontResource(Ex)(A/W) has to be called directly. The specific flaw exists in a routine which is meant to extract Unicode strings from the .otf ‘name’ table. A WORD value is read from the .otf user input and used as the length for a string in the name table. The string is then copied to a heap buffer in a loop with the following pseudo-code:

copySize = [controlled WORD value];
while (copySize != NULL)
{
    copy 2 bytes to heap buffer;
    copySize -= 2;
}

If an odd value is given in the .otf file, the loop's exit condition copySize == NULL (i.e. zero) is never reached: the WORD counter skips over zero and wraps around. This leads to an unbounded copy operation resulting in a heap overflow.
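The following C program is an added illustration and is not code from siberas or from atmfd.dll. It models the advisory's loop on a 16-bit counter to show why odd lengths never terminate, and places beside it a hardened copy routine that validates the length field before copying. The 'name' table layout, the field names stringOffset/stringLen and the sample table bytes are constructed for the example and are not taken from the real OpenType parser.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of the loop described in the advisory: a 16-bit length is decremented
 * by 2 until it equals zero. Nothing is copied here; the function only counts
 * how many 2-byte copies the loop would perform. Returns -1 when the counter
 * never reaches zero, which is what happens for every odd value: WORD
 * arithmetic wraps from 1 to 0xFFFF and keeps cycling over odd numbers. */
int vulnerable_loop_iterations(uint16_t copySize)
{
    long iterations = 0;
    while (copySize != 0) {
        copySize -= 2;              /* wraps modulo 65536, like a WORD */
        iterations++;
        if (iterations > 65536)     /* longer than any terminating case (max 32767) */
            return -1;
    }
    return (int)iterations;
}

/* Hardened copy of one UTF-16 string out of a (hypothetical) 'name' table.
 * table/tableLen describe the whole table as read from the file; stringOffset
 * and stringLen are the attacker-controlled record fields; dst/dstCap is the
 * destination buffer. Every length-related assumption is checked before the
 * single bounded memcpy. Return value: bytes copied, or a negative code. */
int copy_name_string(const uint8_t *table, size_t tableLen,
                     uint16_t stringOffset, uint16_t stringLen,
                     uint8_t *dst, size_t dstCap)
{
    if (stringLen % 2 != 0)
        return -1;                  /* UTF-16 data must have an even byte length */
    if (stringLen > dstCap)
        return -2;                  /* would overflow the destination buffer */
    if ((size_t)stringOffset + stringLen > tableLen)
        return -3;                  /* string record points outside the table */
    memcpy(dst, table + stringOffset, stringLen);
    return (int)stringLen;
}

/* Constructed sample table: 2 bytes of padding, then "AB" in UTF-16BE, then
 * 2 trailing bytes. Not real font data. */
const uint8_t kNameTable[8] = { 0x00, 0x00, 0x00, 0x41, 0x00, 0x42, 0x00, 0x00 };
uint8_t g_dst[16];

int main(void)
{
    printf("even length 6  -> %d iterations\n", vulnerable_loop_iterations(6));
    printf("odd  length 7  -> %d (never terminates)\n", vulnerable_loop_iterations(7));
    printf("valid record   -> %d bytes copied\n",
           copy_name_string(kNameTable, sizeof kNameTable, 2, 4, g_dst, sizeof g_dst));
    printf("odd record     -> %d\n",
           copy_name_string(kNameTable, sizeof kNameTable, 2, 3, g_dst, sizeof g_dst));
    printf("record past end-> %d\n",
           copy_name_string(kNameTable, sizeof kNameTable, 6, 4, g_dst, sizeof g_dst));
    return 0;
}
```

The order of the checks matters: rejecting odd lengths first mirrors the root cause in the advisory, while the destination and table bounds checks close the two other ways a length field can drive a copy past valid memory.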

Note: It might be possible that third-party products use the userland font API GDI32.AddFontResource(Ex)(A/W) for OpenType font files. This could potentially lead to remote exploitation vectors! So far, no remote vectors could be found for IE and MS Word. However, this has NOT been tested extensively!

Microsoft Security Advisory MS10-078