exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Oct 30, 2007
Authored by John Heasman | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - It is possible to cause the Java Virtual Machine to overwrite an arbitrary memory location with an arbitrary value (repeatedly and in a stable manner) when parsing a malformed TrueType font. JDK and JRE versions 5.0 Update 9 and below as well as SDK and JRE versions 1.4.2_14 and below are affected.

tags | advisory, java, arbitrary
SHA-256 | 0f0ebea1254e1ec07669df846e6a69c1b0b5d28d5ec47a79fc20ee4ef9e02c1b


Change Mirror Download
Note: This advisory should have been published several months ago;
apologies for the delay -- John Heasman

Name: Memory overwrites in JVM via malformed TrueType font
Release Date: 29 October 2007
Reference: NGS00419
Discover: John Heasman <john@ngssoftware.com>
Vendor: Sun Microsystems
Systems Affected: JDK and JRE 5.0 Update 9 and earlier, SDK and JRE
1.4.2_14 and earlier
Risk: High
Status: Published

Discovered: 20 September 2006
Released: 20 September 2006
Approved: 20 September 2006
Reported: 1 November 2006
Fixed: 15 August 2007
Published: 29 October 2007

It is possible to cause the Java Virtual Machine to overwrite an arbitrary
memory location with an arbitrary value (repeatedly and in a stable
manner) when parsing a malformed TrueType font.

Impact: By coercing a user to view a malicious web page, an attacker could
instantiate an applet that executes arbitrary native code inside the

Technical Details
>From http://en.wikipedia.org/wiki/TrueType:

"TrueType systems include a virtual machine that executes programs inside
the font, processing the "hints" of the glyphs. These distort the control
points which define the outline, with the intention that the rasterizer
produces fewer undesirable features on the glyph. Each glyph's hinting
program takes account of the size (in pixels) that the glyph is being
displayed at, as well as other less important factors of the display

Although incapable of receiving input and producing output as normally
understood in programming, the TrueType hinting language does offer the
other prerequisites of programming languages: conditional branching (IF
statements), looping an arbitrary number of times (FOR- and WHILE-type
statements), variables (although these are simply numbered slots in an
area of memory reserved by the font), and encapsulation of code into
functions. Special instructions called "delta hints" are the lowest level
control, moving a control point at just one pixel size."

There are two instructions for writing values to the Control Value Table
(CVT) which holds global variables that can be used by multiple glyphs.
One of these functions does not perform sufficient validation on the
supplied index. This allows a font to write a scaled value relative to
the base of the dynamically allocated CVT. The scaling factor is based on
the requested size of the font - setting this to 32 results in a factor of

In order to write to an arbitrary location the base of the CVT must first
be determined. The instruction to read from the CVT was also found not to
validate its index, so this can be used to read memory relative to the CVT
base. At an offset of -0x38 DWORDs there is a pointer to the end of the
CVT; this can be used to determine the CVT base. The end result is that an
arbitrary value can be written to an arbitrary value repeatedly. An
attacker can make use of the VM instructions to implement "pre-exploit"
logic that determines the browser, operating system and architecture
before deploying a chosen payload. This facilitates creation of a
cross-browser, cross-operating system, cross-architecture exploit.

Fix Information
This issue is addressed in the following releases (for Solaris, Linux, and

JDK and JRE 5.0 Update 10 or later
SDK and JRE 1.4.2_15 or later

Further information is available at:

NGSSoftware Insight Security Research
+44(0)208 401 0070


The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402
Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    17 Files
  • 26
    Sep 26th
    3 Files
  • 27
    Sep 27th
    13 Files
  • 28
    Sep 28th
    5 Files
  • 29
    Sep 29th
    12 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By