
NGS00419.txt

Posted Oct 30, 2007
Authored by John Heasman | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - It is possible to cause the Java Virtual Machine to overwrite an arbitrary memory location with an arbitrary value (repeatedly and in a stable manner) when parsing a malformed TrueType font. JDK and JRE versions 5.0 Update 9 and below as well as SDK and JRE versions 1.4.2_14 and below are affected.

tags | advisory, java, arbitrary
SHA-256 | 0f0ebea1254e1ec07669df846e6a69c1b0b5d28d5ec47a79fc20ee4ef9e02c1b

Note: This advisory should have been published several months ago;
apologies for the delay -- John Heasman

=======
Summary
=======
Name: Memory overwrites in JVM via malformed TrueType font
Release Date: 29 October 2007
Reference: NGS00419
Discoverer: John Heasman <john@ngssoftware.com>
Vendor: Sun Microsystems
Systems Affected: JDK and JRE 5.0 Update 9 and earlier, SDK and JRE
1.4.2_14 and earlier
Risk: High
Status: Published

========
TimeLine
========
Discovered: 20 September 2006
Released: 20 September 2006
Approved: 20 September 2006
Reported: 1 November 2006
Fixed: 15 August 2007
Published: 29 October 2007

===========
Description
===========
It is possible to cause the Java Virtual Machine to overwrite an arbitrary
memory location with an arbitrary value (repeatedly and in a stable
manner) when parsing a malformed TrueType font.

Impact: By coercing a user to view a malicious web page, an attacker could
instantiate an applet that executes arbitrary native code inside the
browser.


=================
Technical Details
=================
From http://en.wikipedia.org/wiki/TrueType:

"TrueType systems include a virtual machine that executes programs inside
the font, processing the "hints" of the glyphs. These distort the control
points which define the outline, with the intention that the rasterizer
produces fewer undesirable features on the glyph. Each glyph's hinting
program takes account of the size (in pixels) that the glyph is being
displayed at, as well as other less important factors of the display
environment.

Although incapable of receiving input and producing output as normally
understood in programming, the TrueType hinting language does offer the
other prerequisites of programming languages: conditional branching (IF
statements), looping an arbitrary number of times (FOR- and WHILE-type
statements), variables (although these are simply numbered slots in an
area of memory reserved by the font), and encapsulation of code into
functions. Special instructions called "delta hints" are the lowest level
control, moving a control point at just one pixel size."

There are two instructions for writing values to the Control Value Table
(CVT) which holds global variables that can be used by multiple glyphs.
One of these functions does not perform sufficient validation on the
supplied index. This allows a font to write a scaled value relative to
the base of the dynamically allocated CVT. The scaling factor is based on
the requested size of the font - setting this to 32 results in a factor of
1.

In order to write to an arbitrary location the base of the CVT must first
be determined. The instruction to read from the CVT was also found not to
validate its index, so this can be used to read memory relative to the CVT
base. At an offset of -0x38 DWORDs there is a pointer to the end of the
CVT; this can be used to determine the CVT base. The end result is that an
arbitrary value can be written to an arbitrary location repeatedly. An
attacker can make use of the VM instructions to implement "pre-exploit"
logic that determines the browser, operating system and architecture
before deploying a chosen payload. This facilitates creation of a
cross-browser, cross-operating system, cross-architecture exploit.
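The two paragraphs above describe the defect class rather than a single line of code: CVT read and write instructions take an index supplied by the font and use it as an offset from a dynamically allocated table without checking it. The C program below is an added example written for this page, not code from Sun's JVM or from NGSSoftware. It is a toy TrueType hint interpreter that handles only PUSHB/PUSHW, WCVTP, WCVTF and RCVT (the opcode numbers are from the TrueType instruction set; the advisory does not say which of the two write instructions lacked the check) and shows the bounds check that must gate every CVT access, together with the FUnit-to-pixel scaling under which a 32 ppem request gives a factor of exactly 1 when the font's units per em is 2048 (an assumption here). The three hint programs are constructed for the example; one of them reads at the -0x38 offset the advisory mentions and is rejected.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Opcodes from the TrueType instruction set. */
#define OP_WCVTP 0x44   /* write CVT entry, value already in pixels (F26Dot6) */
#define OP_RCVT  0x45   /* read CVT entry and push it                         */
#define OP_WCVTF 0x70   /* write CVT entry, value in FUnits scaled to pixels  */
#define OP_PUSHB 0xB0   /* PUSHB[n], 0xB0..0xB7: push n+1 unsigned bytes      */
#define OP_PUSHW 0xB8   /* PUSHW[n], 0xB8..0xBF: push n+1 signed 16-bit words */

typedef int32_t F26Dot6;   /* 26.6 fixed point: 64 == one pixel */

enum { ERR_OK = 0, ERR_CVT_INDEX = 1, ERR_STACK = 2, ERR_OPCODE = 3, ERR_ALLOC = 4 };

typedef struct {
    F26Dot6 *cvt;          /* dynamically allocated, scaled CVT copy */
    int32_t  cvt_count;
    uint32_t ppem;         /* requested pixel size of the font       */
    uint32_t units_per_em; /* assumption: 2048, the common value     */
    int32_t  stack[32];
    int      sp;
} vm_t;

/* The validation the advisory says was missing: an index is only used as an
 * offset from the CVT base after this check passes. */
static int cvt_index_ok(const vm_t *vm, int32_t index) {
    return index >= 0 && index < vm->cvt_count;
}

/* FUnits -> F26Dot6 at the current ppem. With 2048 units per em the factor
 * is ppem/32, so a font requested at 32 ppem is scaled by exactly 1. */
static F26Dot6 scale_funits(const vm_t *vm, int32_t funits) {
    return (F26Dot6)((int64_t)funits * vm->ppem * 64 / vm->units_per_em);
}

static int push(vm_t *vm, int32_t v) {
    if (vm->sp >= 32) return ERR_STACK;
    vm->stack[vm->sp++] = v;
    return ERR_OK;
}
static int pop(vm_t *vm, int32_t *v) {
    if (vm->sp <= 0) return ERR_STACK;
    *v = vm->stack[--vm->sp];
    return ERR_OK;
}

/* Interpret one hint program; stops with ERR_CVT_INDEX on the first CVT
 * access outside the allocation instead of reading or writing past it. */
static int run_hints(vm_t *vm, const uint8_t *prog, size_t len) {
    size_t pc = 0;
    int err, n;
    int32_t index, value;
    while (pc < len) {
        uint8_t op = prog[pc++];
        if (op >= OP_PUSHB && op <= OP_PUSHB + 7) {            /* PUSHB[n] */
            n = (op - OP_PUSHB) + 1;
            if (pc + (size_t)n > len) return ERR_OPCODE;
            for (int i = 0; i < n; i++)
                if ((err = push(vm, prog[pc++])) != ERR_OK) return err;
        } else if (op >= OP_PUSHW && op <= OP_PUSHW + 7) {     /* PUSHW[n] */
            n = (op - OP_PUSHW) + 1;
            if (pc + 2 * (size_t)n > len) return ERR_OPCODE;
            for (int i = 0; i < n; i++, pc += 2) {
                int16_t w = (int16_t)(uint16_t)((prog[pc] << 8) | prog[pc + 1]);
                if ((err = push(vm, w)) != ERR_OK) return err;
            }
        } else if (op == OP_WCVTP || op == OP_WCVTF) {
            if ((err = pop(vm, &value)) != ERR_OK) return err;
            if ((err = pop(vm, &index)) != ERR_OK) return err;
            if (!cvt_index_ok(vm, index)) return ERR_CVT_INDEX;
            vm->cvt[index] = (op == OP_WCVTF) ? scale_funits(vm, value) : value;
        } else if (op == OP_RCVT) {
            if ((err = pop(vm, &index)) != ERR_OK) return err;
            if (!cvt_index_ok(vm, index)) return ERR_CVT_INDEX;
            if ((err = push(vm, vm->cvt[index])) != ERR_OK) return err;
        } else {
            return ERR_OPCODE;
        }
    }
    return ERR_OK;
}

/* Run a program against a fresh zeroed CVT; returns the error code and, if
 * top is non-NULL and the stack is non-empty, the top-of-stack value. */
int run_program(int32_t cvt_count, uint32_t ppem,
                const uint8_t *prog, size_t len, int32_t *top) {
    vm_t vm;
    memset(&vm, 0, sizeof vm);
    vm.cvt = calloc((size_t)cvt_count, sizeof(F26Dot6));
    if (!vm.cvt) return ERR_ALLOC;
    vm.cvt_count = cvt_count;
    vm.ppem = ppem;
    vm.units_per_em = 2048;                                  /* assumption */
    int err = run_hints(&vm, prog, len);
    if (top && vm.sp > 0) *top = vm.stack[vm.sp - 1];
    free(vm.cvt);
    return err;
}

/* Constructed hint programs; not taken from any real font. */
static const uint8_t PROG_SCALED_WRITE[] = {
    0xB8, 0x00, 0x03,      /* PUSHW[0] 3   : CVT index                      */
    0xB8, 0x00, 0x64,      /* PUSHW[0] 100 : value in FUnits                */
    OP_WCVTF,              /* cvt[3] = 100 * (32/32) = 100 at 32 ppem       */
    0xB0, 0x03, OP_RCVT    /* PUSHB[0] 3; RCVT leaves cvt[3] on the stack   */
};
static const uint8_t PROG_NEGATIVE_READ[] = {
    0xB8, 0xFF, 0xC8,      /* PUSHW[0] -0x38: the offset the advisory reads */
    OP_RCVT
};
static const uint8_t PROG_PAST_END[] = {
    0xB1, 0x08, 0x01,      /* PUSHB[1] 8, 1 : index 8 of an 8-entry CVT    */
    OP_WCVTP
};

int demo_scaled_write(void) {
    int32_t top = -1;
    run_program(8, 32, PROG_SCALED_WRITE, sizeof PROG_SCALED_WRITE, &top);
    return top;
}
int demo_negative_read(void) {
    return run_program(8, 32, PROG_NEGATIVE_READ, sizeof PROG_NEGATIVE_READ, NULL);
}
int demo_past_end(void) {
    return run_program(8, 32, PROG_PAST_END, sizeof PROG_PAST_END, NULL);
}

int main(void) {
    printf("scaled write, read back: %d\n", demo_scaled_write());
    printf("read at -0x38: err %d (ERR_CVT_INDEX = %d)\n", demo_negative_read(), ERR_CVT_INDEX);
    printf("write at index 8 of 8: err %d\n", demo_past_end());
    return 0;
}
```

The point of routing every access through cvt_index_ok is that the check sits in one place and covers the read instruction as well as both writes; the advisory's read primitive at a negative offset and its write primitive are the same missing check seen from two sides, so a fix that only hardens the write path would still leave the base-address disclosure. A harness like this is also a convenient target for fuzzing hint programs before a font reaches a production rasterizer.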

===============
Fix Information
===============
This issue is addressed in the following releases (for Solaris, Linux, and
Windows):

JDK and JRE 5.0 Update 10 or later
SDK and JRE 1.4.2_15 or later

Further information is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103024-1


NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
