Note: This advisory should have been published several months ago; apologies for the delay -- John Heasman ======= Summary ======= Name: Memory overwrites in JVM via malformed TrueType font Release Date: 29 October 2007 Reference: NGS00419 Discover: John Heasman Vendor: Sun Microsystems Systems Affected: JDK and JRE 5.0 Update 9 and earlier, SDK and JRE 1.4.2_14 and earlier Risk: High Status: Published ======== TimeLine ======== Discovered: 20 September 2006 Released: 20 September 2006 Approved: 20 September 2006 Reported: 1 November 2006 Fixed: 15 August 2007 Published: 29 October 2007 =========== Description =========== It is possible to cause the Java Virtual Machine to overwrite an arbitrary memory location with an arbitrary value (repeatedly and in a stable manner) when parsing a malformed TrueType font. Impact: By coercing a user to view a malicious web page, an attacker could instantiate an applet that executes arbitrary native code inside the browser. ================= Technical Details ================= >From http://en.wikipedia.org/wiki/TrueType: "TrueType systems include a virtual machine that executes programs inside the font, processing the "hints" of the glyphs. These distort the control points which define the outline, with the intention that the rasterizer produces fewer undesirable features on the glyph. Each glyph's hinting program takes account of the size (in pixels) that the glyph is being displayed at, as well as other less important factors of the display environment. Although incapable of receiving input and producing output as normally understood in programming, the TrueType hinting language does offer the other prerequisites of programming languages: conditional branching (IF statements), looping an arbitrary number of times (FOR- and WHILE-type statements), variables (although these are simply numbered slots in an area of memory reserved by the font), and encapsulation of code into functions. Special instructions called "delta hints" are the lowest level control, moving a control point at just one pixel size." There are two instructions for writing values to the Control Value Table (CVT) which holds global variables that can be used by multiple glyphs. One of these functions does not perform sufficient validation on the supplied index. This allows a font to write a scaled value relative to the base of the dynamically allocated CVT. The scaling factor is based on the requested size of the font - setting this to 32 results in a factor of 1. In order to write to an arbitrary location the base of the CVT must first be determined. The instruction to read from the CVT was also found not to validate its index, so this can be used to read memory relative to the CVT base. At an offset of -0x38 DWORDs there is a pointer to the end of the CVT; this can be used to determine the CVT base. The end result is that an arbitrary value can be written to an arbitrary value repeatedly. An attacker can make use of the VM instructions to implement "pre-exploit" logic that determines the browser, operating system and architecture before deploying a chosen payload. This facilitates creation of a cross-browser, cross-operating system, cross-architecture exploit. =============== Fix Information =============== This issue is addressed in the following releases (for Solaris, Linux, and Windows): JDK and JRE 5.0 Update 10 or later SDK and JRE 1.4.2_15 or later Further information is available at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103024-1 NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070 -- E-MAIL DISCLAIMER The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments. The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain. NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402