-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://corelabs.coresecurity.com/ MS OpenType CFF Parsing Vulnerability 1. *Advisory Information* Title: MS OpenType CFF Parsing Vulnerability Advisory Id: CORE-2010-0624 Advisory URL: [http://www.coresecurity.com/content/ms-opentype-cff-parsing-vulnerability] Date published: 2010-10-12 Date of last update: 2010-10-08 Vendors contacted: Microsoft Release mode: Coordinated release 2. *Vulnerability Information* Class: Input validation error [CWE-20] Impact: Code execution Remotely Exploitable: No Locally Exploitable: Yes CVE Name: CVE-2010-2741 Bugtraq ID: N/A 3. *Vulnerability Description* While investigating the OpenType Compact Font Format vulnerability disclosed in MS10-037, Diego Juarez discovered another kernel bug in the parsing of OTF files. Loading a malformed OpenType font can cause the entire system to crash. The vulnerability could be used locally by attackers with access to an unprivileged account to elevate privileges to those of a System Adminsitrator. 4. *Vulnerable packages* . Windows XP . Windows 2003 5. *Non-vulnerable packages* . Windows Vista . Windows 2008 . Windows 7 6. *Vendor Information, Solutions and Workarounds* Microsoft has released security bulletin MS10-078 [http://go.microsoft.com/fwlink/?LinkId=201084] addressing this issue. 7. *Credits* This vulnerability was discovered and researched by Diego Juarez from Core Security Technologies. Publication was coordinated by Ivan Arce and Jorge Lucangeli Obes. 8. *Technical Description / Proof of Concept Code* The vulnerability occurs in the font cache. A well-formed font is loaded, and thus stored in the cache. Afterwards, the same font is reloaded, but with invalid 'offset' and 'length' fields for the 'head' table of the font. The 'offset' field is located at offset '0x64' in the file, and the 'length' field is located at offset '0x68'. A valid OpenType font: /----- 0000000 544f 4f54 0b00 8000 0300 3000 4643 2046 0000010 7009 ee89 0000 b004 0000 b800 4646 4d54 0000020 1fbf 9a8f 0000 8805 0000 1c00 4447 4645 0000030 2f00 0400 0000 6805 0000 2000 534f 322f 0000040 9755 6c5b 0000 2001 0000 6000 6d63 7061 0000050 ecff f903 0000 4403 0000 4a01 6568 6461 0000060 99ef c1cf 0000 bc00 0000 3600 6868 6165 ... - -----/ The same font, with invalid 'offset' and 'length' fields: /----- 0000000 544f 4f54 0b00 8000 0300 3000 4643 2046 0000010 7009 ee89 0000 b004 0000 b800 4646 4d54 0000020 1fbf 9a8f 0000 8805 0000 1c00 4447 4645 0000030 2f00 0400 0000 6805 0000 2000 534f 322f 0000040 9755 6c5b 0000 2001 0000 6000 6d63 7061 0000050 ecff f903 0000 4403 0000 4a01 6568 6461 0000060 99ef 00cf 00ff ffff ff00 3600 6868 6165 ... - -----/ 9. *Report Timeline* . 2010-06-28: Initial notification sent to MSRC, including proof-of-concept code to reproduce it. Publication date set to August 10, 2010. . 2010-06-29: MSRC acknowledges bug report. Case 10135 opened. . 2010-06-29: Core indicates that it has assigned id CORE-2010-0624 to this advisory. . 2010-07-12: Vendor confirms the vulnerability causes a Read Access Violation and will investigate further to discard the possibility of a Write AV. Vista and above are not affected. . 2010-07-22: Core ask for an update with the list of vulnerable platforms and confirmation that fixes for the bug will be release in August 2010. . 2010-07-23: Vendor replies with the list of vulnerable platforms, but requests to push the publication date forward due to the extensive variant investigation needed. . 2010-07-26: Core accepts postponing the publication date, but with a firm commitment for a future publication date, no later than October 2010. . 2010-07-26: Vendor replies with a commitment to release fixes on October 12th. . 2010-07-28: Core sets the publication date of the advisory to October 12th, and notes that this release date is final. . 2010-08-17: Core verifies the list of vulnerable platforms with MSRC. . 2010-08-17: MSRC replies with the final list of vulnerable platforms, and confirms the release date of the advisory to be October 12th. . 2010-09-15: MSRC updates the status of the case and confirms the acknowledgment for the vulnerability. . 2010-09-21: Core acknowledges the update and confirms the release date of the advisory. . 2010-09-24: Core requests a bulletin number for the fix, and asks if MSRC has already requested a CVE number for the vulnerability. . 2010-09-24: MSRC answers with the CVE number assigned to the vulnerability and the link that's going to point to the bulletin once it's released. . 2010-10-01: MSRC informs the tentative bulletin number for this vulnerability, and requests to review the advisory before it's published. . 2010-10-01: Core replies that the draft will be sent once the technical details are finished. . 2010-10-07: Core sends the draft advisory. . 2010-10-08: MSRC acknowledges the advisory text, and confirms that the vulnerability is locally exploitable. . 2010-10-12: Advisory CORE-2010-0624 is published. 10. *References* 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: [http://corelabs.coresecurity.com/]. 12. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at [http://www.coresecurity.com]. 13. *Disclaimer* The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/] 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at [http://www.coresecurity.com/files/attachments/core_security_advisories.asc]. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAky0jIYACgkQyNibggitWa2G7gCgndqT2EjZ7++mvRK6DzmKP4Rt tH0AoJ7mgNjoAdvCll0iRFI7QHRSG2wK =WNYa -----END PGP SIGNATURE-----