[CORE-2010-0624] MS OpenType CFF Parsing Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
       http://corelabs.coresecurity.com/

MS OpenType CFF Parsing Vulnerability

1. Advisory Information

Title: MS OpenType CFF Parsing Vulnerability
Advisory Id: CORE-2010-0624
Advisory URL:
[http://www.coresecurity.com/content/ms-opentype-cff-parsing-vulnerability]
Date published: 2010-10-12
Date of last update: 2010-10-08
Vendors contacted: Microsoft
Release mode: Coordinated release

2. Vulnerability Information

Class: Input validation error [CWE-20]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2010-2741
Bugtraq ID: N/A

3. Vulnerability Description

While investigating the OpenType Compact Font Format vulnerability
disclosed in MS10-037, Diego Juarez discovered another kernel bug in the
parsing of OTF files. Loading a malformed OpenType font can cause the
entire system to crash. The vulnerability could be used locally by
attackers with access to an unprivileged account to elevate privileges
to those of a System Adminsitrator.

4. Vulnerable packages

   . Windows XP
   . Windows 2003

5. Non-vulnerable packages

   . Windows Vista
   . Windows 2008
   . Windows 7

6. Vendor Information, Solutions and Workarounds

Microsoft has released security bulletin MS10-078
[http://go.microsoft.com/fwlink/?LinkId=201084] addressing this issue.

7. Credits

This vulnerability was discovered and researched by Diego Juarez from
Core Security Technologies. Publication was coordinated by Ivan Arce and
Jorge Lucangeli Obes.

8. Technical Description / Proof of Concept Code

The vulnerability occurs in the font cache. A well-formed font is
loaded, and thus stored in the cache. Afterwards, the same font is
reloaded, but with invalid 'offset' and 'length' fields for the 'head'
table of the font. The 'offset' field is located at offset '0x64' in the
file, and the 'length' field is located at offset '0x68'. A valid
OpenType font:

/-----
0000000 544f 4f54 0b00 8000 0300 3000 4643 2046
0000010 7009 ee89 0000 b004 0000 b800 4646 4d54
0000020 1fbf 9a8f 0000 8805 0000 1c00 4447 4645
0000030 2f00 0400 0000 6805 0000 2000 534f 322f
0000040 9755 6c5b 0000 2001 0000 6000 6d63 7061
0000050 ecff f903 0000 4403 0000 4a01 6568 6461
0000060 99ef c1cf 0000 bc00 0000 3600 6868 6165
…

• -----/

The same font, with invalid 'offset' and 'length' fields:

/-----
0000000 544f 4f54 0b00 8000 0300 3000 4643 2046
0000010 7009 ee89 0000 b004 0000 b800 4646 4d54
0000020 1fbf 9a8f 0000 8805 0000 1c00 4447 4645
0000030 2f00 0400 0000 6805 0000 2000 534f 322f
0000040 9755 6c5b 0000 2001 0000 6000 6d63 7061
0000050 ecff f903 0000 4403 0000 4a01 6568 6461
0000060 99ef 00cf 00ff ffff ff00 3600 6868 6165
…

• -----/

9. Report Timeline

. 2010-06-28:
Initial notification sent to MSRC, including proof-of-concept code to
reproduce it. Publication date set to August 10, 2010.

. 2010-06-29:
MSRC acknowledges bug report. Case 10135 opened.

. 2010-06-29:
Core indicates that it has assigned id CORE-2010-0624 to this advisory.

. 2010-07-12:
Vendor confirms the vulnerability causes a Read Access Violation and
will investigate further to discard the possibility of a Write AV. Vista
and above are not affected.

. 2010-07-22:
Core ask for an update with the list of vulnerable platforms and
confirmation that fixes for the bug will be release in August 2010.

. 2010-07-23:
Vendor replies with the list of vulnerable platforms, but requests to
push the publication date forward due to the extensive variant
investigation needed.

. 2010-07-26:
Core accepts postponing the publication date, but with a firm commitment
for a future publication date, no later than October 2010.

. 2010-07-26:
Vendor replies with a commitment to release fixes on October 12th.

. 2010-07-28:
Core sets the publication date of the advisory to October 12th, and
notes that this release date is final.

. 2010-08-17:
Core verifies the list of vulnerable platforms with MSRC.

. 2010-08-17:
MSRC replies with the final list of vulnerable platforms, and confirms
the release date of the advisory to be October 12th.

. 2010-09-15:
MSRC updates the status of the case and confirms the acknowledgment for
the vulnerability.

. 2010-09-21:
Core acknowledges the update and confirms the release date of the
advisory.

. 2010-09-24:
Core requests a bulletin number for the fix, and asks if MSRC has
already requested a CVE number for the vulnerability.

. 2010-09-24:
MSRC answers with the CVE number assigned to the vulnerability and the
link that's going to point to the bulletin once it's released.

. 2010-10-01:
MSRC informs the tentative bulletin number for this vulnerability, and
requests to review the advisory before it's published.

. 2010-10-01:
Core replies that the draft will be sent once the technical details are
finished.

. 2010-10-07:
Core sends the draft advisory.

. 2010-10-08:
MSRC acknowledges the advisory text, and confirms that the vulnerability
is locally exploitable.

. 2010-10-12:
Advisory CORE-2010-0624 is published.

10. References

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://corelabs.coresecurity.com/].

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].

13. Disclaimer

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAky0jIYACgkQyNibggitWa2G7gCgndqT2EjZ7++mvRK6DzmKP4Rt
tH0AoJ7mgNjoAdvCll0iRFI7QHRSG2wK
=WNYa
-----END PGP SIGNATURE-----