Wednesday, October 13, 2010

Embedded Open Type (EOT) fonts remote code execution

There is a vulnerability in Microsoft Windows caused by incorrect processing of malformed Embedded Open Type (EOT) fonts. This vulnerability can be used to achieve remote code execution if a user views a web page containing a reference to a specially crafted font file.

EOT fonts

From Microsoft: Embedded OpenType (EOT) fonts are a compact form of fonts designed for use on Web pages. These fonts can be embedded in a document. This ensures that a user views the document exactly as the author intended.

Background

The EOT format is essentially a compressed TrueType font (TTF) file. A TTF file itself can be viewed as a collection of tables. The compression process first transforms some font tables into a different format, divides the file into chunks and then uses a variant of LZ compression to compress each chunk separately. The compressed data thus obtained is added to the EOT header to form a .eot file. The decompression process first parses the EOT header, splits the font data into chunks, decompresses each chunk and transforms some of the tables back into TTF format. More on the EOT format and the compression/decompression process can be found at the following links:

http://www.w3.org/Submission/EOT/
http://www.w3.org/Submission/2008/SUBM-MTX-20080305/

The vulnerability

The vulnerability is an integer overflow that can occur during the conversion of the hdmx table from MicroType (the compressed format used by EOT) back to the TrueType format. By exploiting this integer overflow, an attacker can write arbitrary data to the memory location b+x, where b is the buffer address and x is an (almost arbitrary) 32-bit number controlled by the attacker.
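To illustrate the bug class described above, here is an added example that is not the author's code and does not reproduce the withheld MS10-076 defect: a hdmx record-array size computed in 32 bits wraps on header fields taken from the file, while a 64-bit, bounds-checked version rejects the same table before anything is copied. The header layout (version, numRecords, sizeDeviceRecord) follows the public TrueType spec; the two sample tables are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* hdmx header as laid out in the TrueType spec, big-endian:
   uint16 version, int16 numRecords, int32 sizeDeviceRecord, then the records. */
#define HDMX_HEADER_LEN 8
typedef struct { uint16_t version; int16_t num_records; int32_t size_device_record; } hdmx_header;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

bool parse_hdmx_header(const uint8_t *buf, size_t len, hdmx_header *h) {
    if (len < HDMX_HEADER_LEN) return false;
    h->version            = rd16(buf);
    h->num_records        = (int16_t)rd16(buf + 2);
    h->size_device_record = (int32_t)rd32(buf + 4);
    return true;
}

/* Naive size of the record array: the 32-bit product wraps silently, so a header
   claiming enormous records can still look as if it fits inside the table. */
uint32_t hdmx_naive_size_of(const uint8_t *buf, size_t len) {
    hdmx_header h;
    if (!parse_hdmx_header(buf, len, &h)) return 0;
    return (uint32_t)h.num_records * (uint32_t)h.size_device_record;
}

/* Checked version: reject negative fields, multiply in 64 bits and require the
   result to fit in the bytes that actually follow the header. Returns the
   record-array size, or -1 if the table must be rejected before any copy. */
int64_t hdmx_checked_size_of(const uint8_t *buf, size_t len) {
    hdmx_header h;
    if (!parse_hdmx_header(buf, len, &h)) return -1;
    if (h.num_records < 0 || h.size_device_record < 0) return -1;
    uint64_t need = (uint64_t)h.num_records * (uint64_t)h.size_device_record;
    if (need > len - HDMX_HEADER_LEN) return -1;
    return (int64_t)need;
}

/* Constructed 16-byte sample tables (not taken from any real font). */
const uint8_t hdmx_sample_ok[16] = {
    0x00,0x00, 0x00,0x01, 0x00,0x00,0x00,0x08,   /* 1 record of 8 bytes */
    0x0C,0x08, 1,2,3,4,5,6 };                    /* pixelSize, maxWidth, widths */
const uint8_t hdmx_sample_wrap[16] = {
    0x00,0x00, 0x00,0x04, 0x40,0x00,0x00,0x02,   /* 4 records of 0x40000002 bytes: */
    0,0,0,0,0,0,0,0 };                           /* 4 * 0x40000002 wraps to 8 */
```

The naive computation reports 8 bytes for the second table, exactly what follows the header, even though each of its four declared records is over a gigabyte; the checked computation refuses it.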

Impact

This vulnerability can be used to achieve remote code execution if a user views a web page containing a reference to a specially crafted font file.

PoC

Due to the spread and the impact of the vulnerability, exploiting details will not be released at this time.

References

http://www.microsoft.com/technet/security/bulletin/MS10-076.mspx
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1883