Wednesday, October 13, 2010

Embedded Open Type (EOT) fonts remote code execution

There is a vulnerability in Microsoft Windows caused by incorrect processing of malformed Embedded Open Type (EOT) fonts. This vulnerability can be used to achieve remote code execution if a user views a web page containing a reference to a specially crafted font file.

EOT fonts

From Microsoft: Embedded OpenType (EOT) fonts are a compact form of fonts designed for use on Web pages. These fonts can be embedded in a document. This ensures that a user views the document exactly as the author intended.

Background

The EOT format is basically a compressed TrueType font (TTF) file. The TTF file itself can be viewed as a collection of tables. The compression process first transforms some font tables into a different format, divides the file into chunks and then uses a variant of LZ compression to compress each chunk separately. The compressed data obtained this way is added to the EOT header to form a .eot file. The decompression process first analyzes the EOT header, splits the font data into chunks, decompresses each chunk and transforms some of the tables back into TTF format. More on the EOT format and the compression/decompression process can be found at the following links:

http://www.w3.org/Submission/EOT/
http://www.w3.org/Submission/2008/SUBM-MTX-20080305/

The vulnerability

The vulnerability is an integer overflow that can occur during the conversion of the hdmx table from MicroType (the compressed format used by EOT) back to the TrueType format. By exploiting this integer overflow, the attacker can write arbitrary data to a memory location b+x, where b is the buffer location and x is an (almost arbitrary) 32-bit number controlled by the attacker.
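As an added illustration of this bug class (not code from this post or from Microsoft, and not the actual flaw, whose details are withheld), the C sketch below checks whether the records declared in a TrueType hdmx header fit in the table, first with 32-bit arithmetic that wraps and then with a widened, validated form. The function names, the sample bytes and the choice of checks are assumptions; the header layout is the public TrueType hdmx definition.

```c
#include <stddef.h>
#include <stdint.h>

/* TrueType hdmx header: version(2) numRecords(2) sizeDeviceRecord(4), big-endian. */
#define HDMX_HEADER_LEN 8u

static uint32_t be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static uint32_t be32(const uint8_t *p) { return (be16(p) << 16) | be16(p + 2); }

/* Constructed samples (hypothetical, not taken from any real font). */
const uint8_t hdmx_ok[20]  = {0,0, 0,1, 0,0,0,12};     /* 1 record of 12 bytes    */
const uint8_t hdmx_wrap[8] = {0,0, 0,2, 0x80,0,0,0};   /* 2 records of 2^31 bytes */

/* Weak form: the size sum is computed in 32 bits and wraps modulo 2^32,
 * so a huge declared size can appear to fit in a tiny table. */
int hdmx_fits_naive(const uint8_t *tbl, uint32_t len)
{
    if (len < HDMX_HEADER_LEN) return 0;
    uint32_t total = HDMX_HEADER_LEN + be16(tbl + 2) * be32(tbl + 4);
    return total <= len;
}

/* Hardened form: widen to 64 bits before multiplying, reject a negative
 * numRecords (int16 in the format), and require each record to hold
 * pixelSize + maxWidth + one width per glyph, padded to 4 bytes. */
int hdmx_fits_checked(const uint8_t *tbl, uint32_t len, uint16_t num_glyphs)
{
    if (len < HDMX_HEADER_LEN) return 0;
    uint64_t n = be16(tbl + 2), rec = be32(tbl + 4);
    uint64_t min_rec = ((uint64_t)num_glyphs + 2u + 3u) & ~(uint64_t)3u;
    if (n > 0x7FFF || rec < min_rec || (rec & 3u)) return 0;
    return HDMX_HEADER_LEN + n * rec <= (uint64_t)len;
}
```

Both functions accept the well-formed sample; only the naive one accepts the wrapping header, which is the condition under which later offset arithmetic would leave the buffer.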

Impact

This vulnerability can be used to achieve remote code execution if a user views a web page containing a reference to a specially crafted font file.

PoC

Due to the spread and the impact of the vulnerability, exploitation details will not be released at this time.

References

http://www.microsoft.com/technet/security/bulletin/MS10-076.mspx
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1883
