The_Arhitect Posted June 13, 2012 Report Share Posted June 13, 2012 OpenType Font File Format DoS Exploit for Windows************************************************************************ OpenType font file format remote (client-side) DoS exploit for Windows By Oleksiuk Dmytro (aka Cr4sh) http://twitter.com/d_olex http://blog.cr4.sh mailto:cr4sh0@gmail.com************************************************************************INFO:Zero day vulnerability exists in kernel-mode library ATMFD.DLL, that using by OS for working with PostScript-based OpenType font files (.OTF)Vulnerable versions of Windows/ATMFD.DLL: all, x32 and x64.Opening malicious .OTF font file, that can be embedded in Microsoft Office document or web-page, causes a BSoD on NT 5.x (Windows XP, Server 2003) and 100% CPU overage on NT 6.x (Vista, 7, Server 2008).To trigger vulnerability -- double click on CFF_Type-1_0x0d_expl.otfThe point of vulnerability -- invalid decoding of 0x0d byte in the Type 2 Charstring Format Glyph, that drops ATMFD.DLL code into the infinite loop."good" glyph representation: [68]={ 95 112 99 65 61 vhcurveto endchar }Malicious glyph representation: [68]={ 95 112 99 65 reserved13 vhcurveto endchar }This vulnerability was found with MsFontsFuzz fuzzer, that can be downloaded on https://github.com/Cr4sh/MsFontsFuzzMore detailed vulnerability analysis can be found at http://blog.cr4.sh/2012/06/0day-windows.html (russian, use Google Translate).====POC====http://www.exploit-db.com/sploits/19089.rarSursa: OpenType Font File Format DoS Exploit for Windows Quote Link to comment Share on other sites More sharing options...
