iPolicy Networks Security Advisory
 

Microsoft Windows TrueType Font Parsing Vulnerability  

Date Discovered: 08/06/2010
Severity: Medium
Operating Systems Affected: Windows 2000 SP 4
Windows XP SP 2
Windows XP SP 3
Windows XP Professional x64 Edition SP 2
Windows Server 2003 SP 2
Windows Server 2003 x64 Edition SP 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista SP 1
Windows Vista SP 2
Windows Vista x64 Edition SP 1
Windows Vista x64 Edition SP 2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems SP 2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems SP 2
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems SP 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Identifiers: CVE-2010-1255
Synopsis
Microsoft Windows TrueType Font technology could allow elevation of privilege due to insufficient buffer space validation. Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code in kernel mode.
Recommended Actions
Please refer to the following link provided by Microsoft to apply the appropriate patches:
http://www.microsoft.com/technet/security/Bulletin/MS10-032.mspx
Threat Analysis
The TrueType font technology consists of two parts: the description of the fonts themselves (the TrueType font files) and a program that reads the font description and generates a bitmap representation of the font (the TrueType rasterizer). The TrueType rasterizer is a computer program that is incorporated as part of the operating system.
 
There is a remote unauthenticated vulnerability in win32k.sys that may lead to code execution in ring0 (kernel mode) context. The vulnerability occurs because a user-mode routine requests that the kernel allocate X bytes and then copy data into that allocation. When the kernel copies data into this buffer, it does not validate whether the copy will overflow the buffer.

More specifically, the vulnerability originates in win32k!NtGdiGetGlyphOutline, which takes a user-mode buffer count (X), allocates a block of memory of that size, and then copies the font outline data into this buffer without validating that the data fits within its bounds.
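As an added illustration, not code from this advisory or from win32k, the C model below contrasts the allocate-then-copy shape described above with a version that validates the caller's buffer size before copying. The outline bytes, the canary-filled arena standing in for the kernel pool, and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for one glyph's rasterized outline (not real TTF data). */
static const uint8_t kOutline[20] = {
    0x01, 0x00, 0x00, 0x00,
    0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,
    0x90, 0xA0, 0xB0, 0xC0, 0xD0, 0xE0, 0xF0, 0xFF
};
#define OUTLINE_SIZE sizeof(kOutline)

/* Toy "pool": the first cb bytes are the requested allocation; everything
 * after it is canary, standing in for whatever the kernel placed next. */
#define ARENA_SIZE 64
#define CANARY 0xAA

/* Unchecked shape: size the allocation from the caller-supplied count cb,
 * then copy the whole outline without comparing the two.
 * Returns 1 if bytes beyond the allocation were clobbered, 0 if not,
 * -1 if cb does not fit the model arena at all. */
int outline_copy_unchecked(size_t cb) {
    uint8_t arena[ARENA_SIZE];
    if (cb > ARENA_SIZE) return -1;
    memset(arena, CANARY, ARENA_SIZE);
    memcpy(arena, kOutline, OUTLINE_SIZE);      /* cb is never consulted */
    for (size_t i = cb; i < ARENA_SIZE; i++)
        if (arena[i] != CANARY) return 1;       /* wrote past the allocation */
    return 0;
}

/* Checked shape: report the required size first and refuse to copy into a
 * buffer that is too small. Returns 0 on success, -1 when cb < OUTLINE_SIZE. */
int outline_copy_checked(uint8_t *buf, size_t cb, size_t *required) {
    *required = OUTLINE_SIZE;
    if (buf == NULL || cb < OUTLINE_SIZE) return -1;
    memcpy(buf, kOutline, OUTLINE_SIZE);
    return 0;
}

/* Caller-side round trip: returns 0 when the outline was copied intact, or
 * the required byte count when the caller must retry with a larger buffer. */
int outline_fetch(size_t cb) {
    uint8_t buf[ARENA_SIZE];
    size_t required = 0;
    if (cb > ARENA_SIZE) return -1;
    if (outline_copy_checked(buf, cb, &required) != 0) return (int)required;
    return memcmp(buf, kOutline, OUTLINE_SIZE) == 0 ? 0 : -1;
}
```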
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1255

Write-up by: Ashish Joshi