Closed
Bug 909417
Opened 11 years ago
Closed 10 years ago
Remote vulnerability in TrueType font
Categories
(Core :: Security, defect)
Status: RESOLVED INCOMPLETE
People
(Reporter: curtisk, Assigned: jtd, NeedInfo)
Details
(Whiteboard: [reporter-external])
Attachments
(5 files)
From: lclee_vx <lclee_vx@f13-labs.net>
Subject: Re: Remote font vulnerabilities in Firefox
Date: Sat, 24 Aug 2013 12:55:00 +0800
References: <5174D91C.7030806@mozilla.org>
To: Mozilla Security <security@mozilla.org>

-----//-----

Dear Mozilla Security,

Attached is the latest bug for TrueType fonts.

Tested with:
Date Discovered: 21 August 2013
Browser: Firefox, latest version
OS: Windows 8.1 Preview, Windows 8.0 Pro, Windows 7 Ultimate

Details: please refer to the analysis report in the attachment.

Thanks,
lclee_vx / F-13 Labs

//////////--\\\\\\\\\\ Begin thread \\\\\\\\\\--//////////

Hi,

I just saw the slides from your Infiltrate talk on True-Type Font fuzzing. Looks like it was a good talk and fonts are definitely a worrying vector for us as a browser vendor.

Your diagram of the remote font attack vector on slide 46 shows a Firefox logo being exploited. Was this diagram a threat model that shows why font fuzzing is an interesting topic (accurate!) or did you find an actual malformed font attack you could smuggle through Firefox?

Although malformed fonts trigger crashes in Windows, we do consider it a Firefox vulnerability also since the browser's automatic actions have put the user at risk. Both Firefox and Chrome try to protect against such malformed fonts with the Open-Type Sanitizer (OTS) library. The ability to slip a malicious font past OTS has been worth Mozilla Bug Bounties in the past and I invite you to submit it to us if you have found one. The Chrome bug bounty probably covers OTS failures as well (I can't officially speak for them, of course) so if you find one you can report it to both of us.

Thank you,

--
Daniel Veditz
Mozilla Security Team
Updated•11 years ago
Flags: sec-bounty?
Whiteboard: [reporter-external]s → [reporter-external]
Comment 1•11 years ago
Lee, could you provide a stack trace of that crash as additional information?
Severity: normal → critical
Comment 2•11 years ago
Comment 3•11 years ago
Comment 4•11 years ago
Comment 5•11 years ago
Does not reproduce for me on 64-bit Win 7 Pro SP1. Is this something MS patched recently or does it still reproduce on Win 7 Ultimate?
Updated•11 years ago
Flags: needinfo?(mwobensmith)
Updated•11 years ago
Flags: needinfo?(lclee_vx)
Updated•11 years ago
Assignee: nobody → jdaggett
Comment 6•11 years ago
This is an attack on Microsoft's TrueType instruction VM. Based on the description in the details.docx document, this isn't something that's easy to defend against. The OTS code doesn't try to validate the fpgm table except in the most superficial way. So if the underlying OS vulnerability is there, we will be exposed to it. The one question I have is whether the same VM is used for both DirectWrite and GDI. I'm guessing this is an attack on the GDI VM but we should confirm that. If the VMs are different, one option would be to always force use of DirectWrite and use the software fallback path when hardware acceleration isn't available. Currently we fall back to GDI usage in this situation.
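The comment above describes the gap a browser-side sanitizer leaves open: it can check that the fpgm table is where the table directory says it is, and that the instruction stream is structurally sane, but a program that is perfectly well-formed can still drive the OS interpreter into a bug. The following Python is an added example, written for this page; it is not OTS code, not Mozilla's, and not the reporter's proof-of-concept. It parses the sfnt table directory with bounds checks, then walks the fpgm and prep instruction streams and reports the kind of fault a superficial check can see: PUSH operands running past the end of the table, and unbalanced or nested FDEF/ENDF. Opcode numbers are taken from the TrueType instruction set (NPUSHB 0x40, NPUSHW 0x41, PUSHB 0xB0-0xB7, PUSHW 0xB8-0xBF, FDEF 0x2C, ENDF 0x2D, POP 0x21); the sample fonts are constructed inline and the function names are mine.

```python
"""Shallow structural check of a TrueType font's hinting programs.

Added example, not OTS code. Opcode values come from the TrueType
instruction set; the sample fonts built at the bottom are constructed
test input, not fonts from this bug."""
import struct

NPUSHB, NPUSHW, FDEF, ENDF = 0x40, 0x41, 0x2C, 0x2D
PUSHB_LO, PUSHB_HI, PUSHW_LO, PUSHW_HI = 0xB0, 0xB7, 0xB8, 0xBF


def parse_table_directory(data):
    """Return {tag: bytes} for an sfnt container.

    Every offset/length pair is checked against the file size before it is
    dereferenced; that is the first thing any font sanitizer must do."""
    if len(data) < 12:
        raise ValueError("sfnt header truncated")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in (0x00010000, 0x74727565):       # 1.0 or 'true'
        raise ValueError("not a TrueType sfnt: 0x%08x" % version)
    dir_end = 12 + 16 * num_tables
    if dir_end > len(data):
        raise ValueError("table directory truncated")
    tables = {}
    for i in range(num_tables):
        entry = data[12 + 16 * i:28 + 16 * i]
        tag, _csum, off, length = struct.unpack(">4sIII", entry)
        if off < dir_end or off + length > len(data):
            raise ValueError("table %r points outside the file" % tag)
        tables[tag.decode("latin-1")] = data[off:off + length]
    return tables


def scan_instructions(code):
    """Walk one TrueType instruction stream and report structural faults.

    Only operand lengths and FDEF/ENDF pairing are checked; a stream that
    passes here can still crash a buggy interpreter at run time."""
    problems, i, depth, n_ops = [], 0, 0, 0
    while i < len(code):
        op = code[i]
        n_ops += 1
        if op in (NPUSHB, NPUSHW):          # count byte, then n bytes/words
            if i + 1 >= len(code):
                problems.append("NPUSH count byte missing at %d" % i)
                break
            width = 1 if op == NPUSHB else 2
            nxt = i + 2 + width * code[i + 1]
        elif PUSHB_LO <= op <= PUSHB_HI:    # PUSHB[abc]: abc+1 bytes
            nxt = i + 1 + (op - PUSHB_LO + 1)
        elif PUSHW_LO <= op <= PUSHW_HI:    # PUSHW[abc]: abc+1 words
            nxt = i + 1 + 2 * (op - PUSHW_LO + 1)
        else:
            nxt = i + 1
            if op == FDEF:
                if depth:
                    problems.append("nested FDEF at %d" % i)
                depth += 1
            elif op == ENDF:
                if not depth:
                    problems.append("ENDF without FDEF at %d" % i)
                depth = max(depth - 1, 0)
        if nxt > len(code):
            problems.append("push operands run past end of table at %d" % i)
            break
        i = nxt
    if depth:
        problems.append("FDEF never closed")
    return {"ops": n_ops, "problems": problems}


def check_font(data):
    """Report on fpgm and prep; None means the table is absent."""
    tables = parse_table_directory(data)
    return {tag: scan_instructions(tables[tag]) if tag in tables else None
            for tag in ("fpgm", "prep")}


def build_sfnt(tables):
    """Assemble a minimal sfnt from {tag: bytes} (constructed test input;
    checksums are left zero, which this checker does not verify)."""
    hdr = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    off = 12 + 16 * len(tables)
    directory, body = b"", b""
    for tag, blob in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag.encode(), 0, off + len(body), len(blob))
        body += blob + b"\0" * (-len(blob) % 4)
    return hdr + directory + body


# PUSHB[0] 0 / FDEF / POP / ENDF: one well-formed, empty function 0.
GOOD_FPGM = bytes([0xB0, 0x00, FDEF, 0x21, ENDF])
# NPUSHB claims 16 operand bytes but only one follows, and FDEF is never closed.
BAD_FPGM = bytes([0xB0, 0x00, FDEF, NPUSHB, 0x10, 0x01])

if __name__ == "__main__":
    for name, fpgm in (("good", GOOD_FPGM), ("bad", BAD_FPGM)):
        print(name, check_font(build_sfnt({"fpgm": fpgm, "head": b"\0" * 54})))
```

The point of the example is what it does not catch: GOOD_FPGM passes every check here and yet tells you nothing about how the GDI or DirectWrite interpreter will behave on it. That is the exposure the comment describes, and it is also why wrapping the same bytes in a WOFF container (comment 14 below) changes nothing, since the tables decompress to the identical instruction stream.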
Comment 7•11 years ago
No crash testing on Windows 7 Pro and Windows 8 Pro with and without DirectWrite enabled. Running with latest trunk.
Comment 8•11 years ago
Sorry for the late reply. I reproduce on Windows 8 Pro 32-bit.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(lclee_vx)
Updated•11 years ago
Hardware: x86_64 → x86
Updated•11 years ago
OS: Windows 7 → Windows 8
Updated•11 years ago
Attachment #797309 - Attachment mime type: application/octet-stream → application/java-archive
Comment 9•11 years ago
I get a Win8 64 blue screen of death as soon as I copy the TTF file over. I'm not even able to launch the PoC HTML file to examine Firefox. The OS says "UNEXPECTED_KERNEL_MODE_TRAP" and I get a lovely reboot. On Win7 64, no crash.
Comment 10•11 years ago
On further thought, I realized that I should probably be running this from a web server. I did, but no crash there. The font renders correctly in both today's Firefox m-c and IE10 as well. I've also noticed that the font no longer crashes the Win8 64 OS today, so I no longer have a baseline to compare this to. In summary, it's now inconclusive, and I can't say if FF mishandles this font or not.
Comment 11•11 years ago
Tested on Windows 8.1 Pro (x86) by browsing to the web server (set up with XAMPP), crash as usual. I don't understand what's wrong with your setup.

(In reply to Matt Wobensmith from comment #10)
> On further thought, I realized that I should probably be running this from a web server. I did, but no crash there. The font renders correctly in both today's Firefox m-c and IE10 as well.
>
> I've also noticed that the font no longer crashes the Win8 64 OS today, so I no longer have a baseline to compare this to.
>
> In summary, it's now inconclusive, and I can't say if FF mishandles this font or not.
Comment 12•11 years ago
Additional info: I use the latest version of Firefox. IE does not accept the TrueType font embedding in the browser. I will test on Windows 8.1 Pro x64.

(In reply to Ling Chuan Lee from comment #11)
> Tested on Windows 8.1 Pro (x86) with browsing to the web server (setup with XAMPP), crash as usual. I not understand what wrong with your setup?
>
> (In reply to Matt Wobensmith from comment #10)
> > On further thought, I realized that I should probably be running this from a web server. I did, but no crash there. The font renders correctly in both today's Firefox m-c and IE10 as well.
> >
> > I've also noticed that the font no longer crashes the Win8 64 OS today, so I no longer have a baseline to compare this to.
> >
> > In summary, it's now inconclusive, and I can't say if FF mishandles this font or not.
Comment 13•11 years ago
(In reply to Ling Chuan Lee from comment #12)
> Additional info: i use the latest version of firefox. IE not accept the TrueType font embedding in the browser. I will test the Windows 8.1 Pro x64

Ling, if you convert your TrueType font to WOFF format, IE should load the font just fine.
Updated•11 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 14•11 years ago
I converted to WOFF format and it crashes the system as well.
Tested on:
- Windows 8.1 Pro
- Firefox/Chrome (crash)
- IE (no crash)
File as per attached.
Updated•11 years ago
Attachment #830523 - Attachment mime type: application/zip → application/java-archive
Comment 15•10 years ago
@matt, could you try again with Lee's new file in its new format?
Flags: needinfo?(mwobensmith)
Comment 16•10 years ago
Using today's Firefox m-c nightly, on a fully patched Win8 x86 system, I see no crash with the woff format version or the original.
Flags: needinfo?(mwobensmith)
Comment 17•10 years ago
I also tried the latest Chrome - no crash there either. If it was an underlying OS issue, it could have been fixed.
Comment 18•10 years ago
(In reply to Matt Wobensmith from comment #16)
> Using today's Firefox m-c nightly, on a fully patched Win8 x86 system, I see no crash with the woff format version or the original.

Could you put in the exact OS version number you're testing on? Is it 8.0 or 8.1?
Comment 19•10 years ago
Sorry - I should have mentioned that this is Windows 8.0. I don't currently have access to 8.1.
Comment 20•10 years ago
(In reply to Ling Chuan Lee from comment #14)
> Created attachment 830523 [details]
> Convert to WOFF
>
> i converted to woff format and crash the system as well.
> tested on:
> - Windows 8.1 Pro
> - Firefox/Chrome (crash)
> - IE (no crash)

Is DirectWrite enabled or not when you run Firefox? Enter 'about:support' and look in the subsection under 'Graphics'; you'll see information on whether DirectWrite is enabled or not. If IE doesn't crash it may mean that the exploit is specific to the GDI font loader code and doesn't affect the DirectWrite font loader code (IE on Windows 8 only uses DirectWrite).
Updated•10 years ago
Flags: needinfo?(lclee_vx)
Comment 21•10 years ago
I retested this on Win 8.1 and turned off DirectWrite (set gfx.direct2d.disabled to true) and still did not crash.
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → INCOMPLETE
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release