Remote vulnerability in TrueType font

Status: RESOLVED INCOMPLETE
Product: Core
Component: Security
Severity: critical
Reported: 4 years ago
Modified: 2 years ago

People: Reporter: curtisk, Assigned: jtd, NeedInfo

Tracking
Version: unspecified
Hardware: x86
OS: Windows 8
Points: ---
Bug Flags: sec-bounty -
Firefox Tracking Flags: (Not tracked)

Details
Whiteboard: [reporter-external]

Attachments: 5 attachments

From: lclee_vx <lclee_vx@f13-labs.net>
Subject: Re: Remote font vulnerabilities in Firefox
Date: Sat, 24 Aug 2013 12:55:00 +0800
References: <5174D91C.7030806@mozilla.org>
To: Mozilla Security <security@mozilla.org>
-----//-----
Dear Mozilla Security,

Attached is the latest bug for TrueType font. Tested with:
Date Discovered: 21 August 2013
Browser: Firefox Latest version
OS: Windows 8.1 Preview, Windows 8.0 Pro, Windows Ultimate 7
Details: please refer to the analysis report in attachment

thanks,
from lclee_vx /F-13 Labs
//////////--\\\\\\\\\\
Begin thread
\\\\\\\\\\--//////////
Hi, I just saw the slides from your Infiltrate talk on True-Type Font fuzzing. Looks like it was a good talk and fonts are definitely a worrying vector for us as a browser vendor.

Your diagram of the remote font attack vector on slide 46 shows a Firefox logo being exploited. Was this diagram a threat model that shows why font fuzzing is an interesting topic (accurate!) or did you find an actual malformed font attack you could smuggle through Firefox?

Although malformed fonts trigger crashes in Windows, we do consider it a Firefox vulnerability also since the browser's automatic actions have put the user at risk. Both Firefox and Chrome try to protect against such malformed fonts with the Open-Type Sanitizer (OTS) library. The ability to slip a malicious font past OTS has been worth Mozilla Bug Bounties in the past and I invite you to submit it to us if you have found one. The Chrome bug bounty probably covers OTS failures as well (I can't officially speak for them, of course) so if you find one you can report it to both of us.

Thank you,
-- 
Daniel Veditz
Mozilla Security Team
Flags: sec-bounty?
Whiteboard: [reporter-external]s → [reporter-external]
Lee, could you provide a stack trace of that crash as additional information?
Severity: normal → critical
Created attachment 795545 [details]
Details.docx
Created attachment 795546 [details]
Crash.html
Created attachment 795547 [details]
fuzzed_2.ttf
Does not reproduce for me on 64-bit Win 7 Pro SP1. Is this something MS patched recently or does it still reproduce on Win 7 Ultimate?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(lclee_vx)
(Assignee)

Updated

4 years ago
Assignee: nobody → jdaggett
(Assignee)

Comment 6

4 years ago
This is an attack on Microsoft's TrueType instruction VM.  Based on the description in the details.docx document, this isn't something that's easy to defend against.  The OTS code doesn't try to validate the fpgm table except in the most superficial way.  So if the underlying OS vulnerability is there, we will be exposed to it.

The one question I have is whether the same VM is used for both DirectWrite and GDI.  I'm guessing this is an attack on the GDI VM but we should confirm that.  If the VMs are different, one option would be to always force use of DirectWrite and use the software fallback path when hardware acceleration isn't available.  Currently we fall back to GDI usage in this situation.
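Comment 6 notes that OTS checks the fpgm table only superficially (bounds and checksums, not the instruction stream). The following is added example code, not from the bug, OTS or Firefox: it walks an sfnt table directory, bounds-checks and checksums each table, and reports the sizes of the hinting tables (fpgm/prep/cvt) that the TrueType VM executes. The font it parses is a constructed in-memory stub, not the attached file.

```python
import struct

# Added example: parse an sfnt table directory, apply the superficial checks
# (table within file bounds, checksum matches) and report hinting-table sizes.
# SAMPLE_FONT is constructed here; it has a directory and four tiny tables only.

def table_checksum(table: bytes) -> int:
    """OpenType table checksum: big-endian uint32 sum over zero-padded data."""
    padded = table + b"\0" * (-len(table) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF

def parse_table_directory(data: bytes) -> dict:
    """Return {tag: (offset, length, checksum_ok)}; raise on a malformed directory."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    sfnt_version, num_tables = struct.unpack(">IH", data[:6])
    if sfnt_version not in (0x00010000, 0x74727565):  # 1.0 or 'true'
        raise ValueError("not a TrueType sfnt: 0x%08x" % sfnt_version)
    if 12 + 16 * num_tables > len(data):
        raise ValueError("table directory runs past end of file")
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        tag, checksum, offset, length = struct.unpack(">4sIII", data[rec:rec + 16])
        if offset + length > len(data):
            raise ValueError("table %r runs past end of file" % tag)
        ok = checksum == table_checksum(data[offset:offset + length])
        tables[tag.decode("latin-1")] = (offset, length, ok)
    return tables

def hinting_summary(tables: dict) -> dict:
    """Sizes in bytes of the instruction tables the TrueType VM executes."""
    return {tag: tables[tag][1] for tag in ("fpgm", "prep", "cvt ") if tag in tables}

def build_font(tables: dict) -> bytes:
    """Constructed sample: assemble a bare sfnt blob from {tag: bytes}."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    directory, body, offset = b"", b"", 12 + 16 * num
    for tag, content in tables.items():
        padded = content + b"\0" * (-len(content) % 4)
        directory += struct.pack(">4sIII", tag.encode("latin-1"),
                                 table_checksum(content), offset, len(content))
        body += padded
        offset += len(padded)
    return header + directory + body

SAMPLE_FONT = build_font({"fpgm": b"\xb0\x01\x2c", "prep": b"\xb0\x00",
                          "cvt ": b"\x00\x10\x00\x20", "glyf": b"\x00"})
```

Running `hinting_summary(parse_table_directory(SAMPLE_FONT))` reports the three instruction tables and their sizes; a truncated or checksum-tampered font is rejected or flagged by the same walk.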
(Assignee)

Comment 7

4 years ago
No crash testing on Windows 7 Pro and Windows 8 Pro with and without DirectWrite enabled.  Running with latest trunk.

Comment 8

4 years ago
Created attachment 797309 [details]
082913-37674-01.dmp.zip is the crash dump I reproduced on Windows 8 Pro 32-bit

Sorry for the late reply. I reproduced it on Windows 8 Pro 32-bit.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(lclee_vx)
Hardware: x86_64 → x86
OS: Windows 7 → Windows 8
Attachment #797309 - Attachment mime type: application/octet-stream → application/java-archive
I get a Win8 64 blue screen of death as soon as I copy the TTF file over. I'm not even able to launch the PoC HTML file to examine Firefox. The OS says "UNEXPECTED_KERNEL_MODE_TRAP" and I get a lovely reboot.

On Win7 64, no crash.
On further thought, I realized that I should probably be running this from a web server. I did, but no crash there. The font renders correctly in both today's Firefox m-c and IE10 as well.

I've also noticed that the font no longer crashes the Win8 64 OS today, so I no longer have a baseline to compare this to.

In summary, it's now inconclusive, and I can't say if FF mishandles this font or not.

Comment 11

4 years ago
Tested on Windows 8.1 Pro (x86) with browsing to the web server (set up with XAMPP), crash as usual. I do not understand what is wrong with your setup?

(In reply to Matt Wobensmith from comment #10)
> On further thought, I realized that I should probably be running this from a
> web server. I did, but no crash there. The font renders correctly in both
> today's Firefox m-c and IE10 as well.
> 
> I've also noticed that the font no longer crashes the Win8 64 OS today, so I
> no longer have a baseline to compare this to.
> 
> In summary, it's now inconclusive, and I can't say if FF mishandles this
> font or not.

Comment 12

4 years ago
Additional info: I use the latest version of Firefox. IE does not accept the TrueType font embedding in the browser. I will test on Windows 8.1 Pro x64.

(In reply to Ling Chuan Lee from comment #11)
> Tested on Windows 8.1 Pro (x86) with browsing to the web server (set up with
> XAMPP), crash as usual. I do not understand what is wrong with your setup?
> 
> (In reply to Matt Wobensmith from comment #10)
> > On further thought, I realized that I should probably be running this from a
> > web server. I did, but no crash there. The font renders correctly in both
> > today's Firefox m-c and IE10 as well.
> > 
> > I've also noticed that the font no longer crashes the Win8 64 OS today, so I
> > no longer have a baseline to compare this to.
> > 
> > In summary, it's now inconclusive, and I can't say if FF mishandles this
> > font or not.
(Assignee)

Comment 13

4 years ago
(In reply to Ling Chuan Lee from comment #12)
> Additional info: I use the latest version of Firefox. IE does not accept the
> TrueType font embedding in the browser. I will test on Windows 8.1 Pro x64.

Ling, if you convert your TrueType font to woff format, IE should load the font just fine.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 14

4 years ago
Created attachment 830523 [details]
Convert to WOFF

I converted it to WOFF format and it crashes the system as well.
Tested on:
- Windows 8.1 Pro
- Firefox/Chrome (crash)
- IE (no crash)

File as attached.
Attachment #830523 - Attachment mime type: application/zip → application/java-archive
@matt could you try again with Lee's new file in its new format?
Flags: needinfo?(mwobensmith)
Using today's Firefox m-c nightly, on a fully patched Win8 x86 system, I see no crash with the woff format version or the original.
Flags: needinfo?(mwobensmith)
I also tried the latest Chrome - no crash there either. If it was an underlying OS issue, it could have been fixed.
(Assignee)

Comment 18

4 years ago
(In reply to Matt Wobensmith from comment #16)
> Using today's Firefox m-c nightly, on a fully patched Win8 x86 system, I see
> no crash with the woff format version or the original.

Could you put in the example OS version number you're testing on? Is it 8.0 or 8.1?
Sorry - I should have mentioned that this is Windows 8.0. I don't currently have access to 8.1.
(Assignee)

Comment 20

4 years ago
(In reply to Ling Chuan Lee from comment #14)
> Created attachment 830523 [details]
> Convert to WOFF
> 
> i converted to woff format and crash the system as well.
> tested on:
> - Windows 8.1 Pro
> - Firefox/Chrome (crash)
> - IE (no crash)

Is DirectWrite enabled or not when you run Firefox? Enter 'about:support' and look in the subsection under 'Graphics', you'll see information on whether DirectWrite is enabled or not.  If IE doesn't crash it may mean that the exploit is specific to the GDI font loader code and doesn't affect the DirectWrite font loader code (IE on Windows 8 only uses DirectWrite).
Flags: needinfo?(lclee_vx)
I retested this on Win 8.1 and turned off DirectWrite (set gfx.direct2d.disabled to true) and still did not crash.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → INCOMPLETE

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release