<<< Date Index >>>     <<< Thread Index >>>

Memory overwrites in JVM via malformed TrueType font



Note: This advisory should have been published several months ago;
apologies for the delay -- John Heasman

=======
Summary
=======
Name: Memory overwrites in JVM via malformed TrueType font
Release Date: 29 October 2007
Reference: NGS00419
Discover: John Heasman <john@xxxxxxxxxxxxxxx>
Vendor: Sun Microsystems
Systems Affected: JDK and JRE 5.0 Update 9 and earlier, SDK and JRE
1.4.2_14 and earlier
Risk: High
Status: Published

========
TimeLine
========
Discovered: 20 September 2006
Released: 20 September 2006
Approved: 20 September 2006
Reported:  1 November 2006
Fixed: 15 August 2007
Published: 29 October 2007

===========
Description
===========
It is possible to cause the Java Virtual Machine to overwrite an arbitrary
memory location with an arbitrary value (repeatedly and in a stable manner) when parsing a malformed TrueType font.

Impact: By coercing a user to view a malicious web page, an attacker could
instantiate an applet that executes arbitrary native code inside the
browser.


=================
Technical Details
=================
From http://en.wikipedia.org/wiki/TrueType:

"TrueType systems include a virtual machine that executes programs inside
the font, processing the "hints" of the glyphs. These distort the control
points which define the outline, with the intention that the rasterizer
produces fewer undesirable features on the glyph. Each glyph's hinting
program takes account of the size (in pixels) that the glyph is being
displayed at, as well as other less important factors of the display
environment.

Although incapable of receiving input and producing output as normally
understood in programming, the TrueType hinting language does offer the
other prerequisites of programming languages: conditional branching (IF
statements), looping an arbitrary number of times (FOR- and WHILE-type
statements), variables (although these are simply numbered slots in an
area of memory reserved by the font), and encapsulation of code into
functions. Special instructions called "delta hints" are the lowest level
control, moving a control point at just one pixel size."

There are two instructions for writing values to the Control Value Table
(CVT) which holds global variables that can be used by multiple glyphs.
One of these functions does not perform sufficient validation on the
supplied index.  This allows a font to write a scaled value relative to
the base of the dynamically allocated CVT.  The scaling factor is based on
the requested size of the font - setting this to 32 results in a factor of
1.

In order to write to an arbitrary location the base of the CVT must first
be determined.  The instruction to read from the CVT was also found not to
validate its index, so this can be used to read memory relative to the CVT
base.  At an offset of -0x38 DWORDs there is a pointer to the end of the
CVT; this can be used to determine the CVT base. The end result is that an
arbitrary value can be written to an arbitrary value repeatedly.  An
attacker can make use of the VM instructions to implement "pre-exploit"
logic that determines the browser, operating system and architecture
before deploying a chosen payload.  This facilitates creation of a
cross-browser, cross-operating system, cross-architecture exploit.

===============
Fix Information
===============
This issue is addressed in the following releases (for Solaris, Linux, and
Windows):

JDK and JRE 5.0 Update 10 or later
SDK and JRE 1.4.2_15 or later

Further information is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103024-1


NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402