A Google Project Zero researcher has publicly disclosed details on a number of patched Adobe and Microsoft vulnerabilities, including one in the Adobe Type Manager Font Driver that could enable takeover of a number of systems supporting modern font engines.
Mateusz Jurczyk pointed the finger at how CharStrings are handled as the principal culprit, in particular the quality of the CharString interpreter function in ATMFD.dll; CharStrings provide instructions for drawing the shape of each glyph at a particular point size, he said.
ATMFD.dll has supported Type 1 and OpenType fonts in the Windows kernel dating back to NT 4.0. The researcher said that the Windows kernel module has used the same interpreter for both Type 1 and OpenType CharStrings, supporting every function in the specification and bloating it unnecessarily. He theorized that critical vulnerabilities in the code could be shared across a number of desktop software implementations. For example, Adobe’s implementation of Type 1 and OpenType font handling is found in Windows GDI, Adobe Reader, the Microsoft DirectWrite library, and Windows Presentation Foundation.
“I have ended up with multiple low to critical severity issues, with most of the serious ones reproducing in more than one font engine,” Jurczyk said.
All 15 bugs have been patched by Adobe and Microsoft in April and May. The other vulnerabilities include buffer overflows, out-of-bounds reads and writes, memory disclosure, and a read/write-what-where condition in the LOAD and STORE operators.
The ATMFD bug, however, stands out, Jurczyk said.
“It provided a specially crafted font with the ability to operate on any data on the thread’s stack with all instructions available in the Type 1 / Type 2 Charstring instruction set (including arithmetic, logic, conditional, and other instructions),” Jurczyk said. “In other words, one could reliably generate a full ROP chain on the stack within the PostScript program, with no external interaction other than loading the font in the first place.”
The bug could enable an attacker to build a full exploit chain leading to system compromise from just this one vulnerability, he said. The bug affects only 32-bit systems, but Jurczyk said he found another CharString bug that yields reliable privilege escalation on 64-bit systems and bypasses existing mitigations.
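To make the read/write-what-where point concrete, here is an added example (not the page’s or ATMFD’s code) of a toy CharString-style interpreter whose STORE and LOAD operators validate the registry index and operand-stack depth before touching memory, so a font that supplies an attacker-chosen index is rejected rather than executed. The opcode encoding, operator semantics and array sizes are constructed assumptions for this illustration, not the Type 1 / Type 2 specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Toy CharString-style VM: an operand stack plus a per-font "registry" that
 * STORE/LOAD address by index. Sizes and opcodes are constructed, not ATMFD's. */
#define STACK_MAX    48
#define REGISTRY_MAX 32
enum cs_op { OP_PUSH, OP_ADD, OP_STORE, OP_LOAD, OP_END };
typedef struct {
    int32_t stack[STACK_MAX];
    size_t  sp;
    int32_t registry[REGISTRY_MAX];
} cs_vm;
/* Every pop, push and index is validated; a font that violates a limit is
 * rejected instead of reading or writing outside the VM's own arrays. */
bool cs_run(cs_vm *vm, const int32_t *prog, size_t len, int32_t *result) {
    int32_t idx;
    for (size_t pc = 0; pc < len; pc++) {
        switch (prog[pc]) {
        case OP_PUSH:                               /* PUSH imm */
            if (++pc >= len || vm->sp >= STACK_MAX) return false;
            vm->stack[vm->sp++] = prog[pc];
            break;
        case OP_ADD:                                /* a b ADD -> a+b */
            if (vm->sp < 2) return false;           /* operand-stack underflow */
            vm->stack[vm->sp - 2] += vm->stack[vm->sp - 1]; vm->sp--;
            break;
        case OP_STORE:                              /* value idx STORE */
            if (vm->sp < 2) return false;
            idx = vm->stack[--vm->sp];
            if (idx < 0 || idx >= REGISTRY_MAX) return false; /* write-what-where guard */
            vm->registry[idx] = vm->stack[--vm->sp];
            break;
        case OP_LOAD:                               /* idx LOAD -> value */
            if (vm->sp < 1) return false;
            idx = vm->stack[vm->sp - 1];
            if (idx < 0 || idx >= REGISTRY_MAX) return false; /* read-what-where guard */
            vm->stack[vm->sp - 1] = vm->registry[idx];
            break;
        case OP_END:                                /* exactly one result must remain */
            if (vm->sp != 1) return false;
            *result = vm->stack[0]; return true;
        default:
            return false;                           /* unknown operator */
        }
    }
    return false;                                   /* program ran off the end */
}
```

Without the two index guards, the same STORE and LOAD paths would let a crafted font pick any offset relative to the registry, which is the primitive the article’s “read/write-what-where” bugs describe.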
Jurczyk presented his findings this weekend at the Recon conference in Canada during a presentation called “One Font Vulnerability to Rule them All: A Story of Cross-Software Ownage, Shared Codebases, and Advanced Exploitation.”