Of TrueType Font Vulnerabilities and the Windows Kernel

This month’s Patch Tuesday security bulletins called attention to vulnerabilities in the Windows kernel’s font-processing engine, which had been exploited previously in Duqu and other targeted attacks.

Font-parsing vulnerabilities weren’t part of the security consciousness much until the discovery of Duqu at the end of 2011. The spy malware hooked into the Windows kernel through bugs in the TrueType font file parsing engine, and not only breathed new life into the concept of cyber espionage, but helped rejuvenate an interest in kernel-level vulnerabilities and exploits.

Already this year, there have been successful sandbox bypasses leading to kernel compromises demonstrated at Pwn2Own and Black Hat EU. And every single Patch Tuesday release from Microsoft going back to last October has included patches for kernel bugs, including some being actively exploited in the wild. The July Patch Tuesday updates released this week were particularly noteworthy with three separate bulletins addressing vulnerabilities in seven different Microsoft products affected by the same TrueType font flaw.

This dynamic seems to bust the myth that attackers are solely interested in Web-based vulnerabilities and attacks against Java or Adobe bugs. Kernel attacks may be difficult, but they deliver hackers what they covet most: root access to computers, complete system compromises, and the ability to remotely inject code on a whim. And let’s not forget that kernel-based attacks are starting to go mainstream, given that the Duqu exploit has been folded into the Blackhole and Cool exploit kits, even though most of these vulnerabilities, the Duqu vulnerability included, have been patched.

White hats—and criminals—have been paying particularly close attention to the TrueType font file exploits. Attacks like these are executed via an embedded malicious font file dropped into an Office document, such as a Word file. Once the user opens the malicious file—delivered either via a spear phishing email or over the Web—the exploit targets a vulnerability in kernel-mode drivers that improperly handle malicious TrueType font files.

“TrueType font parsing is complicated and often maintains nested code. Its handling exercises code paths that expose both user-land and kernel mode vulnerabilities,” said Kurt Baumgartner, principal security researcher at Kaspersky Lab. “On the Windows platform, much of the same code is maintained across versions of the OS. So the same vulnerability can be exploited across every version of the platform, although the exploit may need to be somewhat adapted to each OS version.”

Three July Patch Tuesday bulletins—MS13-052, MS13-053 and MS13-054—illustrate this point. Vulnerabilities in Microsoft Office, Lync, Visual Studio, .NET, Silverlight, and Windows components such as GDI+ were patched in relation to the TrueType flaw.

“TrueType vulnerabilities are difficult to exploit. But once they are, the exploits themselves can be reliable and difficult for antimalware solutions to handle,” Baumgartner said. “Even though the code abused by a TrueType exploit resides in the kernel, this portion of the kernel is different from and much less active than trying to deliver bits to highly active code handling network traffic, for example.”

The fact that Microsoft has been patching kernel bugs with greater frequency could indicate a spike in hacker interest; TrueType- and OpenType-based attacks are particularly attractive because they don’t require user permission to interact with the core of the OS.

“Regarding TrueType Font (TTF) based attacks, it is important to note that not all TTF processing takes place in kernel-space. Depending on what vector is used to provide a crafted TTF, an attacker may get SYSTEM access or may just get access in the context of the affected process,” said Craig Young, security researcher at Tripwire.

An exploit against the GDI+ vulnerability patched this week in MS13-054, Young said, would provide such kernel-space compromise of the system. Others, however, expose only the user-mode font processing and would not lead to complete system compromise.

“TrueType and OpenType font based attacks are definitely part of the mainstream attacker toolkit. These types of font files contain tables of data describing the curves as well as instructions which must be interpreted when rendering text,” Young said. “This complexity makes it possible to have nice looking typesets but it also makes fonts very attractive to attackers due to the large attack surface and kernel involvement.”
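The table-plus-instructions layout Young describes is also the first thing a defender can sanity-check before a font ever reaches a kernel parser. The following Python is an added example, not code from the article, Tripwire or Microsoft: it reads the sfnt table directory shared by TrueType and OpenType files and rejects any file whose table offsets or lengths point outside the file, the kind of malformed directory a mail or web gateway can drop early; the sample fonts are constructed inside the block.

```python
import struct
# sfnt (TrueType/OpenType container) layouts, big-endian
HEADER = struct.Struct(">4sHHHH")  # sfntVersion, numTables, searchRange, entrySelector, rangeShift
RECORD = struct.Struct(">4sIII")   # tag, checkSum, offset, length
SFNT_VERSIONS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}

def parse_table_directory(data):
    """Return {tag: (offset, length)}, or raise ValueError if the directory does not fit the file."""
    if len(data) < HEADER.size:
        raise ValueError("truncated sfnt header")
    version, num_tables, *_ = HEADER.unpack_from(data, 0)
    if version not in SFNT_VERSIONS:
        raise ValueError(f"unknown sfnt version {version!r}")
    dir_end = HEADER.size + num_tables * RECORD.size
    if num_tables == 0 or dir_end > len(data):
        raise ValueError(f"numTables={num_tables} does not fit in {len(data)} bytes")
    tables = {}
    for i in range(num_tables):
        tag, _cksum, offset, length = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        # Python ints do not wrap, so offset + length cannot overflow like a uint32 add would
        if offset < dir_end or offset + length > len(data):
            raise ValueError(f"table {tag!r}: offset={offset} length={length} exceeds file")
        name = tag.decode("latin-1")
        if name in tables:
            raise ValueError(f"duplicate table {name!r}")
        tables[name] = (offset, length)
    return tables

def directory_is_consistent(data):
    """Gateway-style pre-check: accept only fonts whose table directory stays inside the file."""
    try:
        parse_table_directory(data)
        return True
    except ValueError:
        return False

def build_font(records):
    """Assemble a minimal sfnt blob from [(tag, payload)]: constructed test data, not a real font."""
    entries, body, offset = b"", b"", HEADER.size + len(records) * RECORD.size
    for tag, payload in records:
        entries += RECORD.pack(tag, 0, offset, len(payload))  # checksum left 0; parser ignores it
        body += payload
        offset += len(payload)
    return HEADER.pack(b"\x00\x01\x00\x00", len(records), 0, 0, 0) + entries + body

# Constructed samples: a consistent file, then the same bytes with the 'glyf' length patched to
# 0xFFFFFFFF so the table's end lies far outside the file (exactly what a bounds check must catch)
GOOD_FONT = build_font([(b"cmap", b"\x00" * 8), (b"fpgm", b"\xb0\x00"), (b"glyf", b"\x00" * 4)])
BAD_FONT = bytearray(GOOD_FONT)
struct.pack_into(">I", BAD_FONT, HEADER.size + 2 * RECORD.size + 12, 0xFFFFFFFF)
```

Only the directory is validated here; the contents of each table (outlines, hinting bytecode) still need their own parser-level checks.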

“Creating an exploit capable of reliable code execution on a modern operating system is always difficult but researchers and attackers have certainly had great success in doing so with various crafted fonts,” Young added. “Once the crafted font has been developed, it is very easy to compromise victims by getting them to visit a web site or open a document. This technique can be quite effective as fonts are commonly rendered without asking user permission. It is a vector which lends itself very well to the spear-phishing and watering-hole techniques employed by APT as well as organized crime syndicates.”

It’s certainly true for white hats: Rahul Kashyap, chief security architect at virtualization security company Bromium, told Threatpost in March that he and fellow researcher Rafal Wojtczuk followed Duqu’s lead in exploiting TrueType vulnerabilities to access and own the kernel. They demonstrated at Black Hat EU how to pull off a system compromise from inside Sandboxie, a commercial Windows-based sandbox that must interface with the kernel in order for arbitrary code to run properly. With fonts, for example, Kashyap said, a call has to be made from the sandbox to the kernel, and the sandbox has to allow that call to pass in order for the font to render properly.

“Duqu exploited this vulnerability in font parsing to compromise the host. All of these kernel interfaces are bypassable by Duqu,” Kashyap said. “Using several exploits for bugs in the way calls are handled by the kernel, it was easy to get a blue screen.”

The trick lies in the fact that the sandbox doesn’t intercept font parsing calls to the kernel, both for performance reasons and because the fonts would not otherwise be processed properly, he said.

“There is a lot of exposure from the OS kernel that people don’t realize,” he said. “The moment you compromise the kernel, you have the same privileges as the kernel. You can disable the sandbox, access other programs and data and breach everything out there. With most Java exploits, for example, you still have to do privilege escalation. With the kernel, this is the worst-case scenario.”
