
View Full Version : Fw: Opentype font file causes Windows to restart.



Leonardo Rodrigues
07/01/03, 04:04
I've confirmed it here. I'm running Windows XP Corporate Edition
(English) with SP1 applied and all other fixes available on
windowsupdate.microsoft.com. Opening the file you sent causes an
immediate reboot of the machine. That's very strange, for sure :)

Sincerely,
Leonardo Rodrigues

----- Original Message -----
From: "Andrew" <aconnell@xtra.co.nz>
To: <bugtraq@securityfocus.com>; <vulnwatch@vulnwatch.org>
Sent: Monday, January 06, 2003 12:36 PM
Subject: Opentype font file causes Windows to restart.


> Problem
> -------
>
> The attached OpenType font file will cause Windows to restart
> immediately when the file is opened by the default viewer (fontview).
> I doubt anyone would suspect a "harmless" little font file of being
> able to cause such a thing to happen!
>
> Software affected
> -----------------
> It has been tested on both Windows 2000 and Windows XP with exactly
> the same result -- an immediate restart. Other versions of Windows
> are untested.
>
> Fix
> ---
> No fix known.
>

Mark Litchfield
07/01/03, 04:45
Tested on .NET Enterprise server - no restart.

Regards

Mark

Berend-Jan Wever
08/01/03, 02:33
Nope, I tried this: read
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/properties/fontface.asp

Embedded fonts are of a different filetype (eot or ote).
Maybe the same bug can be embedded in this filetype, but you'd first have to
figure out what's triggering this and reproduce it in an eot or ote file.

Berend-Jan Wever

----- Original Message -----
From: "dildog" <dildog@atstake.com>
To: <bugtraq@securityfocus.com>
Sent: Tuesday, January 07, 2003 5:37
Subject: Re: Opentype font file causes Windows to restart.


>
> I suppose that IE's 'automatic font download' support (which is on by
> default) would exacerbate this problem, correct?
>
> --dil
>
>

Vess Nedevski
08/01/03, 03:45
The problem seems to be only with W2000 and WXP. W2000 with SP3 bluescreened with STOP 0x00000050, where WXP with SP1 just rebooted without even a bluescreen. W98 or WNT don't seem to be affected.


Kim Scarborough
08/01/03, 04:57
dildog wrote:
> I suppose that IE's 'automatic font download' support (which is on by
> default) would exacerbate this problem, correct?

If you mean IE's font embedding support, it's unclear. Embedded font files are
a different format than standard font files (to prevent piracy). They are not
viewable in Font Viewer, so I doubt this same sort of attack could be done
that way. If the folks who gave us this OTF want to try it on an EOT file (MS's
embedding format) and see if they can crash IE (or get it to execute code),
that'd be interesting.

If you mean IE's international support, which will download fonts when
necessary, then yes, it would be vulnerable to this attack, but since it only
downloads those files directly from Microsoft, it's no more of a danger than a
Service Pack or anything else you get from them. If MS's download area is
compromised, people have a lot more to fear than trojaned font files.

--
----------------------------------------------------------------------------
Kim Scarborough Web Systems Administrator
University of Chicago/NSIT (773) 834-7740
----------------------------------------------------------------------------

dildog
15/01/03, 21:38
I suppose that IE's 'automatic font download' support (which is on by
default) would exacerbate this problem, correct?

--dil

Ben Naylor
15/01/03, 22:40
Tested on Windows NT4 SP6a.
Had to force opening with fontview as it was not associated by default.
No restart, just message "Not a valid font file".




Discini, Sonny
15/01/03, 23:20
Windows98 - No reboot.


Kaspar Brand
16/01/03, 00:29
[Since my first attempt yesterday was not approved by the BugTraq
moderator, I'm trying it again, this time in a slightly different format
and CC'ing vulnwatch, too.]

The problem is due to "incorrect" data in the "CFF" table of this font -
for details, please see the attached message I sent to the OpenType
mailing list (http://www.topica.com/lists/opentype - note that I have
omitted the attachment to this message, which was Andrew's original
BugTraq posting).

This specific flavor of an OpenType font (CFF outlines, i.e.
"PostScript" data) is only supported natively by Windows 2000 and later.
For previous Windows versions, you need ATM (Adobe Type Manager) to
display such a font. Please note that the crash only occurs when trying
to render the "o" character (that's what fontview.exe tries to do, of
course).

As far as the creation of an embedded font for IE (.eot, embedded
OpenType) is concerned, I'm not sure if it's possible to trigger the bug
this way. When installing the "restarter" font and listing the fonts
available for embedding in WEFT, Microsoft's Web Embedding Fonts Tool
(the only publicly available tool I know of to create such fonts),
OpenType fonts with CFF outline data do not appear in the list of
available fonts. I suppose WEFT is currently limited to embed OpenType
fonts with TrueType outlines ("glyf" table) or plain PostScript Type 1
fonts (.pfb file suffix). The .eot format is not documented, as far as I
know, so creating such a font manually would probably require quite some
experimenting, and even then the question remains if IE would actually
be able to deal with this font format and display the characters.

Kaspar





Message-ID: <3E1D2B97.6030001@velox.ch>
Date: Wed, 08 Jan 2003 10:33:06 +0100
From: Kaspar Brand <ot@velox.ch>
To: opentype@topica.com
Subject: [Fwd: Opentype font file causes Windows to restart.]

This was recently posted to BugTraq (a mailing list about computer
security vulnerabilities, for those who don't know).

Further inspection of the font file shows that the problem is in the CFF
table - or more exactly, within the "o" character. Disassembling the
font with Just's excellent TTX (http://fonttools.sourceforge.net)
produces the following result for the "o" character:


<CharString name="o">
10 290 rmoveto
6 -1 7 1 2 -1 -1 -1 -1 -4 1 -4 1 -3 1 -5 1 -3 1 -5 1 -3 1 -4
1 -1 1 1 1 4 1 2 1 5 1 2 1 4 1 5 -1 5 -1 2 -1 2 -1 1 14 -1 -1 -7 1 -5 1
-4 1 -5 1 -3 1 -4 1 -4 2 2 1 4 1 4 1 3 1 5 1 4 1 4 1 6 -1 1 10 -1 -1 -2
-1 -1 -1 -5 -1 -2 -1 -4 -1 -3 -1 -4 -1 -3 -1 -3 -1 -4 -1 -3 -1 -4 -1 -3
-1 -3 -1 -1 -8 2 -1 3 -1 5 -1 3 -1 4 -1 3 -1 4 -2 -2 -1 -4 -1 -3 -1 -4
-1 -3 -1 -4 -1 -3 -1 -1 -8 1 -1 4 -1 3 -1 4 -1 3 -1 4 -1 3 -1 3 -1 4 -1
3 -1 4 -1 3 -1 4 -1 2 -1 1 -1 1 hlineto
69 hmoveto
8 -1 28 -9 -1 2 -1 1 -3 1 -17 -1 -1 -13 14 2 1 1 1 -12 -2 2
-1 1 -13 -16 20 1 1 1 1 1 1 2 1 2 1 -8 -1 -4 -37 1 1 1 1 43 -2 2 hlineto
223 hmoveto
16 -1 4 -1 2 -10 1 -3 -2 3 -1 1 -1 1 -1 1 -1 1 -2 1 -2 1 -11
-1 -2 -1 -2 -1 -1 -1 -1 -1 -1 -1 -1 -2 -1 -2 -1 -7 -1 -2 1 -6 1 -3 1 -1
1 -2 1 -1 1 -1 1 -1 1 -1 2 -1 3 -1 4 1 3 1 1 1 1 1 1 3 1 6 -1 2 -2 1 -2
1 7 -1 1 1 2 -1 1 1 6 -1 -1 -1 -1 -2 -1 -17 -4 2 -1 2 -2 -1 -1 -1 -1 -1
-2 -1 -2 -1 -4 -1 -7 1 -4 1 -3 1 -2 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 2
-1 2 -1 3 -1 14 1 3 1 2 1 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 1 2 1 2 1 3 1
hlineto

[... some more hmoveto/hlineto stuff deleted ...]

endchar
</CharString>


Some simple experiments modifying this Charstring and reassembling the
font with TTX showed that the crash is caused by the arguments to the
hlineto operator. The Type 2 charstring specification
(http://partners.adobe.com/asn/developer/pdfs/tn/5177.Type2.pdf) defines
an implementation limit of 48 for the argument stack (Appendix B, p.33)
- but in some cases, the number of arguments to the hlineto operator in
this particular Charstring clearly exceeds this limit.

In the end, this apparently leads to a page fault (i.e. a "blue screen")
in ATMFD.DLL (the Type1/CFF font driver) - which shouldn't happen in any
case, of course. I guess the folks at Adobe need to fix this.

BTW, checking the font with CFFChecker from the OpenType FDK gives a
"Type 2 stack overflow" for this character (which is not really
surprising, is it?).

Kaspar

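The argument-stack check Kaspar describes, written out as an added example (this is not code from the thread, from TTX, or from the OpenType FDK's CFFChecker): it walks a TTX-style charstring dump, tracks how many operands are on the stack when each operator runs, and flags any operator that finds more than the 48-entry Type 2 limit. The sample input is constructed for the example: one small well-formed glyph, plus the first hlineto run of the "o" charstring quoted above (the later runs of that glyph are omitted). The handling of the bit pattern TTX prints after hintmask/cntrmask is an assumption about the dump format, not something the thread states.

```python
import re
from dataclasses import dataclass, field

# Implementation limit of the Type 2 charstring argument stack
# (Adobe Technical Note #5177, Appendix B).
TYPE2_ARG_STACK_LIMIT = 48

NUM_RE = re.compile(r"-?\d+(?:\.\d+)?")      # an operand token in a TTX dump
MASK_RE = re.compile(r"(?:[01]{8})+")         # bit pattern TTX prints after hintmask/cntrmask (assumed)
CHARSTRING_RE = re.compile(r'<CharString name="([^"]+)">(.*?)</CharString>', re.S)


@dataclass
class CharStringReport:
    name: str
    max_depth: int = 0                              # deepest operand stack seen before an operator
    violations: list = field(default_factory=list)  # (operator, depth) pairs over the limit

    @property
    def ok(self) -> bool:
        return not self.violations


def check_charstring(name, text, limit=TYPE2_ARG_STACK_LIMIT):
    """Simulate the operand stack of one charstring given as TTX-style text.

    Numeric tokens are operands and are pushed; any other token is an operator,
    which consumes the whole stack. An operator that finds more than `limit`
    operands is recorded as a violation (the condition CFFChecker reports as a
    "Type 2 stack overflow"). The mask after hintmask/cntrmask is not an operand.
    """
    report = CharStringReport(name)
    tokens = text.split()
    depth = 0
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if NUM_RE.fullmatch(tok):
            depth += 1
            continue
        # operator: note how many operands it would pop, then clear the stack
        report.max_depth = max(report.max_depth, depth)
        if depth > limit:
            report.violations.append((tok, depth))
        depth = 0
        if tok in ("hintmask", "cntrmask") and i < len(tokens) and MASK_RE.fullmatch(tokens[i]):
            i += 1  # skip the mask bytes that follow the operator in the dump
    return report


def check_ttx(ttx_text, limit=TYPE2_ARG_STACK_LIMIT):
    """Check every <CharString> element found in a TTX dump of a CFF table."""
    return [check_charstring(name, body, limit) for name, body in CHARSTRING_RE.findall(ttx_text)]


# Constructed sample: a well-formed glyph, plus the first hlineto run of the "o"
# charstring quoted in the thread (the remaining runs of that glyph are omitted).
SAMPLE_TTX = """
<CharString name="period">
50 0 rmoveto
100 hlineto
100 vlineto
-100 hlineto
endchar
</CharString>
<CharString name="o">
10 290 rmoveto
6 -1 7 1 2 -1 -1 -1 -1 -4 1 -4 1 -3 1 -5 1 -3 1 -5 1 -3 1 -4
1 -1 1 1 1 4 1 2 1 5 1 2 1 4 1 5 -1 5 -1 2 -1 2 -1 1 14 -1 -1 -7 1 -5 1
-4 1 -5 1 -3 1 -4 1 -4 2 2 1 4 1 4 1 3 1 5 1 4 1 4 1 6 -1 1 10 -1 -1 -2
-1 -1 -1 -5 -1 -2 -1 -4 -1 -3 -1 -4 -1 -3 -1 -3 -1 -4 -1 -3 -1 -4 -1 -3
-1 -3 -1 -1 -8 2 -1 3 -1 5 -1 3 -1 4 -1 3 -1 4 -2 -2 -1 -4 -1 -3 -1 -4
-1 -3 -1 -4 -1 -3 -1 -1 -8 1 -1 4 -1 3 -1 4 -1 3 -1 4 -1 3 -1 3 -1 4 -1
3 -1 4 -1 3 -1 4 -1 2 -1 1 -1 1 hlineto
endchar
</CharString>
"""

if __name__ == "__main__":
    for r in check_ttx(SAMPLE_TTX):
        status = "ok" if r.ok else "STACK OVERFLOW"
        print(f"{r.name}: max operand depth {r.max_depth} -> {status}")
        for op, depth in r.violations:
            print(f"  {op} received {depth} operands (limit {TYPE2_ARG_STACK_LIMIT})")
```

Run it against the output of `ttx -t CFF` for a font you want to vet before installing it; any glyph listed with a violation is one a rasterizer with a fixed 48-entry stack may mishandle. Counting operands at operator time rather than at push time keeps the report per operator, which is the granularity at which the charstring interpreter actually pops the stack.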

Armstrong, Richard
17/01/03, 22:35
Once you have the font installed on the target machine (I have
demonstrated this on WinXP SP1 with Outlook 2002), you simply have to send an
email with some text formatted with the restarter.otf font, and the
machine will reboot once you scroll down to that part of the message,
either through opening it or via the preview pane of Outlook.

Rich
