Deadly Windows, Reader font bugs can lead to full system compromise

“Even in 2015 – the era of high-quality mitigations and security mechanisms – one good bug still suffices for a complete system compromise,” Mateusz Jurczyk, an infosec engineer with Google Project Zero, noted in a recent talk at the REcon security conference in Montreal.

In this talk, he shared his discovery of not one but fifteen flaws of varying severity in a number of font engines used by Microsoft’s Windows, Adobe’s Reader software, popular modern browsers, and so on.

“Some months ago, I started reverse engineering and investigating the security posture of the Adobe Type Manager Font Driver (ATMFD.DLL) module, which provides support for Type 1 and OpenType fonts in the Windows kernel since Windows NT 4.0, and remains there up to this day in Windows 8.1,” he explained in a blog post published on Wednesday.

“Specifically, I focused on the handling of so-called ‘CharStrings’, which are essentially binary encoded PostScript programs with a dedicated set of instructions and a specific execution environment, responsible for drawing the shape of each glyph at a particular point size.”

He discovered a bloated function, low quality code, and the fact that various modern font engines have a common ancestor in Adobe’s implementation of Type 1 / OpenType fonts, meaning that a vulnerability in the latter is very likely to exist in and affect the former.

Among the vulnerabilities he unearthed is a particularly severe one that affects both Microsoft Windows and Adobe Reader (CVE-2015-0093 and CVE-2015-3052, respectively).

This particular vulnerability stood out from the others, as it “could reliably generate a full ROP chain on the stack within the PostScript program, with no external interaction other than loading the font in the first place.”

“The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far,” he noted.

While the vulnerability does not affect 64-bit builds of Windows, Jurczyk exploited another CharString vulnerability (CVE-2015-0090) he found to achieve the same goal by bypassing all mitigations offered by the OS.

He noted that font vulnerabilities are far from extinct, and that until font processing is removed from all privileged security contexts, there will always be some. According to him Microsoft is moving in the right direction with Windows 10, in which they introduced a separated user-land font driver.

His research also pointed out the problem of shared (bad quality) native codebases.

All the vulnerabilities he discovered have already been patched in the last few months, and users who regularly update their Windows and Adobe Reader are safe from exploitation.

For those interested in the technical details, Jurczyk has provided a ton of material – including PoC code and exploit demos – in his blog post and the slides from the talk.