|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "T1 Font Integer Overflow"
(apple patched this) |
|||
| Line 7: | Line 7: | ||
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. decoder‑>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR. |
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. decoder‑>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR. |
||
| − | This vulnerability was actually addressed by Apple in {{wp|Mac OS X Snow Leopard|Mac OS X v10.6.8}}/[http://support.apple.com/kb/HT4723 Security Update 2011-004] (Its CVE identifier is ''CVE-2011-0202''.) |
+ | This vulnerability was actually addressed by Apple in {{wp|Mac OS X Snow Leopard|Mac OS X v10.6.8}}/[http://support.apple.com/kb/HT4723 Security Update 2011-004], but a fix was never pushed to [[iOS]]. (Its CVE identifier is ''CVE-2011-0202''.) |
When Apple released iOS 4.2.9/4.3.4 to patch this vulnerability, it received a different CVE identifier (CVE-2011-0226). |
When Apple released iOS 4.2.9/4.3.4 to patch this vulnerability, it received a different CVE identifier (CVE-2011-0226). |
||
Revision as of 03:01, 23 July 2011
The T1 Font Integer Overflow (A.K.A DejaVu as it is very similar to the Malformed CFF Vulnerability[1]) is a vulnerability used in Saffron.
Credit for Exploitation
Description
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. decoder‑>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR.
This vulnerability was actually addressed by Apple in Template:Wp/Security Update 2011-004, but a fix was never pushed to iOS. (Its CVE identifier is CVE-2011-0202.)
When Apple released iOS 4.2.9/4.3.4 to patch this vulnerability, it received a different CVE identifier (CVE-2011-0226).
Sources
- Tweets from @windknown: [2][3][4][5]
- Apple KB
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0202
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226
- http://intrepidusgroup.com/insight/2011/07/reversing-jailbreakme-com-4/
- http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit
