Difference between revisions of "Malformed CFF Vulnerability"

From The iPhone Wiki
Latest revision as of 20:17, 9 July 2011

The Malformed CFF Vulnerability, along with the IOSurface Kernel Exploit, was used in Star/JailbreakMe 2.0. It is a stack overflow in the handling of CFF opcodes. Contrary to popular belief, it is not a vulnerability within the PDF parser, although the malformed font was placed in a PDF for exploitation.
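As an added example (not code from the wiki or from FreeType), the toy Type 2 charstring interpreter below models the fixed-size operand stack of cffgload.c and carries the two bounds checks from the patch in the Exploit section; the constant pushed by `random`, the size of 48 for `CFF_MAX_OPERANDS` and the constructed input built by `demo_dup_flood` are assumptions.

```c
/* Added example (not FreeType's code nor the wiki's): a toy Type 2 charstring
 * interpreter with a fixed operand stack modelled on cffgload.c, carrying the
 * bounds checks the patch adds for `random` and `dup`. `random` pushes a
 * constant stand-in for FreeType's generated value (an assumption). */
#include <stddef.h>
#define CFF_MAX_OPERANDS 48   /* assumed: FreeType's operand stack size */
enum { CS_STACK_OVERFLOW = -1, CS_STACK_UNDERFLOW = -2, CS_BAD_CHARSTRING = -3 };

/* Returns the operand-stack depth at endchar, or a negative error code. */
int run_charstring(const unsigned char *cs, size_t len)
{
    long stack[CFF_MAX_OPERANDS], *args = stack;   /* args = next free slot */
    for (size_t i = 0; i < len; ) {
        unsigned char b = cs[i++];
        if (b >= 32 && b <= 246) {                 /* one-byte integer operand */
            if (args - stack >= CFF_MAX_OPERANDS) return CS_STACK_OVERFLOW;
            *args++ = (long)b - 139;
        } else if (b == 14) {                      /* endchar */
            return (int)(args - stack);
        } else if (b == 12 && i < len && cs[i] == 23) {  /* random: pushes 1 */
            i++;
            if (args - stack >= CFF_MAX_OPERANDS) return CS_STACK_OVERFLOW;
            args[0] = 1;                           /* stand-in random value */
            args += 1;
        } else if (b == 12 && i < len && cs[i] == 27) {  /* dup: pops 1, pushes 2 */
            i++;
            if (args == stack) return CS_STACK_UNDERFLOW;
            args -= 1;                             /* args -> the operand */
            if (args + 1 - stack >= CFF_MAX_OPERANDS) return CS_STACK_OVERFLOW;
            args[1] = args[0];
            args += 2;
        } else {
            return CS_BAD_CHARSTRING;              /* not modelled by this toy */
        }
    }
    return CS_BAD_CHARSTRING;                      /* ran out without endchar */
}

/* Constructed input: one operand, `ndups` dup escapes, then endchar. */
int demo_dup_flood(int ndups)
{
    unsigned char cs[402];
    size_t n = 0;
    if (ndups < 0 || ndups > 200) return CS_BAD_CHARSTRING;
    cs[n++] = 139;                                 /* integer 0 */
    for (int k = 0; k < ndups; k++) { cs[n++] = 12; cs[n++] = 27; }
    cs[n++] = 14;                                  /* endchar */
    return run_charstring(cs, n);
}
```

With the checks in place, `demo_dup_flood(47)` fills the stack exactly and `demo_dup_flood(48)` is rejected instead of writing past `stack[CFF_MAX_OPERANDS - 1]`.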

Credit

* comex

Exploit

diff -u -r freetype-2.4.1/src/cff/cffgload.c freetype-2.4.1_patched/src/cff/cffgload.c
--- freetype-2.4.1/src/cff/cffgload.c	2010-07-15 09:26:45.000000000 -0700
@@ -204,7 +204,7 @@
    2, /* hsbw */
    0,
    0,
-    0,
+    1,
    5, /* seac */
    4, /* sbw */
    2  /* setcurrentpoint */
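Review bot: the changed table entry (`-    0,` / `+    1,`, the fourth slot after `hsbw`) carries no operator name, unlike `hsbw`, `seac`, `sbw` and `setcurrentpoint`, so a reader cannot tell from the hunk which operator now requires one operand; add the name as a trailing comment on the `1,` line and explain in the commit message why the old count was wrong, since the neighbouring entries show this table is what the interpreter uses to decide how many operands an operator takes off the stack.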
@@ -2041,6 +2041,9 @@
            if ( Rand >= 0x8000L )
              Rand++;

+            if ( args - stack >= CFF_MAX_OPERANDS )
+                goto Stack_Overflow;
+			  
            args[0] = Rand;
            seed    = FT_MulFix( seed, 0x10000L - seed );
            if ( seed == 0 )
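Review bot: the guard `if ( args - stack >= CFF_MAX_OPERANDS )` sits directly before the write it protects (`args[0] = Rand;`), which is the right place, since `random` produces a value without first consuming an operand and a full stack is only caught by this explicit test; the third added line, however, is whitespace only (tabs and spaces after `+`), so drop it or make it an empty `+` line to avoid introducing trailing whitespace.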
@@ -2166,6 +2169,9 @@
        case cff_op_dup:
          FT_TRACE4(( " dup\n" ));

+          if ( args + 1 - stack >= CFF_MAX_OPERANDS )
+            goto Stack_Overflow;
+                
          args[1] = args[0];
          args += 2;
          break;
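Review bot: `args + 1 - stack >= CFF_MAX_OPERANDS` is the correct bound for `dup`, because `args[1]` is the only new slot written before `args += 2`; a short comment stating that `dup` consumes one operand and pushes two would keep the `+ 1` from being read as an off-by-one later. As in the previous hunk, the line added after `goto Stack_Overflow;` is trailing whitespace only and should be dropped.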

Sources

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797