Difference between revisions of "T1 Font Integer Overflow"

From The iPhone Wiki
Jump to: navigation, search
(The exploit name is tentative and lame. Feel free to suggest a better name.)
(Description: Conjugate point correctly)
Line 5: Line 5:
   
 
== Description ==
 
== Description ==
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder->stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top -= arg_cnt" will make top points to data outside of decoder->stack. Actually it points to decoder->parse_callback.
+
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder->stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top -= arg_cnt" will make top point to data outside of decoder->stack. Actually it points to decoder->parse_callback.
   
 
This vulnerability was actually addressed by Apple in Mac OS X v10.6.8/Security Update 2011-004, but a fix was never pushed to iOS. Its CVE identifier is '''CVE-2011-0202'''.
 
This vulnerability was actually addressed by Apple in Mac OS X v10.6.8/Security Update 2011-004, but a fix was never pushed to iOS. Its CVE identifier is '''CVE-2011-0202'''.

Revision as of 03:13, 7 July 2011

The T1 Font Integer Overflow is a vulnerability used in Saffron. It is very similar to the Malformed CFF Vulnerability, hence why comex named its exploitation "DejaVu."[1]

Credit for Exploitation

comex

Description

When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder->stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top -= arg_cnt" will make top point to data outside of decoder->stack. Actually it points to decoder->parse_callback.

This vulnerability was actually addressed by Apple in Mac OS X v10.6.8/Security Update 2011-004, but a fix was never pushed to iOS. Its CVE identifier is CVE-2011-0202.

Sources