Difference between revisions of "T1 Font Integer Overflow"

From The iPhone Wiki
Jump to: navigation, search
m (Sources)
m (non-breakable dash and grammar fix)
Line 5: Line 5:
   
 
== Description ==
 
== Description ==
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. decoder->parse_callback address minus default address of that function to get ASLR offset. That's how it bypass ASLR.
+
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. decoder‑>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR.
   
 
This vulnerability was actually addressed by Apple in {{wp|Mac OS X Snow Leopard|Mac OS X v10.6.8}}/[http://support.apple.com/kb/HT4723 Security Update 2011-004], but a fix was never pushed to [[iOS]]. Its CVE identifier is ''CVE-2011-0202''.
 
This vulnerability was actually addressed by Apple in {{wp|Mac OS X Snow Leopard|Mac OS X v10.6.8}}/[http://support.apple.com/kb/HT4723 Security Update 2011-004], but a fix was never pushed to [[iOS]]. Its CVE identifier is ''CVE-2011-0202''.
   
 
==Sources==
 
==Sources==
* Tweets from [https://twitter.com/windknown @windknown]: [https://twitter.com/windknown/status/88170553948651520][https://twitter.com/windknown/status/88171950886760448][https://twitter.com/windknown/status/88172830029651968][https://twitter.com/windknown/status/88173940391940096]
+
* Tweets from [https://twitter.com/windknown @windknown]: [https://twitter.com/windknown/status/88170553948651520][https://twitter.com/windknown/status/88171950886760448][https://twitter.com/windknown/status/88172830029651968]
 
* [http://support.apple.com/kb/HT4723 Apple KB]
 
* [http://support.apple.com/kb/HT4723 Apple KB]
 
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0202
 
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0202

Revision as of 19:00, 12 July 2011

The T1 Font Integer Overflow (A.K.A DejaVu as it is very similar to the Malformed CFF Vulnerability[1]) is a vulnerability used in Saffron.

Credit for Exploitation

Description

When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. decoder‑>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR.

This vulnerability was actually addressed by Apple in Template:Wp/Security Update 2011-004, but a fix was never pushed to iOS. Its CVE identifier is CVE-2011-0202.

Sources