siberas GmbH is a consulting company specialised in security analysis and penetration testing, offering competent, vendor-independent advice in the field of IT security.
Microsoft Embedded OpenType (.eot) Font Parsing Heap Overflow Vulnerability
Reference ID: SSA-1021
Affected versions: please check the Microsoft advisory for affected OS versions
A critical vulnerability exists in the .eot (Embedded OpenType) parsing code within t2embed.dll. When parsing embedded MTX-compressed (MicroType Express) font files, the multiplication of two attacker-controlled values can lead to an integer overflow, which results in a heap overflow later on. This heap overflow can be abused to achieve code execution in the process that performs the .eot parsing (probably IE-only).
The vulnerability specifically exists in the parsing code of the _MTX_TTC_CTF_To_TTF function. In order to reach the vulnerable code, the font file needs an embedded ‘hdmx’ tag. The hdmx header looks as follows:
| Datatype | Name | Description |
|---|---|---|
| USHORT | Version | Table version number |
| USHORT | numRecords | Number of device records |
| LONG | sizeDeviceRecords | Size of a device record |
| DeviceRecord | Records[numRecords] | Array of device records |
The problem is an unchecked multiplication of numRecords * sizeDeviceRecords, which can lead to an int32 overflow. The wrapped product results in the allocation of a small buffer, which is then overflown when the device records are copied into it. The heap overflow can be abused to execute code in the browser context.
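As an added illustration (not code from the siberas advisory or from t2embed.dll), the following C example reads a constructed hdmx header, shows how the 32-bit product numRecords * sizeDeviceRecords wraps to a small value, and shows the bounds check a parser needs before allocating Records[numRecords]. The function names, the header struct and the sample header bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define HDMX_HEADER_LEN 8u   /* USHORT + USHORT + LONG, as in the table above */

/* Assumed struct mirroring the hdmx header fields listed on the page. */
typedef struct {
    uint16_t version;
    uint16_t numRecords;
    int32_t  sizeDeviceRecords;
} hdmx_header;

/* OpenType tables are big-endian on disk. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Reads the 8-byte header; fails if the table is too short to contain it. */
static int hdmx_read_header(const uint8_t *buf, size_t len, hdmx_header *h) {
    if (len < HDMX_HEADER_LEN) return 0;
    h->version = rd16(buf);
    h->numRecords = rd16(buf + 2);
    h->sizeDeviceRecords = (int32_t)rd32(buf + 4);
    return 1;
}

/* Unchecked 32-bit product as described in the advisory: wraps modulo 2^32,
   so a huge sizeDeviceRecords can yield a tiny allocation size. */
static int32_t hdmx_records_size_unchecked(uint16_t numRecords, int32_t sizeDeviceRecords) {
    return (int32_t)((uint32_t)numRecords * (uint32_t)sizeDeviceRecords);
}

/* Hardened: compute in 64 bits, reject non-positive sizes, and require the
   product to fit both in 32 bits and in the bytes the table actually carries. */
static int hdmx_records_size_checked(const hdmx_header *h, size_t tableLen, uint32_t *out) {
    if (h->sizeDeviceRecords <= 0 || tableLen < HDMX_HEADER_LEN) return 0;
    uint64_t total = (uint64_t)h->numRecords * (uint64_t)h->sizeDeviceRecords;
    if (total > UINT32_MAX || total > tableLen - HDMX_HEADER_LEN) return 0;
    *out = (uint32_t)total;
    return 1;
}

int main(void) {
    /* Constructed header: version 0, numRecords 0x0010, sizeDeviceRecords 0x10000001. */
    static const uint8_t sample[] = {0x00, 0x00, 0x00, 0x10, 0x10, 0x00, 0x00, 0x01};
    hdmx_header h; uint32_t n = 0;
    if (!hdmx_read_header(sample, sizeof sample, &h)) return 1;
    printf("unchecked product: %d bytes\n", hdmx_records_size_unchecked(h.numRecords, h.sizeDeviceRecords));
    printf("checked: %s\n", hdmx_records_size_checked(&h, sizeof sample, &n) ? "accepted" : "rejected");
    return 0;
}
```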
References:
Microsoft Security Advisory MS10-076
ZDI-10-198
CVE-2010-1883