CVE-2015-6103
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted embedded font, aka "Windows Graphics Memory Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-6104.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Input Validation The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 38714
Publication date : 2015-11-15 23h00 +00:00
Author : Google Security Research
EDB Verified : Yes
Source: https://code.google.com/p/google-security-research/issues/detail?id=506
We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing a specific corrupted TTF font file. The cleanest stack trace we have acquired, which might also indicate where the pool corruption takes place and/or the root cause of the vulnerability, is shown below:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff900c4c31000, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff96000156a34, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
[...]
FAULTING_IP:
win32k!memmove+64
fffff960`00156a34 488901 mov qword ptr [rcx],rax
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
CURRENT_IRQL: 0
TRAP_FRAME: fffff880074a0210 -- (.trap 0xfffff880074a0210)
.trap 0xfffff880074a0210
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff47cffffe440 rbx=0000000000000000 rcx=fffff900c4c31000
rdx=000000000141f518 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000156a34 rsp=fffff880074a03a8 rbp=0000000000000010
r8=0000000000000018 r9=0000000000000001 r10=fffff900c4c211a8
r11=fffff900c4c30ff0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
win32k!memmove+0x64:
fffff960`00156a34 488901 mov qword ptr [rcx],rax ds:a020:fffff900`c4c31000=????????????????
.trap
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800028fa017 to fffff8000287d5c0
STACK_TEXT:
fffff880`074a00a8 fffff800`028fa017 : 00000000`00000050 fffff900`c4c31000 00000000`00000001 fffff880`074a0210 : nt!KeBugCheckEx
fffff880`074a00b0 fffff800`0287b6ee : 00000000`00000001 fffff900`c4c31000 fffff880`074a0400 fffff900`c4c30fd8 : nt! ?? ::FNODOBFM::`string'+0x4174f
fffff880`074a0210 fffff960`00156a34 : fffff960`00252e40 fffff900`c4c30f98 00000000`00000003 fffff900`c48f2eb0 : nt!KiPageFault+0x16e
fffff880`074a03a8 fffff960`00252e40 : fffff900`c4c30f98 00000000`00000003 fffff900`c48f2eb0 fffff960`002525dc : win32k!memmove+0x64
fffff880`074a03b0 fffff960`0031d38e : 00000000`000028a6 fffff900`c4c30fd8 00000000`00000000 fffff900`c4c21008 : win32k!EPATHOBJ::bClone+0x138
fffff880`074a0400 fffff960`000f07bb : fffff880`00002640 fffff900`c576aca0 00000000`00002640 fffff880`00000641 : win32k!RFONTOBJ::bInsertMetricsPlusPath+0x17e
fffff880`074a0540 fffff960`000eccf7 : fffff880`074a2640 fffff880`074a0a68 fffff880`074a0b40 fffff800`00000641 : win32k!xInsertMetricsPlusRFONTOBJ+0xe3
fffff880`074a0610 fffff960`000ec998 : fffff880`074a0b40 fffff880`074a0a68 fffff900`c0480014 00000000`00000179 : win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x1f7
fffff880`074a0690 fffff960`000ec390 : fffff980`00000000 fffff880`074a0830 fffff900`c04a8000 fffff800`00000008 : win32k!ESTROBJ::vCharPos_H3+0x168
fffff880`074a0710 fffff960`000ed841 : 00000000`41800000 00000000`00000000 00000000`0000000a fffff880`074a0830 : win32k!ESTROBJ::vInit+0x350
fffff880`074a07a0 fffff960`000ed4ef : fffff880`074a0ca0 fffff900`c576aca0 ffffd08c`00000020 ffffffff`ffffffff : win32k!GreGetTextExtentExW+0x275
fffff880`074a0a60 fffff800`0287c853 : 00000000`00000000 fffff880`074a0ca0 00000000`00000001 fffff880`00000000 : win32k!NtGdiGetTextExtentExW+0x237
fffff880`074a0bb0 00000000`750a213a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0025e1c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x750a213a
---
We have also observed a number of other system bugchecks caused by the particular TTF file with various stack traces indicating a pool corruption condition. For example, on Windows 7 32-bit a crash occurs only while deleting the font, under the following call stack:
---
9823bc7c 90d8dec1 fb634cf0 fb60ecf0 00000001 win32k!RFONTOBJ::vDeleteCache+0x56
9823bca8 90d14209 00000000 00000000 00000001 win32k!RFONTOBJ::vDeleteRFONT+0x190
9823bcd0 90d15e00 9823bcf4 fb62ccf0 00000000 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x6fb
9823bd00 90ddf48e 00000008 fbc16ff8 912f8fc8 win32k!PFTOBJ::bUnloadWorkhorse+0x114
9823bd28 8267ea06 13000117 0040fa24 775e71b4 win32k!GreRemoveFontMemResourceEx+0x60
9823bd28 775e71b4 13000117 0040fa24 775e71b4 nt!KiSystemServicePostCall
---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "OS/2" table.
The issue reproduces on Windows 7 (32 and 64-bit). It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it it also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided sample, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with the proof-of-concept mutated TTF file, together with the original font used to generate it and a corresponding kernel crash log from Windows 7 64-bit.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38714.zip
Products Mentioned
Configuraton 0
Microsoft>>Windows_10 >> Version -
- Microsoft>>Windows_10 >> Version - (Open CPE detail)
- Microsoft>>Windows_10 >> Version - (Open CPE detail)
- Microsoft>>Windows_10 >> Version - (Open CPE detail)
- Microsoft>>Windows_10 >> Version - (Open CPE detail)
- Microsoft>>Windows_10 >> Version - (Open CPE detail)
Microsoft>>Windows_10 >> Version 1511
- Microsoft>>Windows_10 >> Version 1511 (Open CPE detail)
- Microsoft>>Windows_10 >> Version 1511 (Open CPE detail)
- Microsoft>>Windows_10 >> Version 1511 (Open CPE detail)
Microsoft>>Windows_7 >> Version -
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
- Microsoft>>Windows_7 >> Version - (Open CPE detail)
Microsoft>>Windows_8 >> Version -
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
- Microsoft>>Windows_8 >> Version - (Open CPE detail)
Microsoft>>Windows_8.1 >> Version -
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_8.1 >> Version - (Open CPE detail)
Microsoft>>Windows_rt >> Version -
- Microsoft>>Windows_rt >> Version - (Open CPE detail)
- Microsoft>>Windows_rt >> Version - (Open CPE detail)
Microsoft>>Windows_rt_8.1 >> Version -
- Microsoft>>Windows_rt_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_rt_8.1 >> Version - (Open CPE detail)
- Microsoft>>Windows_rt_8.1 >> Version - (Open CPE detail)
Microsoft>>Windows_server_2008 >> Version -
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version - (Open CPE detail)
Microsoft>>Windows_server_2008 >> Version r2
- Microsoft>>Windows_server_2008 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version r2 (Open CPE detail)
Microsoft>>Windows_server_2008 >> Version r2
- Microsoft>>Windows_server_2008 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2008 >> Version r2 (Open CPE detail)
Microsoft>>Windows_server_2012 >> Version -
- Microsoft>>Windows_server_2012 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version - (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version - (Open CPE detail)
Microsoft>>Windows_server_2012 >> Version r2
- Microsoft>>Windows_server_2012 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version r2 (Open CPE detail)
- Microsoft>>Windows_server_2012 >> Version r2 (Open CPE detail)
Microsoft>>Windows_vista >> Version -
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
References
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-115
Tags : vendor-advisory, x_refsource_MS
Tags : vendor-advisory, x_refsource_MS
2025©
tesweb SA
