CVE-2015-2461 : Detail

CVE-2015-2461

A03-Injection
11.1%V3
Network
2015-08-14
22h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability," a different vulnerability than CVE-2015-2458 and CVE-2015-2459.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 37917

Publication date : 2015-08-20 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=386&can=1 We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as: --- DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5) Memory was referenced after it was freed. This cannot be protected by try-except. When possible, the guilty driver's name (Unicode string) is printed on the bugcheck screen and saved in KiBugCheckDriver. Arguments: Arg1: fc937cdf, memory referenced Arg2: 00000000, value 0 = read operation, 1 = write operation Arg3: 91d75195, if non-zero, the address which referenced memory. Arg4: 00000000, (reserved) Debugging Details: ------------------ Could not read faulting driver name READ_ADDRESS: GetPointerFromAddress: unable to read from 827a784c Unable to read MiSystemVaType memory at 82786f00 fc937cdf FAULTING_IP: ATMFD+35195 91d75195 803802 cmp byte ptr [eax],2 MM_INTERNAL_CODE: 0 DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT BUGCHECK_STR: 0xD5 PROCESS_NAME: csrss.exe CURRENT_IRQL: 0 LAST_CONTROL_TRANSFER: from 91d7598d to 91d75195 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 8ba91638 91d7598d 8ba91890 00af0000 8ba91890 ATMFD+0x35195 8ba91730 91d74ee4 8ba91890 00af0000 8ba9174c ATMFD+0x3598d 8ba91834 91d75044 8ba91890 00af0000 8ba91968 ATMFD+0x34ee4 8ba91868 91d4512a 00000000 8ba91890 00af0000 ATMFD+0x35044 8ba91908 91d4718f 00000004 00000001 00000002 ATMFD+0x512a 8ba91988 91d43c8e 00000000 00000000 98435600 ATMFD+0x718f 8ba91a6c 91a67a9a 00000004 fc97efc0 fc95eff8 ATMFD+0x3c8e 8ba91ab4 91a679ec 00000001 fc97efc0 fc95eff8 win32k!PDEVOBJ::LoadFontFile+0x3c 8ba91af4 91a6742d ffa66130 00000019 fc97efc0 win32k!vLoadFontFileView+0x291 8ba91b80 91a5641f 8ba91c58 00000019 00000001 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x209 8ba91bcc 91a57403 8ba91c58 00000019 00000001 win32k!GreAddFontResourceWInternal+0xfb 8ba91d14 8267a896 000d3e78 00000019 00000001 win32k!NtGdiAddFontResourceW+0x142 8ba91d14 779c70f4 000d3e78 00000019 00000001 nt!KiSystemServicePostCall 002efa84 00000000 00000000 00000000 00000000 0x779c70f4 --- The bugcheck is caused by an attempt to read memory from an unmapped address. The specific expression being dereferenced by ATMFD.DLL is "base address of the Name INDEX data + NAME.offset[x] - 1", however no bounds checking is performed over the value of NAME.offset[x] before using it for pointer arithmetic. To our current knowledge, this condition can only lead to an out-of-bounds read, thus limiting the impact of the bug to remote denial of service, or potentially local kernel memory disclosure. However, we have not fully confirmed that the severity of the bug is not in fact more significant due to some further ATMFD logic we are not aware of. The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it should also be possible to observe a crash on a default Windows installation in ATMFD.DLL. Attached is an archive with three proof of concept font files together with corresponding kernel crash logs. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37917.zip
Exploit Database EDB-ID : 42243

Publication date : 2017-06-22 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1213 We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file, see below: --- DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6) N bytes of memory was allocated and more than N bytes are being referenced. This cannot be protected by try-except. When possible, the guilty driver's name (Unicode string) is printed on the bugcheck screen and saved in KiBugCheckDriver. Arguments: Arg1: fb69b01e, memory referenced Arg2: 00000000, value 0 = read operation, 1 = write operation Arg3: 8f635862, if non-zero, the address which referenced memory. Arg4: 00000000, (reserved) Debugging Details: ------------------ [...] FAULTING_IP: ATMFD+35862 8f635862 803802 cmp byte ptr [eax],2 MM_INTERNAL_CODE: 0 CPU_COUNT: 4 CPU_MHZ: da3 CPU_VENDOR: GenuineIntel CPU_FAMILY: 6 CPU_MODEL: 3e CPU_STEPPING: 4 CPU_MICROCODE: 6,3e,4,0 (F,M,S,R) SIG: 19'00000000 (cache) 19'00000000 (init) DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT BUGCHECK_STR: 0xD6 PROCESS_NAME: csrss.exe CURRENT_IRQL: 2 ANALYSIS_SESSION_HOST: WIN7-32-VM ANALYSIS_SESSION_TIME: 03-21-2017 10:49:20.0375 ANALYSIS_VERSION: 10.0.10586.567 x86fre LAST_CONTROL_TRANSFER: from 8f636088 to 8f635862 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 9625f538 8f636088 9625f790 05f70000 9625f790 ATMFD+0x35862 9625f630 8f6355b1 9625f790 05f70000 9625f64c ATMFD+0x36088 9625f734 8f635711 9625f790 05f70000 9625f868 ATMFD+0x355b1 9625f768 8f6051b0 00000000 9625f790 05f70000 ATMFD+0x35711 9625f808 8f607279 00000004 00000001 00000002 ATMFD+0x51b0 9625f888 8f603d14 00000000 00000000 94bb3200 ATMFD+0x7279 9625f96c 8f6e7b8d 00000004 fbad2fc0 fbadaff8 ATMFD+0x3d14 9625f9b4 8f6e7adf 00000001 fbad2fc0 fbadaff8 win32k!PDEVOBJ::LoadFontFile+0x3c 9625f9f4 8f6e74fc ffa6a130 0000002e fbad2fc0 win32k!vLoadFontFileView+0x291 9625fa80 8f6d6403 9625fb58 0000002e 00000001 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x209 9625facc 8f6d73d8 9625fb58 0000002e 00000001 win32k!GreAddFontResourceWInternal+0xfb 9625fc14 8164ddb6 000d9b78 0000002e 00000001 win32k!NtGdiAddFontResourceW+0x142 9625fc14 77ad6c74 000d9b78 0000002e 00000001 nt!KiSystemServicePostCall --- The bugcheck is caused by an attempt to read memory from an unmapped address. The specific expression being dereferenced by ATMFD.DLL is "base address of the Name INDEX data + NAME.offset[x] - 1", however no bounds checking is performed over the value of NAME.offset[x] before using it for pointer arithmetic. To our current knowledge, this condition can only lead to an out-of-bounds read, thus limiting the impact of the bug to remote denial of service, or potentially local kernel memory disclosure. However, we have not fully confirmed that the severity of the bug is not in fact more significant due to some further ATMFD logic we are not aware of. Interestingly, the crash is almost identical to the one reported in Issue #386 (MSRC-30296) nearly two years ago, which was supposedly fixed as CVE-2015-2461 in the MS15-080 bulletin. The fact that the same bugcheck still reproduces can potentially mean that the patch was insufficient. Only a single bitflip applied to a valid font file is sufficient to create an offending testcase (excluding SFNT table checksums). In our case, the byte at offset 0x375 in the original sample must be changed from 0x01 to 0x41. This corresponds to offset 0x71 of the "CFF " table. The PoC font can be found attached to this tracker entry. The issue reproduces on Windows 7 (other platforms untested). It is easiest to reproduce with Special Pools enabled for ATMFD.DLL, leading to an immediate crash when the bug is triggered. The bugcheck occurs upon opening the font in any default utility such as the Windows Font Viewer -- no special tools are required. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42243.zip

Products Mentioned

Configuraton 0

Microsoft>>Windows_10 >> Version -

Microsoft>>Windows_7 >> Version -

Microsoft>>Windows_8 >> Version -

Microsoft>>Windows_8.1 >> Version -

Microsoft>>Windows_rt >> Version -

Microsoft>>Windows_rt_8.1 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version r2

Microsoft>>Windows_server_2008 >> Version r2

Microsoft>>Windows_server_2012 >> Version -

Microsoft>>Windows_server_2012 >> Version r2

Microsoft>>Windows_vista >> Version -

References

http://www.securitytracker.com/id/1033238
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/76209
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/37917/
Tags : exploit, x_refsource_EXPLOIT-DB