CVE-2016-0145 : Detail

CVE-2016-0145

Score: 8.8 / High (CVSS V3)
Type: Overflow
EPSS: 81.42%
Attack Vector: Network
Published: 2016-04-12 21h00 +00:00
Last modified: 2018-10-12 17h57 +00:00

CVE Descriptions

The font library in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold and 1511; Office 2007 SP3 and 2010 SP2; Word Viewer; .NET Framework 3.0 SP2, 3.5, and 3.5.1; Skype for Business 2016; Lync 2010; Lync 2010 Attendee; Lync 2013 SP1; and Live Meeting 2007 Console allows remote attackers to execute arbitrary code via a crafted embedded font, aka "Graphics Memory Corruption Vulnerability."

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics Score Severity CVSS Vector Source
V3.0 8.8 HIGH CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base: Exploitability Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers).

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Required

Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Base: Scope Metrics

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Scope

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

Unchanged

An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.

Base: Impact Metrics

The Impact metrics refer to the properties of the impacted component.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Environmental Metrics

(Source recorded for the V3.0 row above: [email protected])

V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 39743

Publication date : 2016-04-27 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=684

We have encountered a Windows kernel crash in the win32k.sys driver while processing a corrupted TTF font file. An example of a crash log excerpt generated after triggering the bug is shown below:

---
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of the problem, and then special pool applied to the suspect tags or the driver verifier to a suspect driver.
Arguments:
Arg1: 00000021, the data following the pool block being freed is corrupt. Typically this means the consumer (call stack ) has overrun the block.
Arg2: ff66c000, The pool pointer being freed.
Arg3: 00001038, The number of bytes allocated for the pool block.
Arg4: 00000000, The corrupted value found following the pool block.

Debugging Details:
------------------

BUGCHECK_STR: 0x19_21

POOL_ADDRESS: GetPointerFromAddress: unable to read from 8277684c
Unable to read MiSystemVaType memory at 82755780
ff66c000

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP

PROCESS_NAME: csrss.exe

CURRENT_IRQL: 0

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

LAST_CONTROL_TRANSFER: from 82942f90 to 8272cc6b

STACK_TEXT:
b5ccb5c0 82942f90 ff66c000 00000000 ff66c000 nt!ExFreePoolWithTag+0x1b1
b5ccb5d4 9916b9e2 ff66c000 00000000 fb834e78 nt!VerifierExFreePoolWithTag+0x30
b5ccb5e8 99159ebf ff66c010 fb82af24 00000001 win32k!EngFreeMem+0x1f
b5ccb728 9914eda9 0000002c 0000001c b5ccb818 win32k!lGetGlyphBitmap+0x258
b5ccb750 9914ebf6 00000000 00000001 0000001c win32k!ttfdQueryFontData+0x15e
b5ccb7a0 9914de12 ff7a5010 fb82acf0 00000001 win32k!ttfdSemQueryFontData+0x45
b5ccb7e8 991538bd ff7a5010 fb82acf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
b5ccb860 991cc470 b5ccbb3c ff6b0300 ff6ab094 win32k!xInsertMetricsPlusRFONTOBJ+0x120
b5ccb890 99145a6f 0000000a ff7bf050 b5ccbbda win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
b5ccb8c8 991cbf6e b5ccbb1c b5ccbb3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
b5ccb90c 991456f2 b5ccbbd0 0000000a b5ccbb1c win32k!ESTROBJ::vInit+0x268
b5ccbb2c 991458b5 00000000 b5ccbbd0 fb82acf0 win32k!GreGetTextExtentExW+0x12a
b5ccbc0c 82647a06 2b01027a 006e0bac 0000000a win32k!NtGdiGetTextExtentExW+0x141
b5ccbc0c 76e871b4 2b01027a 006e0bac 0000000a nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0026f2ac 00000000 00000000 00000000 00000000 0x76e871b4
---

The type of the bugcheck implies a pool-based buffer overflow or some other type of pool corruption, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "EBLC" and "EBSC" tables.

The issue reproduces on Windows 7. It is easiest to reproduce with Special Pools enabled for win32k.sys, but it is also possible to observe a crash on a default Windows installation in win32k.sys or another location in kernel space, as caused by the corrupted pool state.

Attached is an archive with the proof-of-concept mutated TTF file, together with the original font used to generate it and a corresponding crash log from Windows 7 32-bit.

The vendor communication timeline is as follows:

12/22/2015 Vulnerability is reported to Microsoft.
12/22/2015 MSRC acknowledges the receipt of the report.
01/09/2016 MSRC informs us they are unable to reproduce the issue and ask for a crash dump that may help.
01/11/2016 We send MSRC 32-bit and 64-bit crash dumps, together with additional repro information.
01/11/2016 MSRC acknowledges the receipt of the new information.
01/21/2016 MSRC informs us they still cannot reproduce the crash, and the provided crash dumps didn't help. They ask for more detailed information (full crash dump, environment details, POC program etc.)
01/25/2016 Upon further investigation, we realize that the bugcheck only occurs if the [Computer => Properties => Advanced system settings => Advanced => Performance => Settings => Visual Effects => Smooth edges of screen fonts] option is unchecked in system settings, and let MSRC know about this discovery.
01/25/2016 MSRC confirm that the crash now reproduces reliably on their side.

Since Microsoft was only able to get a repro of this issue on 01/25/2016 due to the non-standard system settings, we are resetting the 90-day period start date to that day.

When the "Smooth edges of screen fonts" option is disabled, the bugcheck also occurs on versions of Windows other than 7 (confirmed with Windows 8.1). By further minimizing the POC sample, it is also possible to trigger the crash by simply opening it in the default "Windows Font Viewer" utility.

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39743.zip

Products Mentioned

Configuration 0

Microsoft>>.net_framework >> Version 3.0

Microsoft>>.net_framework >> Version 3.5

Microsoft>>.net_framework >> Version 3.5.1

Microsoft>>Live_meeting >> Version 2007

Microsoft>>Lync >> Version 2010

Microsoft>>Lync >> Version 2010

Microsoft>>Lync >> Version 2013

Microsoft>>Office >> Version 2007

Microsoft>>Office >> Version 2010

Microsoft>>Skype_for_business >> Version 2016

Microsoft>>Word_viewer >> Version *

Microsoft>>Windows_10 >> Version -

Microsoft>>Windows_10 >> Version 1511

Microsoft>>Windows_7 >> Version -

Microsoft>>Windows_8.1 >> Version *

Microsoft>>Windows_rt_8.1 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version r2

Microsoft>>Windows_server_2012 >> Version -

Microsoft>>Windows_server_2012 >> Version r2

Microsoft>>Windows_vista >> Version *

References

http://www.securitytracker.com/id/1035529
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securitytracker.com/id/1035530
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securitytracker.com/id/1035532
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securitytracker.com/id/1035528
Tags : vdb-entry, x_refsource_SECTRACK
https://www.exploit-db.com/exploits/39743/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securitytracker.com/id/1035531
Tags : vdb-entry, x_refsource_SECTRACK