CVE-2015-6104 : Détail

CVE-2015-6104

A03-Injection
25.69%V3
Network
2015-11-11
10h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted embedded font, aka "Windows Graphics Memory Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-6103.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 38713

Date de publication : 2015-11-15 23h00 +00:00
Auteur : Google Security Research
EDB Vérifié : Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=507 We have observed a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files. An example of a crash log excerpt generated after triggering the bug is shown below: --- DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6) N bytes of memory was allocated and more than N bytes are being referenced. This cannot be protected by try-except. When possible, the guilty driver's name (Unicode string) is printed on the bugcheck screen and saved in KiBugCheckDriver. Arguments: Arg1: fffff900c49ab000, memory referenced Arg2: 0000000000000001, value 0 = read operation, 1 = write operation Arg3: fffff96000324c14, if non-zero, the address which referenced memory. Arg4: 0000000000000000, (reserved) [...] FAULTING_IP: win32k!or_all_N_wide_rotated_need_last+70 fffff960`00324c14 410802 or byte ptr [r10],al MM_INTERNAL_CODE: 0 DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT BUGCHECK_STR: 0xD6 CURRENT_IRQL: 0 TRAP_FRAME: fffff88007531690 -- (.trap 0xfffff88007531690) .trap 0xfffff88007531690 NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=fffff880075318ff rbx=0000000000000000 rcx=0000000000000007 rdx=00000000000000ff rsi=0000000000000000 rdi=0000000000000000 rip=fffff96000324c14 rsp=fffff88007531820 rbp=fffffffffffffff5 r8=00000000ffffffff r9=fffff900c1b48995 r10=fffff900c49ab000 r11=0000000000000007 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz na po nc win32k!or_all_N_wide_rotated_need_last+0x70: fffff960`00324c14 410802 or byte ptr [r10],al ds:0b08:fffff900`c49ab000=?? .trap Resetting default scope LAST_CONTROL_TRANSFER: from fffff8000294a017 to fffff800028cd5c0 STACK_TEXT: fffff880`07531528 fffff800`0294a017 : 00000000`00000050 fffff900`c49ab000 00000000`00000001 fffff880`07531690 : nt!KeBugCheckEx fffff880`07531530 fffff800`028cb6ee : 00000000`00000001 fffff900`c49ab000 fffff900`c4211000 fffff900`c49ab002 : nt! ?? ::FNODOBFM::`string'+0x4174f fffff880`07531690 fffff960`00324c14 : 00000000`0000001f fffff960`000b8f1f fffff900`c4ed2f08 00000000`0000001f : nt!KiPageFault+0x16e fffff880`07531820 fffff960`000b8f1f : fffff900`c4ed2f08 00000000`0000001f 00000000`00000002 00000000`00000007 : win32k!or_all_N_wide_rotated_need_last+0x70 fffff880`07531830 fffff960`000eba0d : 00000000`00000000 fffff880`07532780 00000000`00000000 00000000`0000000a : win32k!draw_nf_ntb_o_to_temp_start+0x10f fffff880`07531890 fffff960`000c5ab8 : 00000000`00000000 fffff900`c49aad60 fffff900`c4ed2ed0 00000000`00ffffff : win32k!vExpandAndCopyText+0x1c5 fffff880`07531c30 fffff960`00874b4b : fffff900`0000000a fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 : win32k!EngTextOut+0xe54 fffff880`07531fc0 fffff900`0000000a : fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 00000000`00000000 : VBoxDisp+0x4b4b fffff880`07531fc8 fffff880`00000002 : fffff900`c4484ca0 fffff880`07532368 00000000`00000000 fffff880`07532110 : 0xfffff900`0000000a fffff880`07531fd0 fffff900`c4484ca0 : fffff880`07532368 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 : 0xfffff880`00000002 fffff880`07531fd8 fffff880`07532368 : 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 : 0xfffff900`c4484ca0 fffff880`07531fe0 00000000`00000000 : fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 fffff900`c49b6c30 : 0xfffff880`07532368 --- While the above is only one example, we have seen the issue manifest itself in a variety of ways: either by crashing while trying to write beyond a pool allocation in the win32k!or_all_4_wide_rotated_need_last, win32k!or_all_N_wide_rotated_need_last, win32k!or_all_N_wide_rotated_no_last or win32k!or_all_N_wide_unrotated functions, or in other locations in the kernel due to system instability caused by pool corruption. In all cases, the crash occurs somewhere below a win32k!EngTextOut function call, i.e. it is triggered while trying to display the glyphs of a malformed TTF on the screen, rather than while loading the font in the system. We believe the condition to be a pool-based buffer overflow triggered by one of the above win32k.sys functions, with a binary -or- operation being performed on bytes outside a pool allocation. This is also confirmed by the fact that various system bugchecks we have observed are a consequence of the kernel trying to dereference addresses with too many bits set, e.g.: --- rax=fffff91fc29b4c60 rbx=0000000000000000 rcx=fffff900c4ede320 rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000 rip=fffff96000271f6a rsp=fffff880035b8bd0 rbp=fffff880035b9780 r8=000000000000021d r9=fffff900c4edf000 r10=fffff880056253f4 r11=fffff900c4902eb0 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz na po nc win32k!PopThreadGuardedObject+0x16: fffff960`00271f6a 4c8918 mov qword ptr [rax],r11 ds:0030:fffff91f`c29b4c60=???????????????? --- While we have not determined the specific root cause of the vulnerability, the proof-of-concept TTF files triggering the bug were created by taking legitimate fonts and replacing the glyph TrueType programs with ones generated by a dedicated generator. Therefore, the problem is almost certainly caused by some part of the arbitrary TrueType programs. The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (typically leading to an immediate crash in one of the aforementioned functions when the overflow takes place), but it is also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which displays all of the font's glyphs at various point sizes. Attached is an archive with several proof-of-concept TTF files, together with corresponding kernel crash logs from Windows 7 64-bit. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38713.zip

Products Mentioned

Configuraton 0

Microsoft>>Windows_10 >> Version -

Microsoft>>Windows_10 >> Version 1511

Microsoft>>Windows_7 >> Version -

Microsoft>>Windows_8 >> Version -

Microsoft>>Windows_8.1 >> Version -

Microsoft>>Windows_rt >> Version -

Microsoft>>Windows_rt_8.1 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version r2

Microsoft>>Windows_server_2008 >> Version r2

Microsoft>>Windows_server_2012 >> Version -

Microsoft>>Windows_server_2012 >> Version r2

Microsoft>>Windows_vista >> Version -

Références

https://www.exploit-db.com/exploits/38713/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securitytracker.com/id/1034114
Tags : vdb-entry, x_refsource_SECTRACK