TrueType Font (TTF) Fuzzing and Vulnerability

Lee Ling Chuan (@lclee_vx) & Chan Lee Yee (@lychan25)
Copyright © 2013 F13 Laboratory. All Rights Reserved
4/11/2013

Who Are We?
•  Ling Chuan Lee (@lclee_vx) - Founder of F13 Laboratory
•  Lee Yee Chan (@lychan25) - Founder of F13 Laboratory

Agenda
•  Introduction
•  Bug Hunting with TrueType Font Fuzzer
•  Attack Vector - Local
•  Attack Vector - Remote
•  TrueType Font Vulnerabilities (Proof of Concept)

Introduction
•  Two categories of fonts exist:
   a. GDI fonts
   b. Device fonts
•  GDI fonts, which are based in Windows, consist of three types:
   a. Raster
   b. Vector
   c. TrueType & OpenType
Reference: http://msdn.microsoft.com/en-us/library/dd162893(v=vs.85).aspx

•  Raster fonts: a bitmap used to draw a single character in the font
•  Vector fonts: a collection of line endpoints that define the line segments used to draw a character in the font
•  TrueType & OpenType fonts: a collection of line and curve commands as well as a collection of hints

•  Different types of font are available within the Windows operating system, for instance TrueType font (.ttf), Bitmap font (.fon), OpenType PostScript font (.otf), etc.
•  Font vulnerabilities represent a significant Windows kernel attack surface that could lead to remote code execution attacks
•  A number of Windows font vulnerabilities are listed in the Common Vulnerabilities and Exposures (CVE) database, for example CVE-2011-3402 / MS11-087

•  TrueType Font (TTF):
   -  A TTF font file contains data, in table format, that comprises an outline font
   -  The outlines of glyphs in TrueType fonts are made of straight line segments and quadratic Bézier curves
   -  The raster device uses combinations of data from different tables to render the glyph data in the font file
[Figure: the EM square, showing ascent, body and descent]
Reference: TrueType 1.0 Font File Technical Specification, Revision 1.66, August 1995

•  From font file to raster device:
   -  First, the outline stored in the font file is scaled to the requested size
   -  The points that make up the outline in FUnits become device-specific pixel coordinates
   -  The instructions associated with the glyph are carried out by the interpreter
   -  The result of carrying out the instructions is a grid-fitted outline for the requested glyph
   -  The outline is scan converted to produce a bitmap that can be rendered on the device

Introduction - FontForge
•  Some open source/free TrueType font hacking tools are available on the internet
•  FontForge is a full-featured font editor which supports all common font formats, for instance PostScript, TrueType, OpenType, bitmap fonts, etc.
•  Developed by George Williams
•  It is available for several operating systems and localized into 12 languages. The software is distributed under the BSD license
•  An outline font editor that lets the user create/delete/edit/convert font files
•  FontForge has a TrueType hinting bytecode debugger to view the image directly in its original size
[Screenshots: FontForge Font Editor; TrueType Hinting Bytecode Debugger]
Reference: http://fontforge.org, http://fontforge.org/charview.html

Introduction - TrueTypeViewer
•  TrueTypeViewer enables you to view TrueType fonts and debug the TrueType instructions embedded in the font
•  Developed by Rogier van Dalen
•  TrueTypeViewer supports all TrueType/OpenType positioning and substitution lookups
•  It works on the Windows operating system (98, ME, XP, etc.)
•  The software is distributed under the GPL license
[Screenshots: TrueTypeViewer; a crafted TTF crashing TrueTypeViewer]
Reference: http://home.kabelfoon.nl/~slam/fonts/truetypeviewer.html

Introduction - FontTools
•  Microsoft provides free font tools for building, validating and testing TrueType and OpenType fonts
•  Microsoft Font Validator for testing TrueType and OpenType fonts
•  Font Properties Editor adds description and license information to TrueType fonts
•  Other tools such as:
   -  TTFDump is a console tool that dumps the contents of a TrueType font file
   -  SBIT32 is a 32-bit console tool that embeds bitmap data into an existing TrueType font file
[Screenshot: TTFDump output]
Reference: http://www.microsoft.com/typography/tools/tools.aspx

Bug Hunting with TrueType Font Fuzzer

TrueType Font Fuzzer
•  Fuzzing is a software testing methodology that aims to provide invalid, mutated or malformed inputs to an application in the hope that the application exhibits some security issue
[Figure: Font Fuzzer -> Fuzzed Font -> Display some text]

Bug Hunting with TrueType Font Fuzzer
•  Dumb fuzzing:
   -  Simple modification of legitimate data fed to the targeted application without awareness of its data structure
•  Smart fuzzing:
   -  Generate inputs that are malformed but mostly compliant, taking the data structure into consideration: 'encodings', 'checksum', 'offset' and 'relations'
•  Dumb fuzzing is not a good method for TrueType font fuzzing

TrueType Font Format
•  The 010 Editor (binary editor) parses a variety of file formats into a hierarchical structure using a binary template
   -  Free 30-day trial!
   -  Supports multiple platforms: Windows, Mac OS X
   -  Free binary templates (*.bmp, *.zip, *.wav)
•  We developed the TrueType (*.ttf) and OpenType (*.otf) binary templates for internal usage
Reference: http://www.sweetscape.com/download/download_010editor.html

•  A TrueType font file contains data, in table format, that comprises an outline font
•  The TrueType font file begins at byte 0 with the Font Offset Table
•  The Offset Table is divided into 5 fields:
   sfnt version   : 65536 (0x00010000) for version 1.0
   numTables      : Number of tables
   searchRange    : (Maximum power of 2 <= numTables) x 16
   entrySelector  : Log2(Maximum power of 2 <= numTables)
   rangeShift     : numTables x 16 - searchRange
Reference: TrueType 1.0 Font File Technical Specification, Revision 1.66, August 1995

•  The Font Table Directory entries follow the Font Offset Table, beginning at byte 12
•  Entries in the Table Directory must be sorted in ascending order by 'tag' name
•  Font Table Directory entry:
   tag       : 4-byte identifier
   checkSum  : Checksum of the table
   offset    : Beginning offset of the font table entry
   length    : Length of the table

•  Required tables in the Font Offset Table:
   cmap  : character to glyph mapping
   glyf  : glyph data
   head  : font header
   hhea  : horizontal header
   hmtx  : horizontal metrics
   loca  : index to location
   maxp  : maximum profile
   name  : naming table
   post  : PostScript information
   OS/2  : OS/2 and Windows specific metrics

•  Optional tables in the Font Offset Table:
   cvt   : Control Value Table
   EBDT  : Embedded bitmap data
   EBLC  : Embedded bitmap location data
   EBSC  : Embedded bitmap scaling data
   fpgm  : font program
   gasp  : grid-fitting and scan conversion procedure
   hdmx  : horizontal device metrics
   kern  : kerning
   LTSH  : Linear threshold table
   prep  : CVT Program
   PCLT  : PCL5
   VDMX  : Vertical Device Metrics table
   vhea  : Vertical Metrics header
   vmtx  : Vertical Metrics
   Note: Tags for these tables must be registered with Apple Developer Technical Support

Bug Hunting with TrueType Font Fuzzer
Never ever use the dumb fuzzing methodology on these fields: 'checkSum', 'offset', 'length' and 'Table'

Bug Hunting with TrueType Font Format
1. Python code used to determine the checksum of the 'head' table:

    from struct import unpack

    def chk(tab):
        # tab must already be padded with zeros to a multiple of 4 bytes;
        # sum the big-endian uint32 words and keep the low 32 bits
        total_data = 0
        for i in range(0, len(tab), 4):
            data = unpack(">I", tab[i:i+4])[0]
            total_data += data
        final_data = 0xFFFFFFFF & total_data
        return final_data

2. The checksum calculation implies 4-byte boundaries for the entire table; the remaining space is padded with zeros
3. 'Offset' points to the beginning of the 'DataHEAD' structure
4. 'Length' defines the size of the 'DataHEAD' table
Smart fuzzing fixes the checkSum value with the chk() function above after each modification

TrueType Font Fuzzer
•  We can fuzz a font by:
   a. Byte flipping of the entire TrueType font table (1 byte, 2 bytes, 4 bytes, ...)
   b. During fuzzing, every flipping test requires the checksum value to be fixed
   c. Filling in a LOGFONT structure
   d. Calling 'CreateFontIndirect' to return a font handle (HFONT)
   e. Working with fonts at a lower level through font APIs: GetFontData, GetGlyphIndices, ExtTextOut with the ETO_GLYPH_INDEX flag

•  Every fuzzed TrueType font will:
   a. Automatically install the crafted font in the 'C:\WINDOWS\Fonts' folder:
        htr = windll.gdi32.AddFontResourceExA(fileFont, FR_PRIVATE, None)
   b. Register a window class and create a new window to automate the font text display across the range of font sizes
   c. Remove the font from the 'C:\WINDOWS\Fonts' folder:
        windll.gdi32.RemoveFontResourceExW(fileFont, FR_PRIVATE, None)
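The byte-flip-then-fix-checkSum step described on the fuzzer slides above, as an added example that is not part of the F13 Laboratory slides or their FontFuzzer repository: it builds a constructed minimal sfnt (three short tables, not a real font), parses the Offset Table and Table Directory, recomputes each table checksum with the 4-byte zero padding the slides describe, and rewrites the directory's checkSum after a mutation so the file still passes a directory integrity check. All table names, table bytes and the mutation position are constructed for the demonstration.

```python
import struct

def pad4(data: bytes) -> bytes:
    """Zero-pad a table to a 4-byte boundary, as the checksum rule requires."""
    return data + b"\0" * (-len(data) % 4)

def table_checksum(data: bytes) -> int:
    """Sum of big-endian uint32 words over the padded table, truncated to 32 bits."""
    padded = pad4(data)
    total = sum(struct.unpack(">I", padded[i:i + 4])[0] for i in range(0, len(padded), 4))
    return total & 0xFFFFFFFF

def build_sfnt(tables: dict) -> bytes:
    """Constructed sfnt: Offset Table, tag-sorted Table Directory, then the tables."""
    tags = sorted(tables)                    # directory entries sorted by tag
    n = len(tags)
    max_pow2 = 1 << (n.bit_length() - 1)     # largest power of 2 <= numTables
    header = struct.pack(">IHHHH", 0x00010000, n, max_pow2 * 16,
                         max_pow2.bit_length() - 1, n * 16 - max_pow2 * 16)
    offset = 12 + 16 * n                     # directory starts at byte 12
    directory = body = b""
    for tag in tags:
        data = tables[tag]
        directory += struct.pack(">4sIII", tag.encode("ascii"),
                                 table_checksum(data), offset, len(data))
        body += pad4(data)
        offset += len(pad4(data))
    return header + directory + body

def read_directory(font: bytes) -> dict:
    """Parse numTables and the directory into {tag: (checkSum, offset, length)}."""
    n = struct.unpack(">H", font[4:6])[0]
    entries = {}
    for i in range(n):
        pos = 12 + 16 * i
        tag, chk, off, length = struct.unpack(">4sIII", font[pos:pos + 16])
        entries[tag.decode("ascii")] = (chk, off, length)
    return entries

def verify_checksums(font: bytes) -> dict:
    """{tag: stored checkSum == recomputed checkSum} for every directory entry."""
    return {tag: table_checksum(font[off:off + length]) == chk
            for tag, (chk, off, length) in read_directory(font).items()}

def flip_byte_and_fix(font: bytes, tag: str, index: int, mask: int) -> bytes:
    """Smart-fuzz step: XOR one byte inside `tag`, then repair that entry's checkSum
    so the mutated file is still consistent with its own directory."""
    entries = read_directory(font)
    chk, off, length = entries[tag]
    buf = bytearray(font)
    buf[off + index] ^= mask
    entry_pos = 12 + 16 * list(entries).index(tag)   # entries are in file order
    struct.pack_into(">I", buf, entry_pos + 4, table_checksum(bytes(buf[off:off + length])))
    return bytes(buf)
```

A real font also carries head.checkSumAdjustment, which the TrueType specification defines as 0xB1B0AFBA minus the checksum of the entire file; this block leaves that field alone.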
•  Part of the fuzzer's source code is shared on GitHub: https://github.com/lingchuanlee/FontFuzzer

•  Create the window class and define the LOGFONT structure:

    lf = win32gui.LOGFONT()
    htr = windll.gdi32.AddFontResourceExA(fileFont, FR_PRIVATE, None)
    w = mainWindow()
    hwnd = w.CreateWindow()
    hdc = windll.user32.GetDC(hwnd)

•  Define a character map of the TrueType font:

    z = [
        chr(0), chr(1), chr(2), chr(3), chr(4),
        chr(5), chr(6), chr(7), chr(8), chr(9),
        chr(10), chr(11), chr(12), chr(13), chr(14),
        chr(15), chr(16), chr(17), chr(18), chr(19),
        [......]
        chr(240), chr(241), chr(242), chr(243), chr(244),
        chr(245), chr(246), chr(247), chr(248), chr(249),
        chr(250), chr(251), chr(252), chr(253), chr(254), chr(255)
    ]
    array_types = c_wchar * 256
    var1 = array_types()
    for y in range(1, 256, 1):
        var1[y] = z[y]
    [……]

•  A range of font sizes:

    for fontsize in range(1, 100, 1):
        lf.lfHeight = fontsize
        lf.lfFaceName = "Droid"
        lf.lfWidth = 0
        lf.lfEscapement = 0
        lf.lfOrientation = 0
        lf.lfWeight = FW_NORMAL
        lf.lfItalic = False
        lf.lfUnderline = False
        lf.lfStrikeOut = False
        lf.lfCharSet = DEFAULT_CHARSET
        lf.lfOutPrecision = OUT_DEFAULT_PRECIS
        lf.lfClipPrecision = CLIP_DEFAULT_PRECIS
        lf.lfPitchAndFamily = DEFAULT_PITCH | FF_DONTCARE

•  Draw text using the selected font:

    windll.gdi32.ExtTextOutW(hdc, 5, 5, ETO_GLYPH_INDEX, None, var1, len(var1), None)

Demonstration

Attack Vector

GDI Font Kernel Attack
•  The Graphics Device Interface (GDI) is part of the core OS components. It is responsible for graphical objects and for transmitting output to devices such as video displays as well as printers
•  There are different types of font available on Windows. Two groups of categories: GDI fonts and device fonts
•  GDI fonts, based in Windows, consist of three types: raster, stroke and TrueType

Font Attack Vector
•  We identify font vulnerabilities as one of the likely weak points, accessible via browsers (IE, Firefox, Chrome), Microsoft Office documents (*.docx, *.pptx) and other applications such as Adobe Portable Document Format (.pdf)
•  Local Windows kernel exploit - copy and execute a crafted font on the Windows system to raise the attacker's privilege to super user
•  Remote Windows kernel exploit - includes social engineering and requires the target to open the crafted Microsoft Word document (*.docx) or website

Local Font Attack Vector
•  The attacker copies and executes a crafted font on the Windows system to raise the user privilege to super user

Remote Font Attack Vector
•  The font vulnerability could allow remote code execution if the victim opens a crafted web page with the TrueType font embedded
•  The attacker can use the CSS @font-face rule to embed a crafted TrueType font in the web page:

    <style>
    @font-face {
        font-family: "Crafted Font";
        src: url("sample.ttf") format("truetype");
    }
    body {
        font-family: "Crafted Font";
        font-size: 30px;
        font-style: normal;
        font-weight: bold;
        font-stretch: normal;
    }
    </style>
    </head>
    <body>
    &#0; &#1; &#3; &#4; &#5; &#6; [……]
    </body>

•  The font vulnerability could allow remote code execution if the victim opens a crafted Microsoft Office Word file (*.docx)
•  ODTTF is an embedded font file type used in the Microsoft Office XML format and Microsoft's XML Paper Specification (XPS) format
•  Embedded font obfuscation prevents end users from using standard ZIP utilities to extract fonts from OpenXPS or Office document files and install them on their systems
•  To perform embedded font obfuscation, a 128-bit (16-byte) GUID (Globally Unique Identifier) is generated for the font to be obfuscated
•  Microsoft Office 2007 adopted an XML-based file format for Excel 2007, Word 2007 and PowerPoint 2007
•  The new file format, called Office Open XML Format, improves file and data management and data recovery, and extends support for earlier versions
Reference: http://msdn.microsoft.com/en-us/library/office/aa338205(v=office.12).aspx

•  Editing components of the document XML forces Office Word to use the crafted obfuscated TrueType font (*.odttf)
•  In /~path~/Office Word/word/fontTable.xml, we set the Globally Unique Identifier (GUID) value in "w:fontKey"
•  Perform an XOR operation on the first 32 bytes of the binary data of the font with the generated GUID key
Reference: http://office.microsoft.com/en-us/overview-RZ010357030.aspx?section=1

•  The key bytes Key[0] .. Key[15] (fontKey[i], i = 0, 1, 2, ..., 15):
   F8 1E D8 17 36 AD 4C 71 88 D3 E5 A6 2F BA F8 34
•  Each of the first 32 bytes of the TrueType font is XORed with the key bytes taken in reverse order:

    import binascii

    def deobfuscate_odttf(keys, obf_font_string):
        # keys: the 32 hex characters of the GUID (w:fontKey) without braces or dashes;
        # XOR is its own inverse, so the same routine obfuscates a plain font
        font_key = binascii.unhexlify(keys)
        font_string = bytearray(obf_font_string)
        for i in range(16):
            font_string[i] ^= font_key[15 - i]
            font_string[i + 16] ^= font_key[15 - i]
        return bytes(font_string)

    keys = "F81ED81736AD4C7188D3E5A62FBAF834"
    obf_font_string = open(FontFile, 'rb').read()   # FontFile: path of the .odttf
    font_string = deobfuscate_odttf(keys, obf_font_string)

•  In /~path~/Office Word/word/document.xml, we define the values of "w:rFonts w:ascii", "w:hAnsi", "w:sz w:val" and "w:szCs w:val":
   -  w:rFonts specifies the font which shall be used to format all characters
   -  w:sz specifies the font size; the element's val attribute is expressed in half-point values

TrueType Font Vulnerabilities (POC)

Local TrueType Font Vulnerability POC#1
•  Milestones:
   -  2012-11-15  Vulnerability discovered
   -  2012-12-03  Vendor notified
   -  2012-12-04  Provided the POC sample to the vendor
   -  2013-03-12  CVE-2013-2558 assigned by MITRE
   -  2013-03-23  Vendor contacted; some information taken out of the slides before the advisory release in June 2013
•  Start blue screen debugging with the bugcheck code
•  Bug Check 0x50: PAGE_FAULT_IN_NONPAGED_AREA

   Parameter  Description                              Value
   1          Memory address referenced                add10004
   2          0: Read operation, 1: Write operation    1
   3          Address that referenced the memory       8fab726d
   4          Reserved                                 0

Reference: http://msdn.microsoft.com/en-us/library/windows/hardware/ff559023(v=vs.85).aspx
•  Referring to the documentation on page fault handling in x86, the processor stores the address being faulted on in CR2 prior to calling the page fault handler. We use this to reconfirm the data in the bugcheck code
•  We can confirm that virtual address add10004 really is invalid by looking at the page table entry (PTE)
Reference: http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html
•  The call stack and trap frame explain why the instruction at address 8fab726d attempted to write data to address add10004, which caused the system crash
•  This is where the logic starts to break down: the code wanted to write to add10004, which is an invalid address

Demonstration

Remote TrueType Font Vulnerability POC#2
•  Successfully embedded the crafted TrueType font in Office Word (*.docx) and a web page (HTML) to launch the remote kernel attack on Windows 8 Pro

Demonstration

Thank You!