GDI Font Fuzzing in Windows Kernel for Fun
Lee Ling Chuan & Chan Lee Yee, Ministry of Science, Technology and Innovation
3/16/2012

Agenda
• Introduction
• TrueType Font (.TTF)
• TTF Fuzzer
• Exploit Demonstration – MS11‐087
• Microsoft Windows Bitmapped font (.fon)
• FON Fuzzer (by Byoungyoung Lee) with some modification
• Exploit Demonstration – MS11‐077
Introduction
• Two groups of categories exist:
  a. GDI Fonts
  b. Device Fonts
• GDI fonts, which are based in Windows, consist of three types:
  a. Raster
  b. Vector
  c. TrueType & OpenType
Reference: http://msdn.microsoft.com/en‐us/library/dd162893(v=vs.85).aspx
Introduction…
• Raster fonts: a glyph is a bitmap that is used to draw a single character in the font
• Vector fonts: a glyph is a collection of line endpoints that define the line segments used to draw a character in the font
• TrueType & OpenType fonts: a glyph is a collection of line and curve commands as well as a collection of hints
TrueType Fonts (.TTF)
• A TrueType font file contains data, in table format, that comprises an outline font
• The outlines of glyphs in TrueType fonts are made of straight line segments and quadratic Bézier curves
• Windows scales these fonts to any size using the hints inside the TTF file
• Hints are included in TTF files and are used to correct oversights
TrueType Fonts (.TTF)…
• The TTF table layout is designed to keep the entire glyph data in various tables:
  a. EBDT: Embedded Bitmap Data Table
  b. EBLC: Embedded Bitmap Location Table
  c. EBSC: Embedded Bitmap Scaling Table
• The rasterizer uses a combination of data from different tables to render the glyph data in the font
Reference: TrueType 1.0 Font File, Technical Specification Revision 1.66, August 1995, Microsoft
TrueType Fonts (.TTF)…
• TrueType embedded bitmaps are also called ‘scaler bitmaps’ or ‘sbits’
• A set of bitmaps for a face at a given size is called a strike
TrueType Fonts (.TTF)…
.TTF Font Structure (diagram)
TrueType Fonts (.TTF)…
• EBDT – Embedded Bitmap Data Table:
  a. The EBDT table stores the glyph bitmap data
  b. The ‘EBDT’ table begins with a header containing simply the table version number
  c. The rest of the ‘EBDT’ table is a collection of bitmap data
TrueType Fonts (.TTF)…
• EBLC – Embedded Bitmap Location Table:
  a. The ‘EBLC’ table identifies the sizes and glyph range of the sbits, and keeps offsets to glyph bitmap data in indexSubTables
  b. The ‘EBLC’ table begins with a header (eblcHeader) containing the table version and number of strikes
  c. The eblcHeader is followed by the bitmapSizeTable array(s)
  d. Each strike is defined by one b
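The EBDT and EBLC slides above describe exactly the header fields a font fuzzer mutates and a font consumer must bounds-check before trusting: the sfnt table directory, the EBDT version header, and the EBLC header's strike count followed by its bitmapSizeTable array. The following validator is an added example written for this page; it is not code from the presentation or its authors. It assumes the layouts from the TrueType 1.0 specification the slides cite (big-endian fields, 16-byte table records, a 48-byte bitmapSizeTable per strike) and builds a constructed two-table font blob inline, together with a copy whose numSizes field has been bumped past what the table holds, so the check can be seen rejecting an overrun.

```python
"""sfnt / EBLC / EBDT header validator (added example, not the slides' code).

Assumed layouts (TrueType 1.0 spec, all big-endian):
  offset table : uint32 sfntVersion, uint16 numTables, searchRange,
                 entrySelector, rangeShift, then numTables 16-byte records
                 (tag[4], uint32 checkSum, uint32 offset, uint32 length)
  EBLC header  : Fixed version (uint32), uint32 numSizes,
                 then numSizes bitmapSizeTable entries of 48 bytes each
  EBDT header  : Fixed version (uint32), then raw bitmap data
"""
import struct

OFFSET_TABLE = struct.Struct(">IHHHH")
TABLE_RECORD = struct.Struct(">4sIII")
EBLC_HEADER = struct.Struct(">II")
EBDT_HEADER = struct.Struct(">I")
BITMAP_SIZE_TABLE_LEN = 48


class FontFormatError(ValueError):
    pass


def parse_table_directory(data):
    """Return {tag: (offset, length)} after checking every record stays in bounds."""
    if len(data) < OFFSET_TABLE.size:
        raise FontFormatError("file shorter than the offset table")
    sfnt_version, num_tables, _, _, _ = OFFSET_TABLE.unpack_from(data, 0)
    if sfnt_version not in (0x00010000, 0x74727565):   # 1.0 or 'true'
        raise FontFormatError("not a TrueType sfnt: version 0x%08x" % sfnt_version)
    if OFFSET_TABLE.size + num_tables * TABLE_RECORD.size > len(data):
        raise FontFormatError("numTables=%d overruns the file" % num_tables)
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(
            data, OFFSET_TABLE.size + i * TABLE_RECORD.size)
        # Python ints do not wrap, so offset + length cannot overflow past len(data).
        if offset + length > len(data):
            raise FontFormatError("table %r [%d,+%d) lies outside the file" % (tag, offset, length))
        tables[tag] = (offset, length)
    return tables


def check_sbit_tables(data):
    """Validate the EBDT/EBLC headers; return (ebdt_version, eblc_version, num_strikes)."""
    tables = parse_table_directory(data)
    if b"EBDT" not in tables or b"EBLC" not in tables:
        raise FontFormatError("EBDT/EBLC pair is incomplete")
    ebdt_off, ebdt_len = tables[b"EBDT"]
    if ebdt_len < EBDT_HEADER.size:
        raise FontFormatError("EBDT shorter than its header")
    (ebdt_version,) = EBDT_HEADER.unpack_from(data, ebdt_off)
    eblc_off, eblc_len = tables[b"EBLC"]
    if eblc_len < EBLC_HEADER.size:
        raise FontFormatError("EBLC shorter than its header")
    eblc_version, num_sizes = EBLC_HEADER.unpack_from(data, eblc_off)
    # numSizes comes from the file: confirm the bitmapSizeTable array it announces
    # actually fits inside the EBLC table before anything walks it.
    needed = EBLC_HEADER.size + num_sizes * BITMAP_SIZE_TABLE_LEN
    if needed > eblc_len:
        raise FontFormatError("EBLC declares %d strikes but holds %d bytes" % (num_sizes, eblc_len))
    return ebdt_version, eblc_version, num_sizes


def build_font(tables):
    """Pack {tag: payload} into an sfnt blob (constructed test input, not a real font)."""
    num = len(tables)
    first_table = OFFSET_TABLE.size + num * TABLE_RECORD.size
    directory, body = b"", b""
    for tag, payload in tables.items():
        directory += TABLE_RECORD.pack(tag, 0, first_table + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)   # 4-byte alignment
    return OFFSET_TABLE.pack(0x00010000, num, 0, 0, 0) + directory + body


# Constructed sample: one strike whose bitmapSizeTable is all zeros.
GOOD_FONT = build_font({
    b"EBDT": EBDT_HEADER.pack(0x00020000) + b"\x01\x02\x03\x04",
    b"EBLC": EBLC_HEADER.pack(0x00020000, 1) + b"\0" * BITMAP_SIZE_TABLE_LEN,
})

# Same sample with numSizes set to 1000 while the table still holds one entry.
BAD_FONT = build_font({
    b"EBDT": EBDT_HEADER.pack(0x00020000) + b"\x01\x02\x03\x04",
    b"EBLC": EBLC_HEADER.pack(0x00020000, 1000) + b"\0" * BITMAP_SIZE_TABLE_LEN,
})


def is_well_formed(data):
    try:
        check_sbit_tables(data)
        return True
    except FontFormatError:
        return False


if __name__ == "__main__":
    print(check_sbit_tables(GOOD_FONT))   # (131072, 131072, 1)
    print(is_well_formed(BAD_FONT))       # False
```

The check does not interpret the bitmapSizeTable entries or the indexSubTables they point to; it stops at the point where a consumer would start dereferencing file-supplied offsets, which is where the same length-versus-declared-count comparison has to be repeated for every nested structure.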