All decisions have consequences, but how did MS break OpenType fonts in such a way that it allows creation of an elevated user?

22    20 Jul 2015 20:37 by u/TigrisMorte

WTF? Does it save the font in such a way that it can overwrite memory in near blocks?

The vulnerability, if exploited, could "allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts."

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the advisory added.

In other words, a previously undisclosed flaw in the way Windows handles certain fonts can allow a hacker to take over an entire machine.

Users running Windows Vista, Windows 7, 8, 8.1 and Windows RT are all affected, including those running Windows Server 2008 and later.

The "critical"-rated software update lands almost a week after its scheduled Patch Tuesday where it typically issues security fixes. Microsoft said it believed the flaw was public but did not have any evidence to suggest it was being actively exploited.

Security researchers from Google's Project Zero and FireEye were credited with finding the flaw.

The patch is available over typical update methods, including Windows Update.

from: http://www.zdnet.com/article/microsoft-releases-emergency-patch-for-critical-windows-flaw/?tag=nl.e589&s_cid=e589&ttag=e589&ftag=TREc64629f

13 comments

18

Many things run in the Kernel in Windows. I'm really sorry to say this, but honestly, that's beyond a bad idea. I'm pretty sure though that the MS guys know it themselves, so no need to say further :>

Some things which run in the Kernel: many parts of the GUI drawing, and some other services not belonging there, like parts of the MS HTTP server IIS (optionally). None of these belong there. Why were they put there in the first place? Good question. For the IIS portion, it's to increase performance. Sorry, Windows lovers, but it looks like the Windows kernel sucks and is abysmally slow, so slow that to win the speed race against Linux boxes and their user-space daemons, they had to build a Kernel module to keep up to speed. This is the reason why every security issue inside IIS is immediately beyond critical. Fun times. For other things, I guess it was decided to put them there for faster development. Wild guess. Other than that I don't know, I can't think of any good reason, really.

So, as drawing the GUI (Graphical User Interface) is done in the Kernel, font files are also read there. This means that every issue which leads to a crash immediately leads to a critical security issue (oh, and it makes the system really unstable). I can't find right away what kind of exact issue this was, so let me just do some guessing about what kind of issues there could have been:

  • Buffer overflow: The good old buffer overflow. Meaning, you have a data structure, allocate some kind of buffer to hold data, and then try to memcpy more data into it than it has space. This quickly leads to a crash, which may be mitigated by carefully crafting the data.
  • Missing boundary check: Maybe they didn't do proper boundary checking, so that an index given in the OpenType font was not sanity checked, and thus triggered an out-of-bounds write.
#include <string.h>
// Hypothetical parsed-font structures, stand-ins for whatever the real parser uses:
struct OpenTypeHeader    { const char *something; } *openTypeHeader;
struct OpenTypeCharacter { unsigned int index; int foo; } *openTypeCharacter;

// Example of a buffer overflow:
char buffer[20];
strcpy(buffer, openTypeHeader->something); // BAD: no bounds check! If 'something' contains more than 19 bytes before a 0x00 byte, this overflows 'buffer'

// Example of a missing boundary check triggering out-of-bounds writes
int lookup_table[256]; // Lookup table, mapping from an index to some integer. Replace 'int' with anything you like.
lookup_table[openTypeCharacter->index] = openTypeCharacter->foo; // BAD if 'index' is wider than 8 bits: it may be 256 or greater and thus trigger an out-of-bounds write

To sum it up, I'm pretty sure that the developers over at Microsoft hate themselves for the fact that at some point it was decided to put these things into the Kernel. You may have heard of mitigation technologies like ASLR, but these don't help on Windows. Why? Take a guess. Got one? Answer is: they're disabled in the Kernel, where we're running. Oh well.

One final note: Never put anything into the Kernel that may be done in user-space. Create a user-space daemon, and carefully give it the needed permissions (And only those!) to do its job.

Drops mic
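A bounds-checked OpenType table-directory lookup in C, added here as an example (it is not code from the comment above, from Windows or from any real font engine): it shows the checks the "missing boundary check" bullet is about, namely validating numTables, offset and length taken from the file against the buffer size before they steer any memory access, and why the length check is written so that offset + length cannot wrap. The two byte arrays are constructed samples, not real fonts.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SFNT_HEADER_LEN  12   /* sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2) */
#define TABLE_RECORD_LEN 16   /* tag(4) checkSum(4) offset(4) length(4), big-endian */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Locate a table by tag. numTables, offset and length all come from the file,
 * so each is validated against 'size' before it steers any memory access.
 * Returns the table length and stores its offset; 0 if absent or malformed. */
size_t find_table(const uint8_t *font, size_t size, const char tag[4], size_t *out_off)
{
    if (size < SFNT_HEADER_LEN) return 0;
    size_t num_tables = rd16(font + 4);
    if (num_tables * TABLE_RECORD_LEN > size - SFNT_HEADER_LEN) return 0; /* directory must fit */
    for (size_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = font + SFNT_HEADER_LEN + i * TABLE_RECORD_LEN;
        if (memcmp(rec, tag, 4) != 0) continue;
        uint32_t off = rd32(rec + 8), len = rd32(rec + 12);
        /* 'off <= size && len <= size - off' rather than 'off + len <= size': no 32-bit wrap. */
        if (off > size || len > size - off || len == 0) return 0;
        *out_off = off;
        return len;
    }
    return 0;
}

size_t table_length(const uint8_t *font, size_t size, const char tag[4])
{ size_t off = 0; return find_table(font, size, tag, &off); }

/* Constructed 32-byte sample (not a real font): header, one 'head' record at offset 28, 4 data bytes. */
const uint8_t good_font[32] = {
    0x00,0x01,0x00,0x00, 0x00,0x01, 0x00,0x10, 0x00,0x00, 0x00,0x00,
    'h','e','a','d', 0,0,0,0, 0x00,0x00,0x00,0x1C, 0x00,0x00,0x00,0x04, 0xDE,0xAD,0xBE,0xEF };
/* Same file with length 0xFFFFFFF0: a naive 32-bit 'off + len <= size' check wraps and passes it. */
const uint8_t bad_len_font[32] = {
    0x00,0x01,0x00,0x00, 0x00,0x01, 0x00,0x10, 0x00,0x00, 0x00,0x00,
    'h','e','a','d', 0,0,0,0, 0x00,0x00,0x00,0x1C, 0xFF,0xFF,0xFF,0xF0, 0xDE,0xAD,0xBE,0xEF };

int main(void)
{
    printf("good_font 'head': %zu bytes\n", table_length(good_font, sizeof good_font, "head"));       /* 4 */
    printf("bad_len_font 'head': %zu bytes\n", table_length(bad_len_font, sizeof bad_len_font, "head")); /* 0 */
    return 0;
}
```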

1

Oh, I forgot. If you want to have some more fun, google animated cursors on Windows. They were ... quite risky. Bonus: websites in IE could deploy their own custom animated cursors too, elevating that bug from a Local Privilege Escalation to a Remote Privilege Escalation. Again: don't put that stuff in the Kernel, dammit!

0

Well, wow. Um, wow. Thanks for the great explanation.

0

Surely Windows uses KASLR?

0

Afaik Windows does not. Maybe Windows 10 does, as this bug only affects versions prior to Windows 10.

4

They're disabled in the Kernel, where we're running.

No it's not, at least not for Windows 8.

Create a user-space daemon, and carefully give it the needed permissions

User-space programs (regular programs) don't have access to hardware resources and a privileged instruction set; they can't call interrupts, they can't register new interrupts, they cannot send or receive via ports, and they cannot change the IRQ priority (among other things). Because that would be a disaster, and it would completely go against the whole principle of kernel rings. Text-rendering on Windows is hardware accelerated, which necessitates a device driver to do it.

Also, check out who actually develops OpenType (it's not Microsoft)

4

User-space programs (regular programs) don't have access to hardware resources [...]

It's "interesting" that some people try hard to read stuff into everything. See the IIS server. Is it so hard to let a user-space program listen on port 80 TCP? No. You can further have Kernel APIs to delegate specific permissions, e.g. to talk to USB devices, to user-space. This also works for other operating systems. It's obvious that you'd have other Kernel APIs to do these read/write calls. Stuff like IRQs and interrupts is not something everything needs. Handling interrupts is the primary job of the Kernel after setting up user-space.

Saying "Muh performance" is just a ridiculous reason to put anything into the Kernel, if it has been shown by everyone else that by having an efficient Kernel you can do everything from user-space. Does OpenType need to handle interrupts? No. Does it need to haggle IRQs? No. What is it doing in the frigging Ring0?! There. Is. No. Excuse.

Text-rendering on Windows is hardware accelerated, which necessitates a device driver to do it.

The act of rendering is the job of a driver. The act of managing is not. Weirdly enough, for all other OSes this works great.

Also, check out who actually develops OpenType (it's not Microsoft)

It doesn't matter a lot. MS puts that stuff into its Kernel, so they better proofread it. Else, shit like this happens.

3

I'm not directly disagreeing with you, I just think that your opinion is one-dimensional and some of your opinions are up for discussion.

It's "interesting" that some people try hard to read stuff into everything. See the IIS server. Is it so hard to let a user-space listen on port 80 TCP? No.

You're right, IIS doesn't need to be a device driver; it's done like that purely to get performance enhancements. And if you look at the numbers, IIS outperforms all other web servers that come anywhere near close to IIS in terms of functionality and flexibility. Kernel drivers will perform better than user-space programs because kernel drivers don't have this giant police checking every bit and byte in case you do something wrong. It's not because Windows is inherently inefficient, it's because that's the price we pay for stability and security. This is why DOS was so goddamn fast; it just didn't care. Linux kernel drivers also have a performance benefit over user-space, which is why stuff that doesn't strictly need to access hardware resources is also put there, like video encoding software (would you trust user-space to compress 1080p video on-the-fly for real-time communication?).

No. Does it need to haggle IRQs? No. What is it doing in the frigging Ring0?! There. Is. No. Excuse.

Technically, it's Ring-1 :P Linux has one kernel ring, Windows has two; one for the OS and one for device drivers. If you ignore performance (which is why they did it), there's no other justifiable reason for http.sys's existence. I still think it's one-sided to consider that kernel drivers should only ever handle hardware, even when there can be other justifications for doing so.

The act of rendering is the job of a driver. The act of managing is not. Weirdly enough for all over OS's this works great.

That's your assumption; it might not have been a result of "managing" at all, we don't know.

2

I'm surprised an MS response or fix hasn't been posted yet in /v/programming. So I posted it.

1

are there any examples of fonts (web fonts) that are dangerous? are there any ways to check which web fonts are being downloaded? any way to stop it happening? can fonts be stored on, say, dafont.com, which could contain these exploits? can dodgy fonts be harmless on some systems but then dangerous on others?

oops, sorry, this looks like too many questions for one comment. :) but I couldn't see any useful info...

1

Sigh, sadly IE actually allows you to prevent sites from downloading any custom fonts whatsoever (specifically because of a bug very similar to this that was encountered a few years back). This is a nightmare for web devs. We have things like icon fonts, so when you don't load the font there are no icons on the whole site. Buttons that are just icons? Blank. Super fun.

1

As far as how it worked: The OpenType font renderer had some security issues allowing a specific font to gain System level access and then use another file as a payload.

This appears to be the person who discovered it. The only fix is to fix the font rendering code.

He used a PDF to exploit and open Calc.exe, but it would be possible to download and execute something off of the web too.

0

Actually, I found a PDF of the exploit in /r/reverseengineering explaining how the person found, created, and tested the exploit.

http://j00ru.vexillium.org/dump/recon2015.pdf