Microsoft Windows - Kernel ATMFD.dll OTF Font Processing Pool-Based Buffer Overflow (MS16-026)

ID 1337DAY-ID-25878
Type zdt
Reporter Google Security Research
Modified 2016-03-14T00:00:00


Exploit for windows platform in category dos / poc

We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file:
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arg1: fb6f5000, memory referenced
Arg2: 00000001, value 0 = read operation, 1 = write operation
Arg3: 99053e40, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)
Debugging Details:
Could not read faulting driver name
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 827ae84c
Unable to read MiSystemVaType memory at 8278d780
99053e40 890c82          mov     dword ptr [edx+eax*4],ecx
PROCESS_NAME:  csrss.exe
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER:  from 99054677 to 99053e40
WARNING: Stack unwind information not available. Following frames may be wrong.
b603ecb0 99054677 fb472880 fb6f438c 00000f5c ATMFD+0x33e40
b603ece4 99054776 fb6f4380 00000003 fb6f438c ATMFD+0x34677
b603ed0c 99049fb3 fb472800 fc5b60b8 990663ec ATMFD+0x34776
b603ed30 9904eaf5 fc704c70 990663ec 00000f5c ATMFD+0x29fb3
b603f444 9904f85f fc704c70 9905f028 b603f690 ATMFD+0x2eaf5
b603f500 9904286e fc704c70 9905f028 b603f690 ATMFD+0x2f85f
b603f5ec 99042918 fc704c70 b603f690 b603f714 ATMFD+0x2286e
b603f618 990333d2 fc704c70 9905f028 b603f690 ATMFD+0x22918
b603f77c 990337a9 00000000 b603f89c fb6bcc80 ATMFD+0x133d2
b603f7d0 990240ff 00000000 b603f89c 00000000 ATMFD+0x137a9
b603f824 9918de12 ff7a5010 fb562cf0 00000001 ATMFD+0x40ff
b603f86c 9917687d ff7a5010 fb562cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
b603f8e0 991a1653 ffa6a130 fb588b54 0000004c win32k!xInsertMetricsRFONTOBJ+0x9c
b603f914 991a3735 00000020 b603f9fc b603fb8c win32k!RFONTOBJ::bGetGlyphMetrics+0x131
b603fbb8 991b6856 17010459 00000060 00000040 win32k!GreGetCharABCWidthsW+0x147
b603fc14 8267fa06 17010459 00000040 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
b603fc14 776771b4 17010459 00000040 00000040 nt!KiSystemServicePostCall
02dde7ac 00000000 00000000 00000000 00000000 0x776771b4
The crash always occurs while trying to write outside of a dynamically allocated destination buffer, leading to a pool-based buffer overflow, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "CFF " table.
The issue reproduces on Windows 7 and 8.1; other platforms were not tested. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in ATMFD.DLL or another location in kernel space, as caused by the corrupted pool state.
Attached is an archive with the proof-of-concept mutated OTF file, together with the original font used to generate it and a corresponding crash log from Windows 7 32-bit.
Proof of Concept:

# [2018-03-31]  #