High Risk Vulnerability in Java Virtual Machine (TTF)

October 30th, 2007

=======
Summary
=======
Name: Memory overwrites in JVM via malformed TrueType font
Release Date: 29 October 2007
Reference: NGS00419
Discoverer: John Heasman
Vendor: Sun Microsystems
Systems Affected: JDK and JRE 5.0 Update 9 and earlier, SDK and JRE
1.4.2_14 and earlier
Risk: High
Status: Published

========
TimeLine
========
Discovered: 20 September 2006
Released: 20 September 2006
Approved: 20 September 2006
Reported:  1 November 2006
Fixed: 15 August 2007
Published: 29 October 2007

===========
Description
===========
It is possible to cause the Java Virtual Machine to overwrite an arbitrary
memory location with an arbitrary value (repeatedly and in a stable manner)
when parsing a malformed TrueType font.

Impact: By coercing a user to view a malicious web page, an attacker could
instantiate an applet that executes arbitrary native code inside the
browser.

=================
Technical Details
=================
From http://en.wikipedia.org/wiki/TrueType:

“TrueType systems include a virtual machine that executes programs inside
the font, processing the “hints” of the glyphs. These distort the control
points which define the outline, with the intention that the rasterizer
produces fewer undesirable features on the glyph. Each glyph’s hinting
program takes account of the size (in pixels) that the glyph is being
displayed at, as well as other less important factors of the display
environment.

Although incapable of receiving input and producing output as normally
understood in programming, the TrueType hinting language does offer the
other prerequisites of programming languages: conditional branching (IF
statements), looping an arbitrary number of times (FOR- and WHILE-type
statements), variables (although these are simply numbered slots in an
area of memory reserved by the font), and encapsulation of code into
functions. Special instructions called “delta hints” are the lowest level
control, moving a control point at just one pixel size.”

There are two instructions for writing values to the Control Value Table
(CVT), which holds global variables that can be used by multiple glyphs.
One of these instructions does not perform sufficient validation on the
supplied index.  This allows a font to write a scaled value relative to
the base of the dynamically allocated CVT.  The scaling factor is based on
the requested size of the font - setting this to 32 results in a factor of
1.

In order to write to an arbitrary location the base of the CVT must first
be determined.  The instruction to read from the CVT was also found not to
validate its index, so it can be used to read memory relative to the CVT
base.  At an offset of -0x38 DWORDs there is a pointer to the end of the
CVT; this can be used to determine the CVT base.  The end result is that an
arbitrary value can be written to an arbitrary location repeatedly.  An
attacker can make use of the VM instructions to implement “pre-exploit”
logic that determines the browser, operating system and architecture
before deploying a chosen payload.  This facilitates creation of a
cross-browser, cross-operating-system, cross-architecture exploit.
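The defect described above is a missing index check on the CVT read and write instructions. The following is an added example, not Sun's code and not the JVM's font parser: a small CVT access layer for a TrueType hinting interpreter that shows the flawed check pattern (a signed upper-bound compare that lets a negative index such as -0x38 through) next to the hardened form, which rejects negative and out-of-range indices before any memory access. All names here (cvt_ctx, cvt_write_pixels, cvt_write_funits, cvt_read, cvt_index_ok) are hypothetical, and the font-unit scaling is the standard ppem/unitsPerEm conversion rather than the JVM's own scaling.

```c
/* Added example, not Sun's code: a CVT access layer for a TrueType hinting
 * interpreter that validates every index before it touches the heap-allocated
 * Control Value Table.  All names here (cvt_ctx, cvt_write_pixels, ...) are
 * hypothetical; the font-unit scaling is the standard ppem/unitsPerEm
 * conversion, not the JVM's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int32_t F26Dot6;        /* TrueType 26.6 fixed-point pixel value */

typedef struct {
    F26Dot6 *values;            /* dynamically allocated, scaled CVT entries */
    size_t   count;             /* entries parsed from the 'cvt ' table */
    uint32_t ppem;              /* requested pixel size */
    uint32_t units_per_em;      /* from the 'head' table, must be non-zero */
} cvt_ctx;

/* The flawed pattern: a signed upper-bound compare alone accepts negative
 * indices, so an operand such as -0x38 would reach memory below the CVT base. */
int cvt_index_ok_signed_only(const cvt_ctx *c, int32_t idx)
{
    return idx < (int32_t)c->count;
}

/* Hardened check: the index must be non-negative and below count. */
int cvt_index_ok(const cvt_ctx *c, int32_t idx)
{
    return idx >= 0 && (size_t)idx < c->count;
}

/* Font units -> 26.6 pixels, rounded to nearest (standard conversion). */
F26Dot6 funits_to_pixels(const cvt_ctx *c, int32_t funits)
{
    int64_t n = (int64_t)funits * 64 * c->ppem;
    int64_t d = (int64_t)c->units_per_em;
    int64_t half = d / 2;
    return (F26Dot6)((n >= 0 ? n + half : n - half) / d);
}

/* WCVTP-style write of an already scaled pixel value; -1 on a bad index. */
int cvt_write_pixels(cvt_ctx *c, int32_t idx, F26Dot6 value)
{
    if (!cvt_index_ok(c, idx)) return -1;
    c->values[(size_t)idx] = value;
    return 0;
}

/* WCVTF-style write of a font-unit value, scaled before storing. */
int cvt_write_funits(cvt_ctx *c, int32_t idx, int32_t funits)
{
    if (!cvt_index_ok(c, idx)) return -1;
    c->values[(size_t)idx] = funits_to_pixels(c, funits);
    return 0;
}

/* RCVT-style read; -1 on a bad index, in which case *out is untouched. */
int cvt_read(const cvt_ctx *c, int32_t idx, F26Dot6 *out)
{
    if (!cvt_index_ok(c, idx)) return -1;
    *out = c->values[(size_t)idx];
    return 0;
}

/* Allocate a zeroed CVT of `count` entries for the given size and em units. */
cvt_ctx *cvt_new(size_t count, uint32_t ppem, uint32_t units_per_em)
{
    if (units_per_em == 0) return NULL;
    cvt_ctx *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->values = calloc(count ? count : 1, sizeof *c->values);
    if (!c->values) { free(c); return NULL; }
    c->count = count;
    c->ppem = ppem;
    c->units_per_em = units_per_em;
    return c;
}

void cvt_free(cvt_ctx *c)
{
    if (c) { free(c->values); free(c); }
}

int main(void)
{
    /* Constructed CVT: 16 entries, rendered at 32 ppem, 2048 units per em. */
    cvt_ctx *c = cvt_new(16, 32, 2048);
    if (!c) return 1;
    F26Dot6 v = 0;
    printf("signed-only check accepts -0x38: %d\n", cvt_index_ok_signed_only(c, -0x38));
    printf("hardened check accepts -0x38:    %d\n", cvt_index_ok(c, -0x38));
    cvt_write_funits(c, 3, 2048);
    cvt_read(c, 3, &v);
    printf("WCVTF 2048 FUnits at 32 ppem -> %d px\n", v / 64);
    cvt_free(c);
    return 0;
}
```

The point of the pair of checks is that the interpreter's operand stack holds signed 32-bit values, so a bounds test written as a single signed comparison against the table length silently accepts every negative index; the hardened form tests the sign first and only then compares as an unsigned size, and every read or write returns an error the interpreter can turn into a rejected font rather than a memory access outside the table.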

===============
Fix Information
===============
This issue is addressed in the following releases (for Solaris, Linux, and
Windows):

JDK and JRE 5.0 Update 10 or later
SDK and JRE 1.4.2_15 or later

Further information is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103024-1

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/

+44(0)208 401 0070
