Embedded FontApocalypse: MS Никита Тараканов

First of All Я не связан ни с одной АВ компанией У меня не было, нету оригинального семлпа, который используется Duqu Методы тестирования АВ продуктов могут быть некорректными

Небольшой ЛикБез TTF – TrueType – win32k.sys OTF – OpenType – atmfd.dll

Хронология уязвимостей MS – CFF memory Corruption MS – OTF Parsing (2 vulns) MS – OTF Parsing (3 vulns) MS – OTF Encoded Char vuln MS – OTF Parsing

Хронология уязвимостей MS – EOT Parsing MS – TTF Parsing MS – OTF(?) Validation MS – TTF,FON vulns MS – DoS in TTF Interpreter MS – TTF sbit integer vulns

MS11-087(Duqu vuln)

TrueType Bitmap glyphs EBLC – info about indexes(position) of bitmap data EBDT – actual bitmap data EBSC – info about scaling

TrueType Assembler! Over 100 instructions Implemented in kernel(!!!) land Vulns were discovered(MS11-084) Itrp_XXX – example: itrp_PUSHB Instructions in cvt table and fpgm

TrueType Assembler

GetSbitComponent One parameter is TTF interpreter context Integer overflow leads to kernel pool corruption Corrupts TTF interpreter context! This leads to full pwn at r0(!!!) remotely

Lame lame cybercriminals The guys behind Duqu has failed to exploit this vuln on x64 systems! Actually, its real hardcore: you have to implement ROP program in TTF assembler TODO: go pwn x64, crack your brain!

MS attack vectors TTF – good for Vista/2k8/7/8 DOC – Duqu attack vector DOCX – same as DOC, but OOXML IE – drive by download scenario LPE – no comments…

AV/HIPS vs MS TTF vector detection: Avast,avira,bitdefender,bullguard,escan,gdata,k7,kl,lavasoft,rising,trustport,vipre,zonealarm LPE: FAIL, FAIL, FAIL! Even with MPAA info some AV FAILED to detect mine PoC

MS Easter Egg

Kernel Attack Surface Interrrupts Syscalls

Interrupts Exceptions Interrupt transitions NTVDM

Syscalls Ntoskrnl.exe Win32k.sys