https://www.exploit-db.com/exploits/19089
Microsoft Windows OpenType Font - File Format Denial of Service
Vulnerability ID | 1063828 | Vulnerability type | |
Published | 2012-06-12 | Updated | 2012-06-12 |
Platform | Windows | CVSS score | N/A |
Vulnerability source | N/A |
Vulnerability details | Not yet disclosed |
Exploit:
************************************************************************
OpenType font file format remote (client-side) DoS exploit for Windows
By Oleksiuk Dmytro (aka Cr4sh)
http://twitter.com/d_olex
http://blog.cr4.sh
mailto:cr4sh0@gmail.com
************************************************************************
INFO:
A zero-day vulnerability exists in the kernel-mode library ATMFD.DLL, which the OS uses to handle PostScript-based OpenType font files (.OTF).
Vulnerable versions of Windows/ATMFD.DLL: all, both 32-bit and 64-bit.
Opening a malicious .OTF font file, which can be embedded in a Microsoft Office document or a web page, causes a BSoD on NT 5.x (Windows XP, Server 2003) and 100% CPU usage on NT 6.x (Vista, 7, Server 2008).
To trigger the vulnerability, double-click CFF_Type-1_0x0d_expl.otf
The root cause is incorrect decoding of the 0x0d byte (a reserved operator) in a Type 2 charstring glyph program, which sends ATMFD.DLL into an infinite loop.
"good" glyph representation:
[68]={
95 112 99 65 61 vhcurveto
endchar
}
Malicious glyph representation (the operand 61 is replaced by the raw byte 0x0d, which the Type 2 charstring spec marks as reserved operator 13):
[68]={
95 112 99 65 reserved13
vhcurveto
endchar
}
This vulnerability was found with the MsFontsFuzz fuzzer, available at https://github.com/Cr4sh/MsFontsFuzz
A more detailed analysis of the vulnerability can be found at http://blog.cr4.sh/2012/06/0day-windows.html (Russian, use Google Translate).
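The glyph programs above, rebuilt as bytes and fed to a decoder, as an added example that is not part of the original advisory, of MsFontsFuzz, or of ATMFD.DLL. The operand and operator encodings follow the Type 2 Charstring Format spec; the names GOOD_GLYPH, BAD_GLYPH, decode() and decode_naive() are this example's own, and decode_naive() is a hypothetical illustration of how mishandling a reserved opcode turns into an endless loop, not the driver's real logic. Encoding the "good" and malicious representations shows they differ in a single byte (0xc8, the operand 61, versus 0x0d), the hardened decoder rejects the reserved byte outright, and the naive one never reaches endchar.

```python
# Added example, not part of the original advisory or of MsFontsFuzz: a minimal
# Type 2 charstring encoder plus a hardened decoder and a hypothetical naive one.
# It rebuilds the "good" and malicious glyph [68] programs from the advisory and
# shows why the reserved opcode 0x0d must be rejected, not ignored. Encodings
# follow the Type 2 Charstring Format spec; decode_naive() only illustrates the
# failure mode and is NOT ATMFD.DLL's actual logic.
from typing import List, Optional, Tuple, Union

Token = Union[int, str]
OPERATORS = {1: "hstem", 3: "vstem", 4: "vmoveto", 14: "endchar", 21: "rmoveto",
             22: "hmoveto", 30: "vhcurveto", 31: "hvcurveto"}  # one-byte ops used here
NAME_TO_OP = {name: op for op, name in OPERATORS.items()}
RESERVED = {0, 2, 9, 13, 15, 16, 17}  # one-byte opcodes the spec marks reserved

# Glyph [68] as printed in the advisory: the operand 61 becomes the raw byte 0x0d.
GOOD_GLYPH: List[Token] = [95, 112, 99, 65, 61, "vhcurveto", "endchar"]
BAD_GLYPH: List[Token] = [95, 112, 99, 65, "reserved13", "vhcurveto", "endchar"]


class CharstringError(Exception):
    pass


def encode_number(n: int) -> bytes:
    """Integer operand encoding (1, 2 or 3 bytes) from the Type 2 spec."""
    if -107 <= n <= 107:
        return bytes([n + 139])
    if 108 <= n <= 1131:
        return bytes([((n - 108) >> 8) + 247, (n - 108) & 0xFF])
    if -1131 <= n <= -108:
        return bytes([((-n - 108) >> 8) + 251, (-n - 108) & 0xFF])
    return bytes([28]) + n.to_bytes(2, "big", signed=True)  # raises if out of range


def encode(tokens: List[Token]) -> bytes:
    """Serialise tokens; 'reservedNN' emits the raw opcode NN so the PoC can be built."""
    out = bytearray()
    for t in tokens:
        if isinstance(t, int):
            out += encode_number(t)
        elif t.startswith("reserved"):
            out.append(int(t[len("reserved"):]))
        else:
            out.append(NAME_TO_OP[t])
    return bytes(out)


def _read_operand(cs: bytes, i: int) -> Tuple[int, int]:
    """Decode one operand at cs[i] -> (value, next index), with bounds checks."""
    b0 = cs[i]
    need = 1 if 32 <= b0 <= 246 else 2 if 247 <= b0 <= 254 else 3
    if b0 == 255 or i + need > len(cs):  # 16.16 fixed (255) is not needed here
        raise CharstringError(f"unsupported or truncated operand at offset {i}")
    if need == 1:
        return b0 - 139, i + 1
    if b0 == 28:
        return int.from_bytes(cs[i + 1:i + 3], "big", signed=True), i + 3
    if b0 <= 250:
        return (b0 - 247) * 256 + cs[i + 1] + 108, i + 2
    return -(b0 - 251) * 256 - cs[i + 1] - 108, i + 2


def decode(cs: bytes) -> List[Tuple[str, List[int]]]:
    """Hardened decoder: every pass consumes >= 1 byte; reserved opcodes are errors."""
    ops, stack, i = [], [], 0
    while i < len(cs):
        b0 = cs[i]
        if b0 >= 32 or b0 == 28:
            value, i = _read_operand(cs, i)
            stack.append(value)
            continue
        if b0 in RESERVED:
            raise CharstringError(f"reserved operator {b0:#04x} at offset {i}")
        if b0 == 12:  # escape: two-byte operator
            if i + 1 >= len(cs):
                raise CharstringError("truncated escape operator")
            ops.append((f"esc{cs[i + 1]}", stack[:]))
            i += 2
        else:
            ops.append((OPERATORS.get(b0, f"op{b0}"), stack[:]))
            i += 1
        stack.clear()
        if b0 == 14:
            return ops
    raise CharstringError("charstring ended without endchar")


def decode_naive(cs: bytes, budget: int = 1000) -> Optional[List[Tuple[str, List[int]]]]:
    """Hypothetical buggy decoder (an illustration, NOT ATMFD.DLL's code): it only
    advances past opcodes it knows, so an unknown byte is re-read forever.
    Returns None once the step budget is exhausted, i.e. the real thing would hang."""
    ops, stack, i = [], [], 0
    for _ in range(budget):
        if i >= len(cs):
            return ops
        b0 = cs[i]
        if b0 >= 32 or b0 == 28:
            value, i = _read_operand(cs, i)
            stack.append(value)
        elif b0 in OPERATORS:
            ops.append((OPERATORS[b0], stack[:]))
            stack.clear()
            i += 1
            if b0 == 14:
                return ops
        # else: reserved/unknown opcode, i is not advanced, same byte next pass
    return None


if __name__ == "__main__":
    good, bad = encode(GOOD_GLYPH), encode(BAD_GLYPH)
    print("good:", good.hex(" "), "->", decode(good))
    print("bad: ", bad.hex(" "), "-> naive decoder hung:", decode_naive(bad) is None)
    try:
        decode(bad)
    except CharstringError as err:
        print("hardened decoder rejected it:", err)
```

The practical check this gives a font parser is the one property the naive loop lacks: the index must advance on every iteration regardless of whether the opcode is recognised, and a reserved opcode should abort glyph rendering rather than be skipped, since skipping it silently also means the operand stack no longer matches what the following operator expects.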
====
POC
====
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/19089.rar