header-logo
Suggest Exploit
vendor:
ATMFD.DLL
by:
Oleksiuk Dmytro (aka Cr4sh)
7,8
CVSS
HIGH
DoS
20
CWE
Product Name: ATMFD.DLL
Affected Version From: All
Affected Version To: All
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2012

OpenType font file format remote (client-side) DoS exploit for Windows

Zero day vulnerability exists in kernel-mode library ATMFD.DLL, that using by OS for working with PostScript-based OpenType font files (.OTF). Opening malicious .OTF font file, that can be embedded in Microsoft Office document or web-page, causes a BSoD on NT 5.x (Windows XP, Server 2003) and 100% CPU overage on NT 6.x (Vista, 7, Server 2008). The point of vulnerability -- invalid decoding of 0x0d byte in the Type 2 Charstring Format Glyph, that drops ATMFD.DLL code into the infinite loop.

Mitigation:

Update ATMFD.DLL to the latest version
Source

Exploit-DB raw data:

************************************************************************

  OpenType font file format remote (client-side) DoS exploit for Windows

  By Oleksiuk Dmytro (aka Cr4sh)
  http://twitter.com/d_olex
  http://blog.cr4.sh
  mailto:cr4sh0@gmail.com
  
************************************************************************

INFO:

Zero day vulnerability exists in kernel-mode library ATMFD.DLL, that using by OS for working with PostScript-based OpenType font files (.OTF)

Vulnerable versions of Windows/ATMFD.DLL: all, x32 and x64.

Opening malicious .OTF font file, that can be embedded in Microsoft Office document or web-page, causes a BSoD on NT 5.x (Windows XP, Server 2003) and 100% CPU overage on NT 6.x (Vista, 7, Server 2008).

To trigger vulnerability -- double click on CFF_Type-1_0x0d_expl.otf

The point of vulnerability -- invalid decoding of 0x0d byte in the Type 2 Charstring Format Glyph, that drops ATMFD.DLL code into the infinite loop.

"good" glyph representation:

  [68]={
    95 112 99 65 61 vhcurveto
    endchar
  }
  
Malicious glyph representation:

  [68]={
    95 112 99 65 reserved13
    vhcurveto
    endchar
  }
  
This vulnerability was found with MsFontsFuzz fuzzer, that can be downloaded on https://github.com/Cr4sh/MsFontsFuzz

More detailed vulnerability analysis can be found at http://blog.cr4.sh/2012/06/0day-windows.html (russian, use Google Translate).

====
POC
====

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19089.rar

Navigation

Suggest Exploit

Services By CQR