gdi font fuzzing in windows kernel for fun kernel for fun
play

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling - PowerPoint PPT Presentation

Feb 16, 2023 •123 likes •788 views

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee Ministry of Science, Technology and Innovation Agenda Agenda Introduction TrueType Font (.TTF) TTF Fuzzer Exploit Demonstration MS11

  1. GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee Ministry of Science, Technology and Innovation

  2. Agenda Agenda • Introduction • TrueType Font (.TTF) • TTF Fuzzer • Exploit Demonstration – MS11 ‐ 087 • Microsoft Windows Bitmapped font ( fon) Microsoft Windows Bitmapped font (.fon) • FON Fuzzer (by Byoungyoung Lee) with some modification modification • Exploit Demonstration – MS11 ‐ 077 3/16/2012 2

  3. Introduction Introduction • Two groups of categories are exist: o g oups o catego es a e e st: a. GDI Fonts b. Device Fonts b. Device Fonts • GDI fonts which are based in Windows consists of three types: yp a. raster b. Vector c. TrueType & OpenType Reference: http://msdn microsoft com/en us/library/dd162893(v=vs 85) aspx Reference: http://msdn.microsoft.com/en ‐ us/library/dd162893(v=vs.85).aspx 3/16/2012 3

  4. Introduction… Introduction… • Raster fonts: a glyph is a bitmap that uses to Raster fonts: a glyph is a bitmap that uses to draw a single character in the font • Vector fonts: a glyph is a collection of line • Vector fonts: a glyph is a collection of line endpoints that define the line segments and uses to draw a character in the font uses to draw a character in the font • TrueType & OpenType fonts: a glyph is a collection of line and curve commands as well ll i f li d d ll as a collection of hints 3/16/2012 4

  5. TrueType Fonts (.TTF) TrueType Fonts (.TTF) • TrueType font file contains data, in table TrueType font file contains data, in table format, that compromises an outline font • The outlines of glyphs in TrueType fonts are The outlines of glyphs in TrueType fonts are made of straight line segments and quadratic Bézier curves • The Windows scale these fonts to any size using the hints inside the TTF file. • Hints included in TTF files and are used to correct oversights 3/16/2012 5

  6. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • TTF table is designed to keep the entire glyph TTF table is designed to keep the entire glyph data in various table: a EBDT: Embedded Bitmap Data Table a. EBDT: Embedded Bitmap Data Table b. EBLC: Embedded Bitmap Location Table c. EBSC: Embedded Bitmap Scaling Table EBSC E b dd d Bit S li T bl • The rasterizer uses combination of data from differents to render the glyph data in the font diff t t d th l h d t i th f t R f Reference: TrueType 1.0 Font File, Technical Specification Revision 1.66 August 1995 Microsoft T T 1 0 F Fil T h i l S ifi i R i i 1 66 A 1995 Mi f 3/16/2012 6

  7. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • TrueType embedded bitmaps are also called TrueType embedded bitmaps are also called ‘scaler bitmaps’ or ‘sbits’ • A set of bitmaps for a face at a given size is • A set of bitmaps for a face at a given size is called a strike 3/16/2012 7

  8. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… .TTF Font Structure TTF Font Structure 3/16/2012 8

  9. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • EBDT – Embedded Bitmap Data Table: EBDT Embedded Bitmap Data Table: a. EBDT table stores the glyph bitmap data. b. The ‘EBDT’ table begins with a header b h ‘ ’ bl b i i h h d containing simply the table version number c. The rest of the ‘EBDT’ table is a collection of bitmap data bitmap data 3/16/2012 9

  10. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… EBDT Table Structure EBDT Table Structure 3/16/2012 10

  11. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… EBLC – Embedded Bitmap Location Table: • a. The ‘EBLC’ table identifies the sizes and glyph range of the sbits, and keeps offsets to glyph bitmap data in indexSubTables bit d t i i d S bT bl b. The ‘EBLC’ table begins with a header (eblcHeader) containing the table version and (eblcHeader) containing the table version and number of strikes. c. The eblcHeader is followed by the bitmapSizeTable array(s) d. Each strike is defined by one bitmapSizeTable 3/16/2012 11

  12. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… EBLC Table Structure 3/16/2012 12

  13. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • EBSC – Embedded Bitmap Scaling Table: p g a. The ‘EBSC’ table allows a font to define a bitmap strike as a scaled version of another strike b. The table begins with a header (ebscHeader) containing the table version and number of strikes c. The ebscHeader is followed immediately by the bitmapScaleTable array. The numSizes in the ebscHeader indicates the number of b H d i di t th b f bitmapScaleTables in the array d Each strike is defined by one bitmapScaleTable d. Each strike is defined by one bitmapScaleTable 3/16/2012 13

  14. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… EBSC Table Structure 3/16/2012 14

  15. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Glyph Data (glyf) a This table contains information that a. This table contains information that describes the glyphs in the font b. Table provides instructions for each of the following tasks: ‐ Pushing data onto the interpreter stack ‐ managing the Storage Area managing the Storage Area ‐ managing the Control Value Table ‐ modifying Graphics State settings y g p g ‐ Managing outlines ‐ General purpose instructions 3/16/2012 15

  16. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • TrueType instructions are uniquely specified by th i their opcodes. d GLYFDirectoryEntry ‐ > DataGLYFData[x+1] ‐ > SimpleGLYFData[x] ‐ > instructions • Examples: Pushing data onto the interpreter stack – function[0xB0]: itrp_PUSHB1 p_ – function[0xB8]: itrp_PUSHW1 3/16/2012 16

  17. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Examples: Managing the flow of control ‐ function[0x1C]: itrp_JMPR f ti [0 1C] it JMPR ‐ function[0x1F]: itrp_LSW ‐ function[0x78]: itrp JROT function[0x78]: itrp_JROT • Examples: Managing the stack ‐ function[0x20]: itrp_DUP ‐ function[0x23]: itrp_SWAP • Examples: Managing the Storage Area ‐ function[0x43]: itrp_RS function[0x43]: itrp RS ‐ function[0x42]: itrp_WS 3/16/2012 17

  18. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Examples: Managing the Control Value Table ‐ function[0x44]: itrp_WCVT ‐ function[0x45]: itrp_RCVT • Examples: Managing the Graphics State • Examples: Managing the Graphics State ‐ function[0x4D]: itrp_FLIPON ‐ function[0x4E]: itrp_FLIPOFF • Examples: Arithmetic Functions ‐ function[0x60]: itrp_ADD ‐ function[0x61]: itrp SUB function[0x61]: itrp_SUB Reference: Chapter Appendix B, TrueType 1.0 Font File, Technical Specification Revision 1.66 August 1995 Microsoft 3/16/2012 18

  19. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Important info (1) in exploitation: Important info (1) in exploitation: structure fnt_GlobalGraphicStateType{ stackBase; stackBase; /*the stack area / the stack area store; /*the storage area controlValueTable; /*the control value table …… int8 non90DegreeTransformation /*bit0: 1 if non ‐ 90 degree /*bit 1:1 if x scale not equal y scale …… unit16 cvtCount; } fnt_GlobalGraphicStateType; 3/16/2012 19

  20. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… • Important info (2) in exploitation: p ( ) p ‐ function ‘itrp_InnerExecute’ as the disassembler engine to process Glyph Data and map to correct TrueType instructions TrueType instructions • fnt_GlobalGraphicStateType: +0 : stackBase +0 : stackBase +4: store +8: controlValueTable +8: controlValueTable +90h: non90DegreeTransformation +134h: cvtCount 3/16/2012 20

  21. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… The TrueType Instruction Set 3/16/2012 21

  22. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_InnerExecute Glyph data in hexadicimal format 3/16/2012 22

  23. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_InnerExecute Glyph data in hexadicimal format 3/16/2012 23

  24. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_InnerExecute ;Function[0xB0]: itrp_PUSHB1 ;’00’ is parameter of the instruction Glyph data in hexadicimal format 3/16/2012 24

  25. TrueType Fonts (.TTF)… TrueType Fonts (.TTF)… itrp_PUSHB1 ;ecx: parameter ‘00’ ;esi: pointer structure fnt_GlobalGraphicStateType+0 Glyph data in hexadicimal format 3/16/2012 25

  26. TTF Fuzzer TTF Fuzzer • TTF font fuzzer is created to fuzz the TTF font into different sizes • In GDI, we can create a font by: a. filling in a LOGFONT structure b. calling ‘CreateFontIndirect’ which returns a font handle (HFONT) c. Work with fonts at a lower level through font W k ith f t t l l l th h f t APIs: GetFontData, GetGlyphIndices, ExtTextOut with ETO_GLYPH_INDEX flag _ _ g Reference: http://blogs.msdn.com/b/text/archive/2009/04/15/introducing ‐ the ‐ directwrite ‐ font ‐ system.aspx 3/16/2012 26

  27. TTF Fuzzer TTF Fuzzer • The overall process of the fuzzer: a automating the installation of the crafted a. automating the installation of the crafted font in ‘C:\WINDOWS\Fonts’ folder htr=windll.gdi32.AddFontResourceExA(fileFont, FR_PRIVATE, None) h dll d dd (f l ) b. Register a window class and creating a new window to automate the display of the font window to automate the display of the font text in a range of font size c Remove the fonts in ‘C:\WINDOWS\Fonts’ c. Remove the fonts in C:\WINDOWS\Fonts folder windll.gdi32.RemoveFontResourceExW(fileFont, FR PRIVATE, None) windll.gdi32.RemoveFontResourceExW(fileFont, FR_PRIVATE, None) 3/16/2012 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

CSCE Intro to Computer Systems System Programming in Windows System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles Processes, Jobs, Threads Synchronization Kernel Objects Whenever you want to

416 views • 13 slides
Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction Fuzzing the OpenBSD kernel using the syzkaller kernel fuzzer. Heard about first on the BSD Now podcast back in April 2018. Ongoing effort, hence 1/N in

668 views • 15 slides
A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos

A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos

A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos CVE-2013-3660 Conclusion LSE July 18, 2013 Plan A look inside the

1.55k views • 95 slides
Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis Introduction Limited to Windows, and aimed at IA32: Outline of protected mode and the kernel Attack vectors Useful tools Examples

672 views • 36 slides
This Time Font hunt you down in 4 bytes! FROM KERNEL ESCAPE TO SYSTEM CALC @promised_lu

This Time Font hunt you down in 4 bytes! FROM KERNEL ESCAPE TO SYSTEM CALC @promised_lu

This Time Font hunt you down in 4 bytes! FROM KERNEL ESCAPE TO SYSTEM CALC @promised_lu @zer0mem TTF TECHNIQUE what ? data to kernel Pinging TTF bitmap wants to help! Different bit of math instead

735 views • 50 slides
HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim ,

HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim ,

HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim , Yeongjin Jang , Insik Shin, Byoungyoung Lee * * Purdue University, KAIST, NEC Labs America, Oregon State University, Seoul National

214 views • 19 slides
HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim ,

HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim ,

HFL: Hybrid Fuzzing on the Linux Kernel Kyungtae Kim*, Dae R. Jeong, Chung Hwan Kim , Yeongjin Jang , Insik Shin, Byoungyoung Lee * * Purdue University, KAIST, NEC Labs America, Oregon State University, Seoul National

771 views • 18 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
1 Kernel methods & optimization One example of a kernel that is frequently used in practice

1 Kernel methods & optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods & optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

240 views • 5 slides
Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh

Razzer: Finding Kernel Race Bugs thro ugh Fuzzing Dae R. Jeong Kyungtae Kim Basavesh Shivakumar Byoungyoung Lee Insik Shin Korea Advanced Institute of Science and Technology Seoul National University Purdue

3.64k views • 23 slides
Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya Kashyap, Hanqing Zhao,

Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya Kashyap, Hanqing Zhao,

Introduction Title Krace: Data Race Fuzzing for Kernel File Systems Meng Xu , Sanidhya Kashyap, Hanqing Zhao, Taesoo Kim May 1, 2020 Meng Xu (Georgia Tech) Krace: Data Race Fuzzing for Kernel File Systems 1 May 1, 2020 Introduction Data

847 views • 64 slides
Lock, Stock And Two Smoking Apples - XNU Kernel Security Alex Plaskett (@alexjplaskett) / James

Lock, Stock And Two Smoking Apples - XNU Kernel Security Alex Plaskett (@alexjplaskett) / James

PUBLIC Lock, Stock And Two Smoking Apples - XNU Kernel Security Alex Plaskett (@alexjplaskett) / James Loureiro (@NerdKernel) PUBLIC Agenda System call fuzzing (OSXFuzz) Scaling up Code coverage IOKit and Mach fuzzing

1.04k views • 54 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Overview Preliminaries Kernel ridge regression Kernel -means clustering

476 views • 25 slides
Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

3/1/20 COMP 790: OS Implementation COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

647 views • 8 slides
D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg

D-Bus in the Kernel LinuxCon 2014, Tokyo, Japan May 2014 D-Bus in the Kernel Who? Greg Kroah-Hartman, David Herrmann, Daniel Mack, Lennart Poettering, Kay Sievers with help from Tejun Heo D-Bus in the Kernel Most newer OS designs started

1.35k views • 111 slides
Administrative Notes February 14, 2017 Feb 17: In the News call #2 For your lab this

Administrative Notes February 14, 2017 Feb 17: In the News call #2 For your lab this

Administrative Notes February 14, 2017 Feb 17: In the News call #2 For your lab this week, please have ready a colourful picture youd like to use (or you can just use the default picture provided) Conversion tables now

578 views • 53 slides
Basic FS Implementation Nima Honarmand Fall 2017 :: CSE 306 A Typical Storage Stack (Linux)

Basic FS Implementation Nima Honarmand Fall 2017 :: CSE 306 A Typical Storage Stack (Linux)

Fall 2017 :: CSE 306 Basic FS Implementation Nima Honarmand Fall 2017 :: CSE 306 A Typical Storage Stack (Linux) User Kernel VFS (Virtual File System) ext4 btrfs fat32 nfs Page Cache Block Device Layer Network IO Scheduler Disk

641 views • 30 slides
Optimization for marking and sweeping Optimization for marking Use a marking stack

Optimization for marking and sweeping Optimization for marking Use a marking stack

Optimization for marking and sweeping Optimization for marking Use a marking stack Iterative marking Minimize stack depth to avoid stack overflow Knuth: treat marking stark circularly Kurokawa: remove items from stack that have

612 views • 16 slides
Bitmap Representation Divide an image into a grid Pick the average color in each cell (pixel)

Bitmap Representation Divide an image into a grid Pick the average color in each cell (pixel)

Bitmap Representation Divide an image into a grid Pick the average color in each cell (pixel) Remember that color 1 Remember Average Pixel Color 2 Wednesday, November 2, 2011 Pixels are very small! 3 428 How Much Memory 1 RGB value

409 views • 4 slides
BF-based chunk availability compression for PPSP-02 Lingli

BF-based chunk availability compression for PPSP-02 Lingli

BF-based chunk availability compression for PPSP-02 Lingli Deng: denglingli@chinamobile.com Jin Peng: pengjin@chinamobile.com Yunfei Zhang: hishigh@gmail.com IETF

362 views • 9 slides
FVD: A High-Performance Virtual Machine Image Format for Cloud Chunqiang (CQ) Tang IBM T.J.

FVD: A High-Performance Virtual Machine Image Format for Cloud Chunqiang (CQ) Tang IBM T.J.

IBM Research FVD: A High-Performance Virtual Machine Image Format for Cloud Chunqiang (CQ) Tang IBM T.J. Watson Research Center ctang@us.ibm.com June 2011 1 IBM Research Virtual Disk Benefits from Copy-on-write, Copy-on-read, and Adaptive

333 views • 9 slides
Mobi obiCeal: Tow owards Secure and nd Practical Plausibly Deni niable Encryption n on Mobi

Mobi obiCeal: Tow owards Secure and nd Practical Plausibly Deni niable Encryption n on Mobi

Mobi obiCeal: Tow owards Secure and nd Practical Plausibly Deni niable Encryption n on Mobi obile Devi vices Bing Chang, Fengwei Zhang, Bo Chen, Yingjiu Li, Wen-Tao Zhu, Yangguang Tian, Zhan Wang and Albert Ching Presented by : Tanzeer

249 views • 22 slides
' $ Bitmap Index Design and Ev aluation Chee-Y ong Chan Univ ersit y of

' $ Bitmap Index Design and Ev aluation Chee-Y ong Chan Univ ersit y of

' $ Bitmap Index Design and Ev aluation Chee-Y ong Chan Univ ersit y of Wisconsin-Madison Y annis Ioannidis Univ ersit y of Wisconsin-Madison Univ ersit y of A thens & % 1 ' $ In tro duction T

740 views • 25 slides

More recommend