Smashing the Font Scaler Engine in Windows Kernel

Presented at Black Hat USA 2013, July 31, 2013, 5 p.m. (30 minutes)

The Font Scaler Engine is widely used to scale the outline font definition such as TrueType/OpenType font for a glyph to a specific point size and converts the outline into a bitmap at a particular resolution. The revolution of font in computer that is mainly used for stylist purposes had make many users ignored its security issues. In fact, the Font Scaler engine could cause many security impacts especially in Windows kernel mode.

In this talk, the basic structure of the Font Scaler engine will be discussed. This includes the conversion of an outline into a bitmap, the mathematical description of each glyph in an outline font, a set of instruction in each glyph that instruct the Font Scaler Engine to modify the shape of the glyph, and the instruction interpreter etc.

Next, we introduce our smart font fuzzing method for identifying the new vulnerabilities of the Font Scaler engine. The different of dumb fuzzing and vulnerable functions will be explained and we will prove that the dumb fuzzing technique is not a good option for Windows Font Fuzzing.

Lastly, we focus on the attack vector that could be used to launch the attacks remotely and locally. A demonstration of the new TrueType font vulnerabilities and the attack vector on Windows 8 and Windows 7 will be shown.

Presenters:

• Chan Lee Yee - F13 Labs
  Chan Lee Yee (a.k.a lychan25) founded F13 Labs. She has been working in cyber security industry for the last 6 years. Her research majors in the art of packing/unpacking, dynamic execution tracing, kernel thread vulnerability, and exploitation techniques. She has presented her security research in Infiltrate 2013, PacSec 2012, BlackHat Euro 2012, DEFCON16, HackInParis 2012, and numerous other events.
• Ling Chuan Lee - F13 Labs
  Ling Chuan Lee (a.k.a lclee_vx) founded F13 Labs. He has over 10 years of experience in reverse engineering, vulnerability analysis, penetration testing and fuzzing research. lclee_vx has presented his security research in Infiltrate 2013, Black Hat Euro 2012, PacSec 2012, DEFCON16, SYSCAN'10 HangZhou, IEEE MICC2009, IEEE ICACT 2011, CCC SIGINT 2010, Swiss CyberStorm 2011 and numerous other events. His research topics included in-depth reverse engineering, kernel vulnerability analysis, fuzzing and exploitation research.

Links:

• https://www.blackhat.com/us-13/archives.html#Lee1
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - Smashing the Font Scaler Engine in Windows Kernel.mp4
• https://www.youtube.com/watch?v=efgoislKd8Q
• https://media.blackhat.com/us-13/US-13-Chan-Smashing-The-Font-Scaler-Engine-in-Windows-Kernel-Slides.pdf
• https://media.blackhat.com/us-13/US-13-Chan-Smashing-The-Font-Scaler-Engine-in-Windows-Kernel-WP.pdf

Similar Presentations:

• Black Hat Asia 2020 Virtual / Complexity Killed Security
• Black Hat USA 2014 / Understanding TOCTTOU in the Windows Kernel Font Scaler Engine
• REcon 2015 / "One font vulnerability to rule them all": "A story of cross-software ownage, shared codebases and advanced exploitation"