The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Malformed CFF Vulnerability"
m (Added CVE) |
|||
(8 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
+ | The '''Malformed CFF Vulnerability''', along with the [[IOSurface Kernel Exploit]], was used in [[Star]]/[[JailbreakMe]] 2.0. It is a stack overflow in the handling of [[wikipedia:PostScript fonts#Compact Font Format|CFF]] opcodes. Contrary to popular belief, it is '''not''' a vulnerability within the PDF parser, although the malformed font was placed in a PDF for exploitation. |
||
− | == Exploit Status: PATCHED == |
||
+ | == Credit == |
||
+ | * [[User:Comex|comex]] |
||
+ | == Exploit == |
||
− | This is the exploit used in Comex's JailbreakMe 2.0 'star', the first public jailbreak for the iPad running 3.2 or 3.2.1 and the iPhone 4 running 4.0 or 4.0.1. |
||
+ | diff -u -r freetype-2.4.1/src/cff/cffgload.c freetype-2.4.1_patched/src/cff/cffgload.c |
||
− | |||
+ | --- freetype-2.4.1/src/cff/cffgload.c 2010-07-15 09:26:45.000000000 -0700 |
||
− | 10 days after the jailbreak/exploit was released, Apple fixed the hole with the iOS 4.0.2 and 3.2.2 software updates. |
||
+ | @@ -204,7 +204,7 @@ |
||
+ | 2, /* hsbw */ |
||
+ | 0, |
||
+ | 0, |
||
+ | - 0, |
||
+ | + 1, |
||
+ | 5, /* seac */ |
||
+ | 4, /* sbw */ |
||
+ | 2 /* setcurrentpoint */ |
||
+ | @@ -2041,6 +2041,9 @@ |
||
+ | if ( Rand >= 0x8000L ) |
||
+ | Rand++; |
||
+ | |||
+ | + if ( args - stack >= CFF_MAX_OPERANDS ) |
||
+ | + goto Stack_Overflow; |
||
+ | + |
||
+ | args[0] = Rand; |
||
+ | seed = FT_MulFix( seed, 0x10000L - seed ); |
||
+ | if ( seed == 0 ) |
||
+ | @@ -2166,6 +2169,9 @@ |
||
+ | case cff_op_dup: |
||
+ | FT_TRACE4(( " dup\n" )); |
||
+ | |||
+ | + if ( args + 1 - stack >= CFF_MAX_OPERANDS ) |
||
+ | + goto Stack_Overflow; |
||
+ | + |
||
+ | args[1] = args[0]; |
||
+ | args += 2; |
||
+ | break; |
||
+ | == Sources == |
||
+ | *http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797 |
||
+ | [[Category:Exploits]] |
Latest revision as of 20:17, 9 July 2011
The Malformed CFF Vulnerability, along with the IOSurface Kernel Exploit, was used in Star/JailbreakMe 2.0. It is a stack overflow in the handling of CFF opcodes. Contrary to popular belief, it is not a vulnerability within the PDF parser, although the malformed font was placed in a PDF for exploitation.
Credit
Exploit
diff -u -r freetype-2.4.1/src/cff/cffgload.c freetype-2.4.1_patched/src/cff/cffgload.c --- freetype-2.4.1/src/cff/cffgload.c 2010-07-15 09:26:45.000000000 -0700 @@ -204,7 +204,7 @@ 2, /* hsbw */ 0, 0, - 0, + 1, 5, /* seac */ 4, /* sbw */ 2 /* setcurrentpoint */ @@ -2041,6 +2041,9 @@ if ( Rand >= 0x8000L ) Rand++; + if ( args - stack >= CFF_MAX_OPERANDS ) + goto Stack_Overflow; + args[0] = Rand; seed = FT_MulFix( seed, 0x10000L - seed ); if ( seed == 0 ) @@ -2166,6 +2169,9 @@ case cff_op_dup: FT_TRACE4(( " dup\n" )); + if ( args + 1 - stack >= CFF_MAX_OPERANDS ) + goto Stack_Overflow; + args[1] = args[0]; args += 2; break;