|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Malformed CFF Vulnerability"
(links etc.) |
m (Added CVE) |
||
| (7 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
| + | The '''Malformed CFF Vulnerability''', along with the [[IOSurface Kernel Exploit]], was used in [[Star]]/[[JailbreakMe]] 2.0. It is a stack overflow in the handling of [[wikipedia:PostScript fonts#Compact Font Format|CFF]] opcodes. Contrary to popular belief, it is '''not''' a vulnerability within the PDF parser, although the malformed font was placed in a PDF for exploitation. |
||
| − | == Exploit Status: PATCHED == |
||
| + | == Credit == |
||
| − | This is the exploit used in [[User:Comex|Comex]]'s [[JailbreakMe|JailbreakMe 2.0]] [[Star]], the first public jailbreak for the [[K48ap|iPad]] running 3.2 or 3.2.1 and the [[N90ap|iPhone 4]] running 4.0 or 4.0.1. |
||
| + | * [[User:Comex|comex]] |
||
| − | |||
| − | 10 days after the jailbreak/exploit was released, Apple fixed the hole with the iOS 4.0.2 and 3.2.2 software updates. |
||
| + | == Exploit == |
||
| + | diff -u -r freetype-2.4.1/src/cff/cffgload.c freetype-2.4.1_patched/src/cff/cffgload.c |
||
| + | --- freetype-2.4.1/src/cff/cffgload.c 2010-07-15 09:26:45.000000000 -0700 |
||
| + | @@ -204,7 +204,7 @@ |
||
| + | 2, /* hsbw */ |
||
| + | 0, |
||
| + | 0, |
||
| + | - 0, |
||
| + | + 1, |
||
| + | 5, /* seac */ |
||
| + | 4, /* sbw */ |
||
| + | 2 /* setcurrentpoint */ |
||
| + | @@ -2041,6 +2041,9 @@ |
||
| + | if ( Rand >= 0x8000L ) |
||
| + | Rand++; |
||
| + | |||
| + | + if ( args - stack >= CFF_MAX_OPERANDS ) |
||
| + | + goto Stack_Overflow; |
||
| + | + |
||
| + | args[0] = Rand; |
||
| + | seed = FT_MulFix( seed, 0x10000L - seed ); |
||
| + | if ( seed == 0 ) |
||
| + | @@ -2166,6 +2169,9 @@ |
||
| + | case cff_op_dup: |
||
| + | FT_TRACE4(( " dup\n" )); |
||
| + | |||
| + | + if ( args + 1 - stack >= CFF_MAX_OPERANDS ) |
||
| + | + goto Stack_Overflow; |
||
| + | + |
||
| + | args[1] = args[0]; |
||
| + | args += 2; |
||
| + | break; |
||
| + | == Sources == |
||
| + | *http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797 |
||
[[Category:Exploits]] |
[[Category:Exploits]] |
||
Latest revision as of 20:17, 9 July 2011
The Malformed CFF Vulnerability, along with the IOSurface Kernel Exploit, was used in Star/JailbreakMe 2.0. It is a stack overflow in the handling of CFF opcodes. Contrary to popular belief, it is not a vulnerability within the PDF parser, although the malformed font was placed in a PDF for exploitation.
Credit
Exploit
diff -u -r freetype-2.4.1/src/cff/cffgload.c freetype-2.4.1_patched/src/cff/cffgload.c
--- freetype-2.4.1/src/cff/cffgload.c 2010-07-15 09:26:45.000000000 -0700
@@ -204,7 +204,7 @@
2, /* hsbw */
0,
0,
- 0,
+ 1,
5, /* seac */
4, /* sbw */
2 /* setcurrentpoint */
@@ -2041,6 +2041,9 @@
if ( Rand >= 0x8000L )
Rand++;
+ if ( args - stack >= CFF_MAX_OPERANDS )
+ goto Stack_Overflow;
+
args[0] = Rand;
seed = FT_MulFix( seed, 0x10000L - seed );
if ( seed == 0 )
@@ -2166,6 +2169,9 @@
case cff_op_dup:
FT_TRACE4(( " dup\n" ));
+ if ( args + 1 - stack >= CFF_MAX_OPERANDS )
+ goto Stack_Overflow;
+
args[1] = args[0];
args += 2;
break;
