Difference between revisions of "T1 Font Integer Overflow"

From The iPhone Wiki
m (Sources: full link (same article))
m
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
The '''T1 Font Integer Overflow''' (A.K.A '''DejaVu''' as it is very similar to the [[Malformed CFF Vulnerability]][https://twitter.com/comex/status/88208990789578752]) is a vulnerability used in [[Saffron]].
+
The '''T1 Font Integer Overflow''' (a.k.a '''DejaVu''' as it is very similar to the [[Malformed CFF Vulnerability]][https://twitter.com/comex/status/88208990789578752]) is an exploit used in [[Saffron]].
   
== Credit for Exploitation ==
+
== Credit ==
 
* [[User:comex|comex]]
 
* [[User:comex|comex]]
   
 
== Description ==
 
== Description ==
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. decoder‑>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR.
+
When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder&#8209;>stack, which could be set to <code>0xfea50000</code> by charstring "fb ef". And this will bypass stack checking. Then "top&nbsp;&#8209;=&nbsp;arg_cnt" will make top point to data outside of decoder&#8209;>stack. Actually it points to decoder&#8209;>parse_callback. decoder&#8209;>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR.
   
This vulnerability was actually addressed by Apple in {{wp|Mac OS X Snow Leopard|Mac OS X v10.6.8}}/[http://support.apple.com/kb/HT4723 Security Update 2011-004], but a fix was never pushed to [[iOS]]. (Its CVE identifier is ''CVE-2011-0202''.)
+
This vulnerability was actually addressed by Apple in [[wikipedia:Mac OS X Snow Leopard|OS X v10.6.8]] ([http://support.apple.com/kb/HT4723 Security Update 2011-004]), but a fix was never pushed to [[iOS]]. (CVE-2011-0202).
   
 
When Apple released iOS 4.2.9/4.3.4 to patch this vulnerability, it received a different CVE identifier (CVE-2011-0226).
 
When Apple released iOS 4.2.9/4.3.4 to patch this vulnerability, it received a different CVE identifier (CVE-2011-0226).
   
  +
== External Links ==
==Sources==
 
* Tweets from [https://twitter.com/windknown @windknown]: [https://twitter.com/windknown/status/88170553948651520][https://twitter.com/windknown/status/88171950886760448][https://twitter.com/windknown/status/88172830029651968][https://twitter.com/windknown/status/88173940391940096]
+
* Tweets from <span class="plainlinks">@[https://twitter.com/windknown windknown]: [https://twitter.com/windknown/status/88170553948651520 1] [https://twitter.com/windknown/status/88171950886760448 2] [https://twitter.com/windknown/status/88172830029651968 3] [https://twitter.com/windknown/status/88173940391940096 4]</span>
* [http://support.apple.com/kb/HT4723 Apple KB]
+
* [http://support.apple.com/kb/HT4723 KB HT4723]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0202
+
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0202 CVE-2011-0202]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226
+
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0226 CVE-2011-0226]
* http://intrepidusgroup.com/insight/2011/07/reversing-jailbreakme-com-4/
+
* [http://intrepidusgroup.com/insight/2011/07/reversing-jailbreakme-com-4/ Analasis by Intrepid US Group]
* http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit
+
* [http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit Analasis by Sogeti ESEC Labs]
   
 
[[Category:Exploits]]
 
[[Category:Exploits]]
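Review bot: In the Sources list, both added link labels spell "Analasis" where "Analysis" is meant, and "Intrepid US Group" does not match the linked domain intrepidusgroup.com, which reads as "Intrepidus Group". In the lead, the new text calls the subject "an exploit" while the title names an integer overflow and the Description still says "This vulnerability"; keeping "vulnerability" would stay consistent with the rest of the page. In the OS X paragraph, the added "(CVE-2011-0202)." now sits after the sentence's closing period as a fragment; move it inside the sentence or keep the earlier "Its CVE identifier is" wording.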

Latest revision as of 00:12, 10 October 2012

The T1 Font Integer Overflow (a.k.a. DejaVu, as it is very similar to the Malformed CFF Vulnerability[1]) is an exploit used in Saffron.

Credit

Description

When handling op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder->stack, and the charstring "fb ef" can set it to 0xfea50000, which bypasses the stack check. "top -= arg_cnt" then makes top point to data outside decoder->stack; in fact, it points to decoder->parse_callback. Subtracting the default address of that function from the value of decoder->parse_callback gives the ASLR offset, which is how ASLR is bypassed.

This vulnerability was actually addressed by Apple in OS X v10.6.8 (Security Update 2011-004), but a fix was never pushed to iOS. Its CVE identifier is CVE-2011-0202.

When Apple released iOS 4.2.9/4.3.4 to patch this vulnerability, it received a different CVE identifier (CVE-2011-0226).
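The following C model is an added example, not code from the wiki or from the affected font library: it shows how the charstring bytes "fb ef" become the stack value 0xfea50000, why a one-sided stack check accepts it as arg_cnt, and the two-sided check that rejects it. The function names, the 16.16 fixed-point storage, the stack size and the form of the weak check are assumptions made for illustration; indices are computed as plain numbers and no memory is accessed.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_DEPTH 256   /* assumed operand stack size for this model */

/* Type 1 charstring number encoding for a first byte v in 251..254:
   value = -((v - 251) * 256) - w - 108 */
static int32_t t1_two_byte_negative(uint8_t v, uint8_t w)
{
    return -((int32_t)(v - 251) * 256) - (int32_t)w - 108;
}

/* Assumption: operands are stored as 16.16 fixed-point stack cells. */
static int32_t to_stack_cell(int32_t n)
{
    return n * 65536;
}

/* Assumed form of the weak stack check: only "more arguments than are
   on the stack" is tested, so a negative arg_cnt is accepted (returns 1). */
static int check_weak(long depth, int32_t arg_cnt)
{
    return !(arg_cnt > depth);
}

/* Hardened form: the count must lie in [0, depth]. */
static int check_strict(long depth, int32_t arg_cnt)
{
    return arg_cnt >= 0 && arg_cnt <= depth;
}

/* Index that "top" would have after "top -= arg_cnt". */
static long top_after(long depth, int32_t arg_cnt)
{
    return depth - (long)arg_cnt;
}

int main(void)
{
    int32_t cell = to_stack_cell(t1_two_byte_negative(0xfb, 0xef));
    long depth = 2;  /* constructed: two operands currently on the stack */

    printf("cell=0x%08x weak=%d strict=%d top=%ld (limit %d)\n",
           (unsigned)cell, check_weak(depth, cell),
           check_strict(depth, cell), top_after(depth, cell), STACK_DEPTH);
    return 0;
}
```
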

External Links