Security researchers from Google's zero-day hunters, Project Zero, have open sourced a tool called BrokenType to help find font vulnerabilities in Windows. It can help security researchers find security bugs in font display (rasterization) components. BrokenType is a specialised tool that tracked down nearly 40 font vulnerabilities in Windows between 2015 and 2017. Basically, BrokenType is a fuzzing tool: it feeds a software application large quantities of random data (a process called fuzzing) and analyzes the output for abnormalities, which in turn give developers a hint about the presence of possible bugs in their code.

BrokenType is the work of Google Project Zero security engineer Mateusz Jurczyk, one of the leading experts in font-related security bugs. The tool helps to detect exploitable font bugs in Windows. Jurczyk says that BrokenType will help security researchers identify vulnerabilities affecting libraries used for rendering TrueType and OpenType fonts, the two most widespread font formats used today. He used BrokenType between 2015 and 2017 to find 20 vulnerabilities in the Windows kernel font rasterization library and another 19 security flaws in Microsoft Uniscribe, a Windows API for controlling the operating system's typography settings.

BrokenType consists of three components:

TrueType program generator - a Python script for generating random but valid TrueType programs. It generates random streams of TrueType instructions and embeds them into .ttf files that have been converted to XML format (.ttx) by fontTools. It is useful for identifying complex vulnerabilities in TrueType virtual machines that are triggered by a series of consecutive non-standard instructions and therefore cannot be found through small modifications to legitimate TrueType programs.

TTF/OTF mutator - a semi-"smart" binary font file mutator written in C++. The mutator inserts random binary modifications into many of the supported TrueType and OpenType SFNT tables, using several mutation algorithms and per-table mutation ratios. It preserves the basic structure of the files and fixes up the checksums in order to pass basic sanity checks and consistently reach the deeper levels of the font rasterization code.

TTF/OTF font loader for Windows - a utility for loading and comprehensively testing custom fonts in Windows. The loader temporarily installs a specific font in Windows and tests the operating system's built-in rasterization code against the (potentially malformed) file. Its purpose is to stress-test as much font-handling code as possible and to exercise it for every glyph found in the font file rather than a limited character set such as just the ASCII characters.

Because the font rasterization libraries in practically every desktop and mobile operating system are consistently a source of critical security vulnerabilities, font-related security issues are highly sought after by attackers: a single vulnerability can be used to exploit a multitude of OS versions and platforms. "Since there are many ways to view fonts – web browsing, documents, attachments – it's a broad attack surface and attractive to attackers."

Windows font rendering in particular has caused problems in the past, including a critical gap in 2015 that was also used by the spyware vendor HackingTeam. Some of the major font-related security issues affecting Windows users were reported in 2013, 2015, 2016, 2017 and even this year, 2018.

In 2013, spy malware hooked into the Windows kernel through bugs in the TrueType font file parsing engine, which not only breathed new life into the concept of cyber espionage but also helped rejuvenate interest in kernel-level vulnerabilities and exploits. On the Windows platform, much of the same code is maintained across versions of the OS.
So the same vulnerability could be exploited across every version of the platform, although the exploit may need to be somewhat adapted to each OS version.

In 2015, the OpenType Font Driver Vulnerability, also known as CVE-2015-2426, was reported. This is a remote code execution vulnerability in Microsoft Windows that exists when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system, and could then install programs; view, change, or delete data; or create new accounts with full user rights.

In 2016, another font-related security issue was reported. At the core of this problem is the fact that Windows executes all font processing operations in the kernel's ring 0, with the highest level of permissions, so a vulnerability in any of these libraries or operations would immediately give an attacker direct access to the whole OS.

In 2017, a pair of flaws in the Windows font library were reported. Known as Microsoft Graphics Remote Code Execution Vulnerability, CVE-2017-11762 and CVE-2017-11763, they allow a web page or document to execute malicious code on a vulnerable computer: visiting a website or opening a file with a specially crafted embedded font can cause malware within the font data to run and hijack the PC.

And in 2018, a set of five remote code execution vulnerabilities in the graphics component of Windows and Windows Server (CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, CVE-2018-1016) were reported. Each of them would allow an attacker to take over a PC via a specially crafted font, in some cases simply by placing the font on a web page viewed by the target.
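The TTF/OTF mutator described above preserves the SFNT container and fixes up the checksums so that mutated files survive basic sanity checks. The added example below (not BrokenType's code and not from the article) parses an SFNT table directory, verifies each table checksum and the whole-file head.checkSumAdjustment, and shows that a single raw byte change is caught by those checks until the checksums are regenerated; the sample font and its table contents are constructed placeholders.

```python
import struct
MAGIC = 0xB1B0AFBA  # OpenType constant from which head.checkSumAdjustment is derived

def table_checksum(data: bytes) -> int:
    """Sum of big-endian uint32 words over data zero-padded to a 4-byte boundary, mod 2**32."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF

def directory(font: bytes) -> dict:
    """Parse the SFNT table directory into {tag: (checksum, offset, length)}."""
    n = struct.unpack(">H", font[4:6])[0]
    return {e[0]: e[1:] for e in (struct.unpack(">4sIII", font[12 + 16 * i:28 + 16 * i]) for i in range(n))}

def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal TrueType container with consistent table checksums and head adjustment."""
    head = bytearray(tables[b"head"]); head[8:12] = b"\0" * 4   # head is summed with adjustment = 0
    tables, dir_bytes, body, offsets = {**tables, b"head": bytes(head)}, b"", b"", {}
    tags = sorted(tables); data_start = 12 + 16 * len(tags)
    for tag in tags:
        offsets[tag] = data_start + len(body)
        dir_bytes += struct.pack(">4sIII", tag, table_checksum(tables[tag]), offsets[tag], len(tables[tag]))
        body += tables[tag] + b"\0" * (-len(tables[tag]) % 4)  # tables start 4-byte aligned
    # searchRange / entrySelector / rangeShift are left 0; the checks below do not rely on them
    font = bytearray(struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0) + dir_bytes + body)
    adj = (MAGIC - table_checksum(bytes(font))) & 0xFFFFFFFF
    font[offsets[b"head"] + 8:offsets[b"head"] + 12] = struct.pack(">I", adj)
    return bytes(font)

def verify_sfnt(font: bytes) -> dict:
    """True per table if its directory checksum matches; 'head.adjustment' covers the whole file."""
    results = {}
    for tag, (csum, off, length) in directory(font).items():
        data = font[off:off + length]
        if tag == b"head":
            data = data[:8] + b"\0" * 4 + data[12:]
            zeroed = font[:off + 8] + b"\0" * 4 + font[off + 12:]
            stored = struct.unpack(">I", font[off + 8:off + 12])[0]
            results["head.adjustment"] = (MAGIC - table_checksum(zeroed)) & 0xFFFFFFFF == stored
        results[tag.decode()] = table_checksum(data) == csum
    return results

def flip_byte(font: bytes, tag: bytes, index: int) -> bytes:
    """Invert one byte inside the named table and leave every checksum stale (a raw mutation)."""
    off = directory(font)[tag][1] + index
    return font[:off] + bytes([font[off] ^ 0xFF]) + font[off + 1:]

def refresh_checksums(font: bytes) -> bytes:
    """Re-pack the existing tables so all checksums match the (possibly mutated) contents again."""
    return build_sfnt({t: font[o:o + n] for t, (_, o, n) in directory(font).items()})

SAMPLE_FONT = build_sfnt({  # constructed sample, not a real font
    b"head": struct.pack(">IIII", 0x00010000, 0, 0, 0x5F0F3CF5) + b"\0" * 38,  # 54-byte head, magicNumber set
    b"maxp": struct.pack(">IH", 0x00005000, 3),                                # version 0.5, numGlyphs 3
    b"cmap": b"constructed placeholder cmap",                                  # placeholder bytes only
})
```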