F13 Laboratory Profile [info[at]f13-labs.net]
F13 Laboratory provides both defensive and offensive cyber security knowledge and vulnerability research.
Lee Yee Chan [chanleeyee[at]f13-labs.net]
Lee Yee Chan founded F13 Laboratory. She has been working in the cyber security industry for the last 6 years. Her research focuses on the art of packing/unpacking, dynamic execution tracing, kernel threat vulnerability and exploitation techniques. She has presented her security research at BlackHat USA 2013, Infiltrate 2013, PacSec 2012, BlackHat Euro 2012, HackInParis 2012, DEFCON 16 and numerous other events.
Toan Pham Van [toanpv[at]f13-labs.net]
Toan Pham Van (a.k.a. suto) has been working in cyber security for 4 years. His research focuses on reverse engineering, automatic malware analysis, vulnerability finding and exploitation. He has published numerous vulnerabilities in Microsoft Windows Internet Explorer, Adobe Shockwave Flash and Real Player.
The Font Scaler Engine is widely used to scale an outline font definition, such as a TrueType/OpenType glyph, to a specific point size and to convert the outline into a bitmap at a particular resolution. Because fonts on computers are mainly used for stylistic purposes, many users have ignored their security issues. In fact, the Font Scaler engine can have serious security impact, especially in Windows kernel mode. In this talk, the basic structure of the Font Scaler engine will be discussed: the conversion of an outline into a bitmap, the mathematical description of each glyph in an outline font, the set of instructions in each glyph that tells the Font Scaler Engine how to modify the shape of the glyph, the instruction interpreter, and so on. Next, we introduce our smart font fuzzing method for identifying new vulnerabilities in the Font Scaler engine. The difference between dumb fuzzing and targeting vulnerable functions will be explained, and we will show that dumb fuzzing is not a good option for Windows font fuzzing. Lastly, we focus on the attack vectors that can be used to launch the attacks remotely and locally. A demonstration of the new TrueType font vulnerabilities (CVE-2013-3903, CVE-2013-2558 and CVE-2013-3129) and the attack vector on Windows 8 and Windows 7 will be shown.
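The abstract above describes the TrueType structures a scaler must parse before it can interpret glyph instructions. The following is an added illustration, not code from F13 Laboratory or from the talk: a minimal parser for the sfnt offset table and table directory that enforces the structural invariants (version tag, directory bounds, table offset and length within the file, stored checksum) a defender would check when triaging a font that crashed a parser. The sample font, the mutation helpers and the check() wrapper are constructed here for the example.

```python
"""Minimal TrueType/OpenType table-directory parser with structural checks.

Added illustration (not F13 Laboratory code): the sample font bytes, the
mutation helpers and check() are constructed for this example.
"""
import struct

SFNT_VERSIONS = {0x00010000, 0x4F54544F, 0x74727565}  # TrueType 1.0, 'OTTO', 'true'


def table_checksum(data: bytes) -> int:
    """Sum of big-endian uint32 words over data padded to a 4-byte boundary."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF


def parse_table_directory(font: bytes) -> dict:
    """Return {tag: (offset, length, checkSum)} after validating every record.

    Raises ValueError with the specific violated invariant, which is what a
    triage tool wants to report when a mutated font takes down a parser.
    """
    if len(font) < 12:
        raise ValueError("file shorter than the 12-byte offset table")
    version, num_tables, _search, _entry, _shift = struct.unpack(">IHHHH", font[:12])
    if version not in SFNT_VERSIONS:
        raise ValueError(f"unknown sfnt version 0x{version:08x}")
    if num_tables == 0:
        raise ValueError("numTables is zero")
    dir_end = 12 + 16 * num_tables
    if dir_end > len(font):
        raise ValueError(f"numTables={num_tables} overruns the file ({len(font)} bytes)")
    tables = {}
    for i in range(num_tables):
        rec = font[12 + 16 * i: 12 + 16 * (i + 1)]
        tag_raw, checksum, offset, length = struct.unpack(">4sIII", rec)
        tag = tag_raw.decode("latin-1")
        if tag in tables:
            raise ValueError(f"duplicate table {tag!r}")
        if offset < dir_end:
            raise ValueError(f"table {tag!r} offset {offset} lies inside the directory")
        # Python ints do not overflow; a C parser must use a checked addition here.
        if offset + length > len(font):
            raise ValueError(f"table {tag!r} [{offset}, +{length}) exceeds the file")
        tables[tag] = (offset, length, checksum)
    return tables


def verify_checksums(font: bytes, tables: dict) -> list:
    """Return the tags whose stored checkSum does not match the table bytes."""
    bad = []
    for tag, (offset, length, stored) in tables.items():
        body = bytearray(font[offset:offset + length])
        if tag == "head" and length >= 12:
            body[8:12] = b"\0\0\0\0"  # checkSumAdjustment is excluded from head's own sum
        if table_checksum(bytes(body)) != stored:
            bad.append(tag)
    return bad


def build_font(tables: list) -> bytes:
    """Assemble an sfnt from [(tag, body_bytes)], filling in the directory and checksums."""
    num = len(tables)
    entry_selector = max(num.bit_length() - 1, 0)  # spec-defined search fields; parsers
    search_range = (1 << entry_selector) * 16       # should never trust them for bounds
    range_shift = num * 16 - search_range
    header = struct.pack(">IHHHH", 0x00010000, num, search_range, entry_selector, range_shift)
    offset = 12 + 16 * num
    directory, bodies = b"", b""
    for tag, body in tables:
        csum_body = bytearray(body)
        if tag == "head":
            csum_body[8:12] = b"\0\0\0\0"
        padded = body + b"\0" * (-len(body) % 4)
        directory += struct.pack(">4sIII", tag.encode("latin-1"),
                                 table_checksum(bytes(csum_body)), offset, len(body))
        bodies += padded
        offset += len(padded)
    return header + directory + bodies


def mutate_length(font: bytes, index: int, new_length: int) -> bytes:
    """Copy of font with table record `index`'s length field replaced (a typical fuzzer mutation)."""
    pos = 12 + 16 * index + 12
    return font[:pos] + struct.pack(">I", new_length) + font[pos + 4:]


def flip_byte(font: bytes, pos: int) -> bytes:
    """Copy of font with one byte inverted."""
    out = bytearray(font)
    out[pos] ^= 0xFF
    return bytes(out)


def check(font: bytes) -> tuple:
    """Run all structural checks; return (ok, detail)."""
    try:
        tables = parse_table_directory(font)
    except ValueError as exc:
        return False, str(exc)
    bad = verify_checksums(font, tables)
    return (not bad), (f"checksum mismatch in {bad}" if bad else f"{len(tables)} tables ok")


# Constructed sample: a 54-byte 'head' (version 1.0, rest zero) and a 6-byte 'maxp' v0.5.
HEAD = b"\x00\x01\x00\x00" + b"\0" * 50
MAXP = struct.pack(">IH", 0x00005000, 4)
SAMPLE_FONT = build_font([("head", HEAD), ("maxp", MAXP)])

if __name__ == "__main__":
    print(check(SAMPLE_FONT))
    print(check(mutate_length(SAMPLE_FONT, 0, 0xFFFFFFFF)))
    print(check(flip_byte(SAMPLE_FONT, 104)))
```

The two mutations at the end are the kind a dumb fuzzer produces: an oversized length field is caught by the bounds check before any table is read, while a flipped byte inside a table body passes the directory checks and is only caught by the checksum, which is why structural coverage alone says little about whether the glyph interpreter downstream is exercised.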
This presentation focuses on the use of Microsoft GDI fonts as a Windows kernel attack vector, based on a specially crafted font that leads to a memory overwrite inside a running process, specifically in a Windows kernel driver. The talk covers and explains in detail how to conduct Windows kernel GDI object fuzzing through the default Windows TrueType font format: the TrueType font structure and parser, the text displayer for the crafted font, and the important functions involved in installing the crafted font, triggering and attacking the vulnerability. The presentation features a live demo of both local and remote Windows kernel font exploitation, together with a 'small' automated font exploitation toolkit for the CVE-2013-2558 and CVE-2013-3129 vulnerabilities, and shows how to create an exploitable Office document that embeds a specially crafted font to automate installation of the vulnerable font, triggering and attacking the TrueType Font (TTF) parsing engine vulnerability in Windows 7 win32k.sys.
This presentation focuses on the use of TrueType fonts and Microsoft Bitmap fonts as a Windows kernel attack vector, based on a specially crafted font size that leads to a memory overwrite inside the Windows kernel. The talk features a live demo of both local and remote Windows kernel font exploitation. The important functions involved in installing the vulnerable font, triggering and attacking the vulnerability will be explained and shown. We will also show how to create an exploitable Office document that embeds a specially crafted font and can potentially be used as a remote attack weapon to gain remote control privileges. This talk also comes with our automated font generator exploitation utilities for CVE-2011-3402, which allow very effective fuzz testing of all vulnerable TrueType/Microsoft Bitmap fonts at different sizes and automatically compile and insert kernel shellcode into the font file. The utilities then convert the crafted font into the odttf font format and embed it into an Office document.
There are different types of font available within Windows, in two categories: GDI fonts and device fonts. This talk covers only GDI TrueType and GDI Bitmap fonts on the Windows platform. In GDI, one typically creates a font by filling in a LOGFONT structure and then calling CreateFontIndirect, which returns a font handle. As expected from the name, a LOGFONT structure describes a logical font: if the user draws some text using that font handle, GDI looks for a matching physical font to draw the text. If it doesn't find a matching font name, it uses some other font. The consequence is that the font fuzzer works at the lower level, through the physical font APIs provided by GDI itself, for instance GetFontData, GetGlyphIndices and even ExtTextOut when used with the ETO_GLYPH_INDEX flag. The font fuzzer in this talk aims to trigger font vulnerabilities published on the internet; two vulnerabilities in the Windows kernel's handling of crafted fonts, MS11-077 and MS11-087, will be discussed in this talk.
F13 Laboratory researchers have discovered security vulnerabilities in Microsoft Windows. Details below:
1. MS13-052 - Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)
2. MS13-053 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)
3. MS13-054 - Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)
4. MS13-101 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430)