Oracle Java Runtime TTF BO (March 9, 2012)


The Java software platform owned by Oracle is a system for developing cross-platform applications. Java is distributed in the form of various tools such as the Java Runtime Environment (JRE) and the Java Development Kit (JDK). The JRE contains the Java Virtual Machine (JVM), libraries and other components whereas the JDK is a toolkit for developers. The common graphics library packages of Java are the Abstract Windowing Toolkit (AWT) and Swing packages.

Java is most commonly seen on the web in the form of the Java Applet: an application delivered to a client web browser as Java bytecode. Once downloaded, it is executed by the web browser using a Java Virtual Machine (JVM). Java applets can be used, among other things, to parse various graphics files located on a remote host. One type of graphics file is the TrueType Font (TTF) format. TrueType is an outline font standard originally developed by Apple Computer and has been used on multiple platforms. TrueType fonts are scalable, which means the glyphs can be displayed at any resolution and any point size. A TrueType Font file consists of tables preceded by a table directory. The table directory consists of records describing each table in the font; each record has the following format:

 Offset   Type      Description
 -------- --------- --------------------
 0x0000   uint32    tag
 0x0004   uint32    table checksum
 0x0008   uint32    table offset
 0x000c   uint32    table length

The table directory is followed by the table data, each table at its respective offset. The Font Program table holds instructions used to manipulate fonts; these instructions can be used to create functions and instruction definitions. The instructions are used to manage the font at different sizes to ensure that it remains true to the font's original design. One opcode is used specifically to allow older information to work with fonts that use later versions of the TrueType interpreter.
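The record layout above is the one a font loader has to trust least, because the offset and length fields decide where every later read lands. As an added example (not code from the advisory or from Oracle's JRE), the following C reads the table directory with overflow-safe containment checks and verifies each table's stored checksum. It assumes the standard 12-byte offset table (sfnt version u32, numTables u16, searchRange u16, entrySelector u16, rangeShift u16) precedes the 16-byte records and that all fields are big-endian; the two-table sample font is constructed for this example.

```c
/* Added example, not code from the original advisory or from the JRE:
 * a bounds-checked reader for the TrueType table directory.
 * Assumed layout: 12-byte offset table, then numTables 16-byte records,
 * all fields big-endian. SAMPLE_FONT below is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OFFSET_TABLE_SIZE 12u
#define RECORD_SIZE       16u

typedef struct {
    char     tag[5];
    uint32_t checksum;
    uint32_t offset;
    uint32_t length;
} ttf_record;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* TrueType table checksum: sum of big-endian uint32 words, last word zero-padded. */
static uint32_t ttf_checksum(const uint8_t *data, uint32_t len) {
    uint32_t sum = 0, i;
    for (i = 0; i + 4 <= len; i += 4) sum += rd32(data + i);
    if (i < len) {
        uint8_t tail[4] = {0, 0, 0, 0};
        memcpy(tail, data + i, len - i);
        sum += rd32(tail);
    }
    return sum;
}

/* Parses up to max_out records. Returns the number of records accepted, or -1
 * if the directory itself does not fit in the file or any record points outside
 * it. bad_checksums receives the number of tables whose stored checksum differs
 * from the checksum of their data. */
int parse_table_directory(const uint8_t *font, size_t font_len,
                          ttf_record *out, size_t max_out, int *bad_checksums) {
    if (font_len < OFFSET_TABLE_SIZE) return -1;
    uint16_t num_tables = rd16(font + 4);
    /* A 16-bit count times 16 cannot overflow size_t. */
    size_t dir_end = OFFSET_TABLE_SIZE + (size_t)num_tables * RECORD_SIZE;
    if (dir_end > font_len || num_tables > max_out) return -1;
    *bad_checksums = 0;
    for (uint16_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = font + OFFSET_TABLE_SIZE + (size_t)i * RECORD_SIZE;
        memcpy(out[i].tag, rec, 4);
        out[i].tag[4]   = '\0';
        out[i].checksum = rd32(rec + 4);
        out[i].offset   = rd32(rec + 8);
        out[i].length   = rd32(rec + 12);
        /* Overflow-safe containment check: offset + length must fit in the file. */
        if (out[i].offset > font_len || out[i].length > font_len - out[i].offset)
            return -1;
        if (ttf_checksum(font + out[i].offset, out[i].length) != out[i].checksum)
            (*bad_checksums)++;
    }
    return num_tables;
}

/* Constructed two-table font: 'cvt ' (4 bytes) at offset 44, 'fpgm' (3 bytes) at 48. */
static const uint8_t SAMPLE_FONT[] = {
    0x00,0x01,0x00,0x00, 0x00,0x02, 0x00,0x20, 0x00,0x01, 0x00,0x00,       /* offset table */
    'c','v','t',' ',  0x00,0x01,0x00,0x02, 0x00,0x00,0x00,0x2C, 0x00,0x00,0x00,0x04,
    'f','p','g','m',  0x01,0x02,0x03,0x00, 0x00,0x00,0x00,0x30, 0x00,0x00,0x00,0x03,
    0x00,0x01,0x00,0x02,          /* cvt  data, checksum 0x00010002 */
    0x01,0x02,0x03                /* fpgm data, padded checksum 0x01020300 */
};
#define SAMPLE_FONT_LEN (sizeof SAMPLE_FONT)

/* Re-runs the parser on a copy whose 'fpgm' length field has been inflated to 64,
 * so the table would extend past the end of the file. Returns the parser result. */
int demo_truncated_font(void) {
    uint8_t bad[SAMPLE_FONT_LEN];
    ttf_record recs[4];
    int bad_sums;
    memcpy(bad, SAMPLE_FONT, SAMPLE_FONT_LEN);
    bad[12 + 16 + 15] = 0x40;   /* low byte of the second record's length field */
    return parse_table_directory(bad, SAMPLE_FONT_LEN, recs, 4, &bad_sums);
}

int main(void) {
    ttf_record recs[4];
    int bad_sums, n = parse_table_directory(SAMPLE_FONT, SAMPLE_FONT_LEN, recs, 4, &bad_sums);
    for (int i = 0; i < n; i++)
        printf("%s offset=%u length=%u\n", recs[i].tag, recs[i].offset, recs[i].length);
    printf("tables=%d bad_checksums=%d inflated_length_result=%d\n",
           n, bad_sums, demo_truncated_font());
    return 0;
}
```

The containment test is written as `length > font_len - offset` rather than `offset + length > font_len` so that a record with both fields near 0xFFFFFFFF cannot wrap the sum and pass the check.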

A vulnerability exists in Oracle Java due to a heap buffer overflow when processing certain instruction opcodes during TrueType font processing. Internally, a heap buffer is allocated based on a literal value found in the TTF file. This buffer is used to hold the instructions defined by an instruction block. However, the vulnerable code does not check that the actual number of opcodes is the same as defined by the supplied value. If the number of opcodes is larger than the defined count value, then a heap buffer overflow will occur during processing of these opcodes.
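The defect described above is a generic one: an allocation sized from a count the file declares, and a fill loop bounded by something else. The following C contrasts that pattern with a checked loader. It is an added example, not code from the advisory or from the JRE, and it uses a hypothetical simplified block layout (a one-byte declared opcode count, the opcode bytes, then an END marker 0xFF) rather than the real TrueType instruction encoding; both sample blocks are constructed.

```c
/* Added example, not code from the advisory or the JRE. Models the count/length
 * mismatch on a HYPOTHETICAL block layout: [u8 declared_count][opcodes...][0xFF].
 * This is not the TrueType instruction encoding. */
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define END_OPCODE 0xFF

/* Counts opcode bytes before END_OPCODE; returns -1 if no terminator within len. */
static int count_opcodes(const uint8_t *blk, size_t len) {
    for (size_t i = 1; i < len; i++)
        if (blk[i] == END_OPCODE) return (int)(i - 1);
    return -1;
}

/* VULNERABLE PATTERN: the buffer is sized from the declared count, but the fill
 * loop stops only at the terminator. A block carrying more opcodes than it
 * declares writes past the heap allocation. Kept for contrast; this file only
 * ever calls it on a well-formed block. */
uint8_t *load_unchecked(const uint8_t *blk, size_t len, size_t *out_n) {
    uint8_t declared = blk[0];
    uint8_t *buf = malloc(declared ? declared : 1);
    size_t n = 0;
    if (!buf) return NULL;
    for (size_t i = 1; i < len && blk[i] != END_OPCODE; i++)
        buf[n++] = blk[i];                 /* no check that n < declared */
    *out_n = n;
    return buf;
}

/* HARDENED: count first, refuse the block if the actual count differs from the
 * declared one, and copy exactly the declared number of bytes. */
uint8_t *load_checked(const uint8_t *blk, size_t len, size_t *out_n) {
    if (len < 2) return NULL;
    uint8_t declared = blk[0];
    int actual = count_opcodes(blk, len);
    if (actual < 0 || (size_t)actual != declared) return NULL;   /* mismatch */
    uint8_t *buf = malloc(declared ? declared : 1);
    if (!buf) return NULL;
    memcpy(buf, blk + 1, declared);
    *out_n = declared;
    return buf;
}

/* Constructed blocks: GOOD declares 3 opcodes and carries 3;
 * BAD declares 3 and carries 6. */
static const uint8_t GOOD_BLOCK[] = {0x03, 0x10, 0x20, 0x30, END_OPCODE};
static const uint8_t BAD_BLOCK[]  = {0x03, 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, END_OPCODE};

/* 1 if the checked loader accepts the block, 0 if it rejects it. */
int block_accepted(const uint8_t *blk, size_t len) {
    size_t n;
    uint8_t *b = load_checked(blk, len, &n);
    if (!b) return 0;
    free(b);
    return 1;
}

/* Bytes the unchecked loader would write past its allocation for this block
 * (computed, not performed). */
int overflow_bytes(const uint8_t *blk, size_t len) {
    int actual = count_opcodes(blk, len);
    return actual > blk[0] ? actual - blk[0] : 0;
}

int main(void) {
    size_t n;
    uint8_t *b = load_unchecked(GOOD_BLOCK, sizeof GOOD_BLOCK, &n);
    printf("unchecked loader on well-formed block: %zu opcodes\n", n);
    free(b);
    printf("checked loader accepts GOOD=%d BAD=%d; BAD would overflow by %d bytes\n",
           block_accepted(GOOD_BLOCK, sizeof GOOD_BLOCK),
           block_accepted(BAD_BLOCK, sizeof BAD_BLOCK),
           overflow_bytes(BAD_BLOCK, sizeof BAD_BLOCK));
    return 0;
}
```

Rejecting the block outright, rather than silently truncating to the declared count, is the safer choice for a font loader: a declared count that disagrees with the data is evidence of a malformed or hostile file, and the only safe outcome is to not render it.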

Remote attackers could exploit this vulnerability by persuading target users to visit a web site that links to a malicious Java applet. Successful exploitation would cause memory corruption that could potentially allow arbitrary code execution in the security context of the logged-in user.

SonicWALL has released an IPS signature to address this vulnerability. The released signature covers a known exploit. The following signature was released:

  • 7469 – Oracle JRE TTF Handling Heap Buffer Overflow

The vulnerability has been assigned the ID CVE-2012-0499 by MITRE. The vendor has released an advisory regarding this issue.
