CVE-2009-2514
published 2009-11-11

Priority: P2
Score: 64
Severity: critical (CVSS 2.0 base score 9.3)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 47.49% (98.7th percentile)
win32k.sys in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not correctly parse font code during construction of a directory-entry table, which allows remote attackers to execute arbitrary code via a crafted Embedded OpenType (EOT) font, aka "Win32k EOT Parsing Vulnerability."

Detection & IOCs (extracted from sources)

path: win32k.sys
filename: pricedown.eot
path: data/exploits/pricedown.eot
command: coff = 0xb0000000; clen = (0xfffffffe - coff + 0xcc)
other: Content-Type: application/octet-stream (EOT font delivery)
  • Trigger is a crafted EOT font where the 'cmap' table directory entry has an overflowed offset (0xb0000000) and length field; detect HTTP responses serving .eot files with Content-Type: application/octet-stream containing a 'cmap' table entry with offset >= 0xb0000000.
  • The exploit delivers a malicious EOT font via an HTML page using a CSS @font-face rule; monitor for HTML pages embedding @font-face src URLs pointing to .eot resources served with Content-Type: application/octet-stream from the same host.
  • Crash occurs in win32k!bComputeIDs+0x28 (address bf87c9df on unpatched systems) with a READ_ADDRESS of b0f70072, indicating an out-of-bounds read in the kernel font parsing path; kernel crash dumps showing this faulting IP and bugcheck 0x50 are strong indicators of exploitation.
  • The Metasploit module is a DoS (BSoD) auxiliary module, not a code-execution exploit; it triggers an integer overflow in win32k.sys that causes a kernel crash (BUGCHECK 0x50) when Internet Explorer renders a page with the malicious embedded font.
  • The overflow is triggered specifically in the 'cmap' table directory entry; other table entries do not appear to trigger the bug according to the exploit author.
  • Affected platforms are limited to Microsoft Windows 2000 SP4, XP SP2/SP3, and Server 2003 SP2; the vulnerable image timestamp for win32k.sys is 45f013f6.
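As an added example (not part of this record or of the Metasploit module), a Python check for the condition the first bullet describes: a 'cmap' table directory entry whose offset plus length wraps past 32 bits, or otherwise runs off the end of the font data. The EOT header layout used to locate the wrapped TrueType blob (little-endian EOTSize and FontDataSize in the first 8 bytes, MagicNumber 0x504C at offset 34, font data at the tail) follows the EOT specification as I recall it and is an assumption; all sample bytes are constructed.

```python
import struct

# Constructed from the IOCs above: the overflowing 'cmap' entry (offset 0xb0000000, length 0xfffffffe - offset + 0xcc).
CMAP_OFFSET = 0xb0000000
CMAP_LENGTH = (0xfffffffe - CMAP_OFFSET + 0xcc) & 0xffffffff
EOT_MAGIC = 0x504C  # MagicNumber field of the EOT header (assumed from the EOT spec)

def build_sfnt(tables):
    """Minimal TrueType blob: offset table plus one 16-byte record per table, no table bodies."""
    offset_table = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    records = b"".join(struct.pack(">4sIII", tag, 0, off, length)
                       for tag, off, length in tables)
    return offset_table + records

def build_eot(sfnt):
    """Constructed header-only EOT: LE EOTSize/FontDataSize, magic at offset 34, font data last."""
    header = bytearray(64)
    header[0:8] = struct.pack("<II", 64 + len(sfnt), len(sfnt))
    header[8:12] = struct.pack("<I", 0x00020001)  # EOT version field
    header[34:36] = struct.pack("<H", EOT_MAGIC)
    return bytes(header) + sfnt

def check_table_directory(sfnt):
    """Flag records whose offset+length wraps 32 bits (the CVE trigger) or overruns the font data."""
    if len(sfnt) < 12:
        return ["truncated offset table"]
    num_tables = struct.unpack(">H", sfnt[4:6])[0]
    findings = []
    for i in range(num_tables):
        rec = sfnt[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            findings.append(f"table directory truncated at record {i}")
            break
        tag, _csum, off, length = struct.unpack(">4sIII", rec)
        name = tag.decode("latin-1")
        if off + length > 0xFFFFFFFF:  # Python ints do not wrap, so the sum is exact
            findings.append(f"{name}: offset+length wraps 32 bits")
        elif off + length > len(sfnt):
            findings.append(f"{name}: extends past end of font data")
    return findings

def scan_eot(eot):
    """Locate the wrapped sfnt via the EOT header, then check its table directory."""
    if len(eot) < 36 or struct.unpack("<H", eot[34:36])[0] != EOT_MAGIC:
        return ["not an EOT container (bad magic)"]
    eot_size, font_data_size = struct.unpack("<II", eot[:8])
    if font_data_size > eot_size or eot_size > len(eot):
        return ["EOT header sizes inconsistent with file length"]
    return check_table_directory(eot[eot_size - font_data_size:eot_size])
```

Run `scan_eot()` over .eot bodies pulled from HTTP responses (the octet-stream delivery noted above) to triage them before a client ever parses them.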