CVE-2009-2514
Published 2009-11-11
Priority: P2 (64)
CVSS 2.0: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see Exploit-DB and Metasploit below)
EPSS: 47.49% (98.7th percentile)
win32k.sys in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not correctly parse font code during construction of a directory-entry table, which allows remote attackers to execute arbitrary code via a crafted Embedded OpenType (EOT) font, aka "Win32k EOT Parsing Vulnerability."
Detection & IOCs (extracted from sources)
- Trigger is a crafted EOT font whose 'cmap' table directory entry carries an overflowed offset (0xb0000000) and length field; detect HTTP responses serving .eot files with Content-Type: application/octet-stream that contain a 'cmap' table entry with offset >= 0xb0000000.
- The exploit delivers the malicious EOT font via an HTML page using a CSS @font-face rule; monitor for HTML pages whose @font-face src URLs point to .eot resources served with Content-Type: application/octet-stream from the same host.
- Crash occurs in win32k!bComputeIDs+0x28 (address bf87c9df on unpatched systems) with a READ_ADDRESS of b0f70072, indicating an out-of-bounds read in the kernel font parsing path; kernel crash dumps showing this faulting IP and bugcheck 0x50 are strong indicators of exploitation.
- The Metasploit module is a DoS (BSoD) auxiliary module, not a code-execution exploit; it triggers an integer overflow in win32k.sys that causes a kernel crash (bugcheck 0x50) when Internet Explorer renders a page with the malicious embedded font.
- The overflow is triggered specifically by the 'cmap' table directory entry; other table entries do not appear to trigger the bug, according to the exploit author.
- Affected platforms are limited to Microsoft Windows 2000 SP4, XP SP2/SP3, and Server 2003 SP2; the vulnerable win32k.sys image timestamp is 45f013f6.
No detection rules found.
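Since the page indexes no detection rule, here is an added example (written for this page; it is neither the page's code nor Metasploit's module) of a stand-alone Ruby scanner that unwraps an EOT container, parses the embedded sfnt table directory and flags entries the font data cannot satisfy. It goes beyond the IOC above in two ways: it checks every table entry, not only 'cmap', and it reports both a 32-bit wrap of offset+length and an out-of-range end offset, in addition to the 0xb0000000 offset named in the IOC. Assumptions: the EOT header layout and the TTEMBED_TTCOMPRESSED / TTEMBED_XORENCRYPTDATA flag values follow the public EOT specification; the helper names and the sample fonts built by build_eot are constructed for the example and are not real fonts.

```ruby
# Added example for this page (not Metasploit's module and not the page's code):
# a stand-alone scanner that unwraps an EOT container, parses the embedded sfnt
# table directory and flags entries that the font data cannot satisfy, including
# the cmap shape described in the IOCs. EOT field layout follows the public EOT
# specification; helper names and the constructed samples are this example's own.

EOT_MAGIC            = 0x504C
TTEMBED_TTCOMPRESSED = 0x00000004   # MicroType Express compressed font data
TTEMBED_XORENCRYPT   = 0x10000000   # every font-data byte XORed with 0x50
EOT_FIXED_HEADER     = 82           # bytes before the first variable-length name field
SFNT_VERSIONS        = ["\x00\x01\x00\x00".b, "OTTO".b, "true".b]
IOC_OFFSET           = 0xB0000000   # cmap offset named in the IOCs above

# Return [font_bytes, nil] or [nil, reason]. FontData is the last FontDataSize
# bytes of the structure, so the variable-length name fields need not be walked.
def eot_font_data(blob)
  return [nil, "EOT header too short"] if blob.bytesize < EOT_FIXED_HEADER
  eot_size, font_data_size, _version, flags = blob.unpack("VVVV")   # header is little-endian
  magic = blob.byteslice(34, 2).unpack1("v")
  return [nil, "bad MagicNumber"] unless magic == EOT_MAGIC
  return [nil, "EOTSize does not match blob length"] unless eot_size == blob.bytesize
  return [nil, "FontDataSize overlaps the header"] if font_data_size > eot_size - EOT_FIXED_HEADER
  return [nil, "MTX-compressed font data (not handled here)"] if (flags & TTEMBED_TTCOMPRESSED) != 0
  font = blob.byteslice(eot_size - font_data_size, font_data_size)
  font = font.bytes.map { |b| b ^ 0x50 }.pack("C*") if (flags & TTEMBED_XORENCRYPT) != 0
  [font, nil]
end

# Parse the big-endian sfnt table directory: 12-byte header, then 16-byte
# entries of tag, checksum, offset, length.
def sfnt_table_directory(font)
  return [nil, "font data too short"] if font.bytesize < 12
  return [nil, "not an sfnt"] unless SFNT_VERSIONS.include?(font.byteslice(0, 4))
  num_tables = font.byteslice(4, 2).unpack1("n")
  return [nil, "table directory truncated"] if font.bytesize < 12 + 16 * num_tables
  entries = Array.new(num_tables) do |i|
    tag, _checksum, offset, length = font.byteslice(12 + 16 * i, 16).unpack("a4NNN")
    { tag: tag, offset: offset, length: length }
  end
  [entries, nil]
end

# Scan one EOT blob. Ruby integers do not wrap, so the 32-bit sum a native
# parser would compute is tested explicitly alongside the bounds check.
def scan_eot(blob)
  font, err = eot_font_data(blob)
  return { verdict: :unparseable, reason: err, findings: [] } unless font
  entries, err = sfnt_table_directory(font)
  return { verdict: :unparseable, reason: err, findings: [] } unless entries
  findings = []
  entries.each do |e|
    end_off = e[:offset] + e[:length]
    if end_off > 0xFFFFFFFF
      findings << format("%s: offset+length wraps 32 bits (0x%x + 0x%x)", e[:tag], e[:offset], e[:length])
    elsif end_off > font.bytesize
      findings << format("%s: offset+length 0x%x exceeds font data (%d bytes)", e[:tag], end_off, font.bytesize)
    end
    findings << format("%s: offset 0x%x matches IOC (>= 0xB0000000)", e[:tag], e[:offset]) if e[:offset] >= IOC_OFFSET
  end
  { verdict: findings.empty? ? :clean : :suspicious, reason: nil, findings: findings }
end

# Build a minimal, constructed EOT (not a real font) around the given table
# directory: version 0x00020001 header with every name field empty, then FontData.
def build_eot(tables, body_size)
  dir = ["\x00\x01\x00\x00".b, tables.size, 0, 0, 0].pack("a4nnnn")
  tables.each { |t| dir << [t[:tag], 0, t[:offset], t[:length]].pack("a4NNN") }
  font = dir + ("\x00".b * body_size)
  header = [0, font.bytesize, 0x00020001, 0].pack("VVVV")                # EOTSize patched below
  header << ("\x00".b * 10) << [1, 0, 400, 0, EOT_MAGIC].pack("CCVvv")  # PANOSE, Charset, Italic, Weight, fsType, Magic
  header << ("\x00".b * (EOT_FIXED_HEADER - header.bytesize))          # ranges, checksum, reserved, Padding1
  header << ([0] * 9).pack("v9")   # empty Family/Style/Version/Full/RootString sizes and their paddings
  blob = header + font
  blob[0, 4] = [blob.bytesize].pack("V")
  blob
end

if $PROGRAM_NAME == __FILE__
  sample = ARGV[0] ? File.binread(ARGV[0]) :
           build_eot([{ tag: "cmap", offset: 0xB0000000, length: 0x100 }], 64)
  puts scan_eot(sample).inspect
end
```

Run it against a captured response body (for example `ruby eot_scan.rb sample.eot`) or with no argument to scan the constructed trigger-shaped sample. MTX-compressed payloads (flag 0x4) come back as :unparseable rather than :clean, so a pipeline should route those to a decompressor or treat them as suspicious by policy instead of passing them through.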
Exploit-DB
Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)
exploitdb · 2009-11-12

Module excerpt as indexed (Metasploit auxiliary DoS module by hdm; the class header and the body of run are not reproduced on the page):

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Windows EOT Font Table Directory Integer Overflow',
      'Description' => %q{
        This module exploits an integer overflow flaw in the Microsoft Windows Embedded
        OpenType font parsing code located in win32k.sys. Since the kernel itself parses
        embedded web fonts, it is possible to trigger a BSoD from a normal web page when
        viewed with Internet Explorer.
      },
      'License'     => MSF_LICENSE,
      'Author'      => 'hdm',
      'Version'     => '$Revision: 7470 $',
      'References'  =>
        [
          [ 'CVE', '2009-2514' ],
          [ 'MSB', 'MS09-065' ],
          [ 'OSVDB', '59869']
        ],
      'DisclosureDate' => 'Nov 10 2009'
    ))

    # EOTFILE: the EOT template whose table directory is patched to build the trigger
    register_options([
      OptPath.new('EOTFILE', [ true, "The EOT template to use to generate the trigger", File.join(Msf::Config.install_root, "data", "exploits", "pricedown.eot")]),
    ], self.class)
  end

  def run
    # HTTP server and trigger-generation body not included in the page's excerpt
  end
Metasploit
Microsoft Windows EOT Font Table Directory Integer Overflow
This module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer.
No writeups or analysis indexed.
References
http://www.us-cert.gov/cas/techalerts/TA09-314A.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-065
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6406