CVE-2010-1797
Published 2010-08-16
CVE-2010-1797: Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload.c in FreeType…
Priority: P277 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Flags: ITW · EXPLOIT · VulnCheck KEV (exploited in the wild)
EPSS: 30.65% (98.0th percentile)
Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload.c in FreeType before 2.4.2, as used in Apple iOS before 4.0.2 on the iPhone and iPod touch and before 3.2.2 on the iPad, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted CFF opcodes in embedded fonts in a PDF document, as demonstrated by JailbreakMe. NOTE: some of these details are obtained from third party information.
Affected
64 ranges (25 shown on the source page; every shown range is apple / iphone_os with no version bounds captured)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | iphone_os | — | — |
Detection & IOCs (extracted from sources)
hash: 68 10 f5 00 00 31 f6 64 8b 76 30 8b 76 0c 8b 76 1c 8b 6e 08 8b 36 8b 5d 3c 8b 5c 1d 78 01 eb 8b 4b 18 67 e3 ec 8b 7b 20 01 ef 8b 7c 8f fc 01 ef 31 c0 99 32 17 66 c1 ca 01 ae 75 f7 58 66 3b d0 50 e0 e2 75 cc 8b 53 24 01 ea 0f b7 14 4a 8b 7b 1c 01 ef 03 2c 97 66 3d 10 f5 75 0e 33 c0 50 68 2e 65 78 65 68 63 61 6c 63 54 ff d5 68 06 cb 00 00 eb 92
bytes: \x01\x00\x04\x01\x00\x01\x01\x01\x13ABCDEF+Times-Roman
bytes: \x0c\x17\x0c\x17\x0c\x04\x0c\x1d
bytes: \x0c\x17\x0c\x1d
bytes: \x0c\x1d\x0c\x12
bytes: \xff\x90\x90\x8a\xeb
Detection guidance:
- Detect crafted PDF files embedding malicious CFF fonts by scanning for the exploit's characteristic CFF opcode sequences (\x0c\x17, \x0c\x1d, \x0c\x04, \x0c\x12) repeated in high density within a PDF stream.
- The exploit payload targets the cff_decoder_parse_charstrings function in FreeType; monitor for FreeType versions prior to 2.4.2 processing PDF documents with embedded CFF fonts.
- The PoC exploit generates a file named 'foxit_type2_poc.pdf'; alert on this filename appearing in download or temp directories.
- The exploit uses FF-encoded shellcode bytes where every 5-byte group starts with \xff; scan decompressed CFF streams for runs of \xff-prefixed 5-byte groups as a heuristic for encoded shellcode.
- The iOS jailbreak exploit archive (ios_pdf_exploit.7z) originates from userland and grants root access; treat receipt of this archive as a high-severity indicator.
Caveats:
- The PoC targets specific Foxit Reader versions; the two hardcoded ROP gadget addresses (POP_POP_RET) are version-specific and will not apply universally.
- The vulnerability affects Apple iOS before 4.0.2 (iPhone/iPod touch) and before 3.2.2 (iPad); detections scoped to iOS should account for these version boundaries.
- CVE-2010-3311 is a distinct FreeType vulnerability (integer overflow in ftstream.c) and should not be conflated with CVE-2010-1797 detections.
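A defender-side scanner for the two stream-level heuristics in the detection notes above (dense escaped CFF opcodes, and runs of \xff-prefixed 5-byte groups of the kind the PoC's getFFShellcode() encoder emits). This is an added example written for this page, not code from the source advisories or from the Exploit-DB PoC; the stream-extraction regex, the function names, the thresholds and the two embedded sample PDFs are assumptions and constructed fixtures.

```python
"""Heuristic scanner for the stream-level indicators listed above.

Assumptions (this is an added example, not vendor or PoC code): stream
objects are located from a direct /Length entry with a simple regex,
Flate-encoded bodies are inflated, and a stream is flagged when it either
packs many of the escaped CFF opcodes 0c17 / 0c1d / 0c04 / 0c12 into a
small window, or contains a long chain of 5-byte groups that each start
with 0xff.  Thresholds are illustrative, not tuned on real traffic.
"""
import re
import zlib

# The four escaped Type2 charstring opcodes named in the detection notes.
SUSPECT_OPCODES = (b"\x0c\x17", b"\x0c\x1d", b"\x0c\x04", b"\x0c\x12")

# Minimal matcher: dictionary with a direct /Length, then the stream keyword.
# Indirect lengths (/Length 5 0 R) and nested dictionaries are not handled.
_STREAM_RE = re.compile(rb"/Length (\d+)[^>]*>>\s*stream\r?\n")


def extract_streams(pdf: bytes) -> list:
    """Return the body of every stream object, inflated when it is zlib data."""
    bodies = []
    for m in _STREAM_RE.finditer(pdf):
        raw = pdf[m.end(): m.end() + int(m.group(1))]
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)  # not Flate-encoded: scan the raw bytes
    return bodies


def max_opcode_density(data: bytes, window: int = 256) -> int:
    """Most suspect opcode pairs found inside any `window`-byte slice of data."""
    hits = sorted(m.start() for op in SUSPECT_OPCODES
                  for m in re.finditer(re.escape(op), data))
    best = lo = 0
    for hi, pos in enumerate(hits):
        while pos - hits[lo] >= window:   # slide the left edge forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def longest_ff_run(data: bytes) -> int:
    """Longest chain of back-to-back 5-byte groups whose first byte is 0xff."""
    best = 0
    n = len(data)
    for start in range(n):
        if data[start] != 0xFF:
            continue
        count, pos = 0, start
        while pos + 5 <= n and data[pos] == 0xFF:
            count += 1
            pos += 5
        best = max(best, count)
    return best


def scan_pdf(pdf: bytes, opcode_threshold: int = 16, ff_run_threshold: int = 8) -> dict:
    """Apply both heuristics to every stream and return per-stream findings."""
    streams = []
    for idx, data in enumerate(extract_streams(pdf)):
        density = max_opcode_density(data)
        ff_run = longest_ff_run(data)
        streams.append({
            "stream": idx,
            "opcode_density": density,
            "ff_run": ff_run,
            "suspicious": density >= opcode_threshold or ff_run >= ff_run_threshold,
        })
    return {"streams": streams, "suspicious": any(s["suspicious"] for s in streams)}


# --- Constructed fixtures (synthetic, not taken from any real file) ---------
def _stream_obj(num: int, payload: bytes) -> bytes:
    """Wrap payload as a Flate-encoded PDF stream object."""
    body = zlib.compress(payload)
    return (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(body))
            + body + b"\nendstream\nendobj\n")

BENIGN_STREAM = b"BT /F1 12 Tf 72 712 Td (Hello, world) Tj ET"
# 32 repetitions of the four opcode pairs, then twelve 0xff-led filler groups.
CRAFTED_STREAM = b"\x0c\x17\x0c\x1d\x0c\x04\x0c\x12" * 32 + b"\xff\x41\x42\x43\x44" * 12

SAMPLE_CLEAN_PDF = b"%PDF-1.4\n" + _stream_obj(1, BENIGN_STREAM) + b"%%EOF\n"
SAMPLE_CRAFTED_PDF = (b"%PDF-1.4\n" + _stream_obj(1, BENIGN_STREAM)
                      + _stream_obj(2, CRAFTED_STREAM) + b"%%EOF\n")

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN_PDF), ("crafted", SAMPLE_CRAFTED_PDF)):
        print(name, scan_pdf(blob))
```

The window-based opcode count is deliberately per-stream rather than per-file: a legitimate font can use each of these escaped operators a few times, so the signal is many of them packed into a few hundred bytes, not their mere presence. The 0xff-run check is applied to the inflated body because, as the notes say, the encoded payload lives inside the compressed CFF stream; on raw compressed bytes it would be noise.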
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vulncheck | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
GHSA
GHSA-mph3-mc9x-x334: Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload
ghsa_unreviewed · 2022-05-13 · CVE-2010-1797 [HIGH] CWE-119
Description: identical to the CVE-2010-1797 description above.
GHSA
GHSA-74p3-w59x-4m9w: Integer overflow in base/ftstream
ghsa_unreviewed · 2022-05-13 · CVSS 9.3 · CVE-2010-3311 [CRITICAL]
Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an "input stream position error" issue, a different vulnerability than CVE-2010-1797.
OSV
CVE-2010-3311: Integer overflow in base/ftstream
osv · 2011-01-07 · CVSS 9.3 · CVE-2010-3311 [CRITICAL]
Description: identical to the CVE-2010-3311 description above.
OSV
CVE-2010-1797: Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload
osv · 2010-08-16 · CVSS 9.3 · CVE-2010-1797 [CRITICAL]
Description: identical to the CVE-2010-1797 description above.
VulnCheck
Apple iphone_os Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2010 · CVSS 9.3 · CVE-2010-1797 [CRITICAL]
Description: identical to the CVE-2010-1797 description above.
Affected: Apple iphone_os
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Ex
Red Hat
freetype: Input stream position error by processing Compact Font Format (CFF) font files
vendor_redhat · 2010-09-30 · CVSS 9.3 · CVE-2010-3311 [CRITICAL] CWE-190
Description: identical to the CVE-2010-3311 description above.
Ubuntu
FreeType vulnerabilities
vendor_ubuntu · 2010-08-17 · CVE-2010-1797
It was discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges.
Instructions: After a standard system update you need to restart your session to make all the necessary changes.
Red Hat
FreeType: Multiple stack overflows by processing CFF opcodes
vendor_redhat · 2010-08-05 · CVSS 9.3 · CVE-2010-1797 [CRITICAL]
Description: identical to the CVE-2010-1797 description above.
Package: freetype (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2010-1797: freetype - Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings funct...
vendor_debian · 2010 · CVSS 9.3 · CVE-2010-1797 [CRITICAL]
Description: identical to the CVE-2010-1797 description above.
Scope: local
bookworm: resolved (fixed in 2.4.2-1)
bullseye: resolved (fixed in 2.4.2-1)
forky: resolved (fixed in 2.4.2-1)
sid: resolved (fixed in 2.4.2-1)
trixie: resolved (fixed in 2.4.2-1)
Debian
CVE-2010-3311: freetype - Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in Fr...
vendor_debian · 2010 · CVSS 9.3 · CVE-2010-3311 [CRITICAL]
Description: identical to the CVE-2010-3311 description above.
Scope: local
bookworm: resolved (fixed in 2.4.0-1)
bullseye: resolved (fixed in 2.4.0-1)
forky: resolved (fixed in 2.4.0-1)
sid: resolved (fixed in 2.4.0-1)
trixie: resolved (fixed in 2.4.0-1)
No detection rules found.
Exploit-DB
Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow 'Jailbreak'
exploitdb · 2010-08-24 · CVSS 9.3 · CVE-2010-1797 [CRITICAL]
---
```python
# Python 2 PoC excerpt as published on Exploit-DB; the script is truncated
# on the source page after the lines shown here.
import sys,zlib

def getFFShellcode(sc):
    # Pad the payload to a multiple of 4 bytes, then emit each 4-byte group
    # as '\xff' followed by the group in reverse byte order. This is the
    # '\xff'-prefixed 5-byte-group pattern the detection notes refer to.
    ff_sc = ''
    if len(sc)%4 != 0:
        sc += (4-len(sc)%4)*'\x00'
    for i in range(0,len(sc),4):
        ff_sc += '\xff'+sc[i+3]+sc[i+2]+sc[i+1]+sc[i]
    return ff_sc

outputHeader = '''
##############################################################################################
# FreeType Compact Font Format (CFF) Multiple Stack Based Buffer Overflow (CVE-2010-1797) #
##############################################################################################
# #
# Product: Foxit Reader #
# Web: http://eternal-todo.com #
# Date: 2010-08-23 #
# #
##############################################################################################
'''
# Output filename; the detection notes above suggest alerting on it.
outputFileName = 'foxit_type2_poc.pdf'
```
usage
Exploit-DB
Apple iOS - '.pdf' Local Privilege Escalation 'Jailbreak'
exploitdb · 2010-08-03 · CVE-2010-2973
---
The files contained in the archive link below are those that make use of a PDF exploit in order to jailbreak devices running Apple iOS. These PDFs are of interest in that they originate in userland and give root access to the devices.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14538.7z (ios_pdf_exploit.7z)
Bugzilla
CVE-2010-3311 freetype: Input stream position error by processing Compact Font Format (CFF) font files
bugzilla · 2010-08-12 · CVSS 9.3 · CVE-2010-3311 [CRITICAL]
Marc Schoenefeld found an input stream position error in the way FreeType font rendering engine processed input file streams. If a user loaded a specially-crafted font file with an application linked against FreeType and relevant font glyphs were subsequently rendered with the X FreeType library (libXft), it could cause the application to crash or, possibly execute arbitrary code (integer overflow leading to heap-based buffer overflow in the libXft library) with the privileges of the user running the application. Different vulnerability than CVE-2010-1797.
Affected versions: freetype-2.3 and before that.
Latest upstream version (2.4) is not affected
Discussion:
Created freetype tracki
Bugzilla
CVE-2010-1797 CVE-2010-2806 freetype various flaws [fedora-all]
bugzilla · 2010-08-05 · CVSS 9.3 · CVE-2010-1797 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=621144
Please note: this issue affects multiple supported
Bugzilla
CVE-2010-1797 FreeType: Multiple stack overflows by processing CFF opcodes
bugzilla · 2010-08-04 · CVSS 9.3 · CVE-2010-1797 [CRITICAL]
Multiple stack overflow flaws have been reported in the way FreeType font rendering engine processed certain CFF opcodes. An attacker could use these flaws to create a specially-crafted font file that, when opened, would cause an application linked against libfreetype to crash, or, possibly execute arbitrary code.
References:
[1] http://www.f-secure.com/weblog/archives/00002002.html
Acknowledgements:
Red Hat would like to thank Braden Thomas of the Apple Product Security team for reporting these issues.
Discussion:
Created attachment 436501
Proposed FreeType CVE-2010-1797 patch from Apple
---
This deficiency affects the version of the vnc-server package, as shipped with Red Hat Enterprise Linux 3 (it contains
References
- http://freetype.sourceforge.net/index2.html#release-freetype-2.4.2
- http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=018f5c27813dd7eef4648fe254632ecea0c85a50
- http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=11d65e8a1f1f14e56148fd991965424d9bd1cdbc
- http://lists.apple.com/archives/security-announce/2010//Aug/msg00000.html
- http://lists.apple.com/archives/security-announce/2010//Aug/msg00001.html
- http://osvdb.org/66828
- http://secunia.com/advisories/40807
- http://secunia.com/advisories/40816
- http://secunia.com/advisories/40982
- http://secunia.com/advisories/48951
- http://sourceforge.net/projects/freetype/files/freetype2/2.4.2/NEWS/view
- http://support.apple.com/kb/HT4291
- http://support.apple.com/kb/HT4292
- http://www.exploit-db.com/exploits/14538
- http://www.f-secure.com/weblog/archives/00002002.html
- http://www.securityfocus.com/bid/42151
- http://www.ubuntu.com/usn/USN-972-1
- http://www.vupen.com/english/advisories/2010/2018
- http://www.vupen.com/english/advisories/2010/2106
- https://bugs.launchpad.net/ubuntu/maverick/+source/freetype/+bug/617019
- https://bugzilla.redhat.com/show_bug.cgi?id=621144
- https://exchange.xforce.ibmcloud.com/vulnerabilities/60856