cbcvebase.
CVE-2010-1797
published 2010-08-16

CVE-2010-1797: Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload.c in FreeType…

Priority P277 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 30.65% (98.0th percentile)
Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload.c in FreeType before 2.4.2, as used in Apple iOS before 4.0.2 on the iPhone and iPod touch and before 3.2.2 on the iPad, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted CFF opcodes in embedded fonts in a PDF document, as demonstrated by JailbreakMe. NOTE: some of these details are obtained from third party information.

Affected

64 ranges · showing 25

Vendor | Product | Version range | Fixed in
apple | iphone_os | (not captured) | (not captured)

All 25 rows shown list vendor apple, product iphone_os; the version-range and fixed-in columns were not captured on this page. The description below gives the boundaries that are known: iOS before 4.0.2 (iPhone, iPod touch) and before 3.2.2 (iPad).

Detection & IOCs (extracted from sources)

filename: foxit_type2_poc.pdf
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14538.7z
bytes (x86 shellcode carried by the PoC, not a hash: it walks the PEB to resolve an API by hash, pushes "calc" and ".exe" onto the stack and calls it): 68 10 f5 00 00 31 f6 64 8b 76 30 8b 76 0c 8b 76 1c 8b 6e 08 8b 36 8b 5d 3c 8b 5c 1d 78 01 eb 8b 4b 18 67 e3 ec 8b 7b 20 01 ef 8b 7c 8f fc 01 ef 31 c0 99 32 17 66 c1 ca 01 ae 75 f7 58 66 3b d0 50 e0 e2 75 cc 8b 53 24 01 ea 0f b7 14 4a 8b 7b 1c 01 ef 03 2c 97 66 3d 10 f5 75 0e 33 c0 50 68 2e 65 78 65 68 63 61 6c 63 54 ff d5 68 06 cb 00 00 eb 92
path: cff/cffgload.c
bytes (CFF header: major 1, minor 0, hdrSize 4, offSize 1, followed by a Name INDEX with one entry): \x01\x00\x04\x01\x00\x01\x01\x01\x13ABCDEF+Times-Roman
bytes (Type 2 escape operators random, random, or, index): \x0c\x17\x0c\x17\x0c\x04\x0c\x1d
bytes (random, index): \x0c\x17\x0c\x1d
bytes (index, drop): \x0c\x1d\x0c\x12
bytes (0xff is the Type 2 32-bit operand prefix; the four bytes after it are payload): \xff\x90\x90\x8a\xeb
  • Detect crafted PDF files embedding malicious CFF fonts by scanning decompressed font streams for the exploit's characteristic Type 2 escape opcode sequences (\x0c\x17 random, \x0c\x1d index, \x0c\x04 or, \x0c\x12 drop) repeated at high density; legitimate glyph programs use these arithmetic and stack operators rarely, if at all.
  • The exploit targets the cff_decoder_parse_charstrings function in FreeType; inventory every PDF renderer and mobile browser that bundles FreeType older than 2.4.2, and treat embedded CFF (FontFile3/Type1C) fonts reaching those parsers as high risk.
  • The PoC exploit generates a file named 'foxit_type2_poc.pdf'; alert on this filename appearing in download or temp directories, bearing in mind that a renamed copy evades this check.
  • The exploit smuggles its shellcode through the Type 2 operand stack: every 5-byte group starts with \xff (the 32-bit number prefix) and carries four payload bytes. Scan decompressed CFF streams for long runs of \xff-prefixed 5-byte groups as a heuristic for encoded shellcode, and reassemble the four-byte payloads in order to recover the encoded bytes.
  • The iOS jailbreak exploit archive (ios_pdf_exploit.7z) starts from this userland PDF bug and ends with root access; treat receipt of this archive as a high-severity indicator.
  • The PoC targets specific Foxit Reader versions; the two hardcoded ROP gadget addresses (POP_POP_RET) are version-specific and will not apply universally.
  • The vulnerability affects Apple iOS before 4.0.2 (iPhone/iPod touch) and before 3.2.2 (iPad); detections scoped to iOS should account for these version boundaries.
  • CVE-2010-3311 is a distinct FreeType vulnerability (integer overflow in ftstream.c) and should not be conflated with CVE-2010-1797 detections.
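The two content heuristics above (escape-opcode density and \xff-encoded payload runs) as a runnable scanner. This is an added example, not code from this page, from the exploit-db PoC or from FreeType. The thresholds, the minimal one-object PDF wrapper, and the two sample fonts are constructed for the example; the opcode names follow the Type 2 charstring specification, and the shellcode used as sample payload is the hex dump listed in the IOCs.

```python
import re
import zlib

# Type 2 charstring escape operators (0x0c prefix) the PoC repeats at high density.
ESCAPE_OPS = {0x17: "random", 0x1d: "index", 0x04: "or", 0x12: "drop"}
NUM32 = 0xFF  # Type 2: 0xff b1 b2 b3 b4 pushes one 32-bit (16.16 fixed) operand

# Thresholds are assumptions tuned against the constructed samples below.
MIN_ESCAPE_OPS = 32
MIN_ESCAPE_DENSITY = 0.02   # suspicious escape ops per byte of decoded stream
MIN_FF_RUN = 8              # consecutive 0xff-prefixed 5-byte groups

# x86 calc.exe shellcode from the page's IOC list; used only as sample payload here.
CALC_SHELLCODE = bytes.fromhex(
    "68 10 f5 00 00 31 f6 64 8b 76 30 8b 76 0c 8b 76 1c 8b 6e 08 8b 36 8b 5d 3c "
    "8b 5c 1d 78 01 eb 8b 4b 18 67 e3 ec 8b 7b 20 01 ef 8b 7c 8f fc 01 ef 31 c0 "
    "99 32 17 66 c1 ca 01 ae 75 f7 58 66 3b d0 50 e0 e2 75 cc 8b 53 24 01 ea 0f "
    "b7 14 4a 8b 7b 1c 01 ef 03 2c 97 66 3d 10 f5 75 0e 33 c0 50 68 2e 65 78 65 "
    "68 63 61 6c 63 54 ff d5 68 06 cb 00 00 eb 92"
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # skip 'N 0 R' refs


def iter_streams(pdf: bytes):
    """Yield (offset, stream dictionary, decoded bytes) per stream object.
    Only FlateDecode is handled; other filters are yielded raw."""
    for m in STREAM_RE.finditer(pdf):
        obj_start = pdf.rfind(b"obj", 0, m.start())   # 'N G obj' header of this object
        sdict = pdf[obj_start:m.start()] if obj_start != -1 else b""
        data = m.group(1)
        ln = DIRECT_LENGTH_RE.search(sdict)
        if ln:  # prefer the declared length: binary data may itself contain 'endstream'
            data = pdf[m.start(1):m.start(1) + int(ln.group(1))]
        if b"/FlateDecode" in sdict:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        yield m.start(), sdict, data


def looks_like_cff(sdict: bytes, data: bytes) -> bool:
    """CFF header is major 1, minor 0, hdrSize 4, offSize 1..4; FontFile3 uses /Type1C."""
    hdr = len(data) > 3 and data[:3] == b"\x01\x00\x04" and 1 <= data[3] <= 4
    return hdr or b"/Type1C" in sdict


def escape_op_stats(data: bytes):
    """Count the suspicious escape ops; naive byte-pair scan, so numeric operands
    containing 0x0c can add noise, which the density threshold absorbs."""
    counts = {name: 0 for name in ESCAPE_OPS.values()}
    for i in range(len(data) - 1):
        if data[i] == 0x0C and data[i + 1] in ESCAPE_OPS:
            counts[ESCAPE_OPS[data[i + 1]]] += 1
    total = sum(counts.values())
    return total, (total / len(data) if data else 0.0), counts


def longest_num32_run(data: bytes):
    """Longest run of 0xff-prefixed 5-byte groups -> (group count, reassembled payload)."""
    best = (0, b"")
    i = 0
    while i < len(data):
        if data[i] == NUM32 and i + 5 <= len(data):
            start, payload = i, bytearray()
            while i + 5 <= len(data) and data[i] == NUM32:
                payload += data[i + 1:i + 5]
                i += 5
            groups = (i - start) // 5
            if groups > best[0]:
                best = (groups, bytes(payload))
        else:
            i += 1
    return best


def encode_num32(payload: bytes) -> bytes:
    """Encode bytes as consecutive Type 2 32-bit operands (the PoC's carrier);
    pads to a multiple of 4 with NOPs. Used only to build the sample."""
    payload += b"\x90" * (-len(payload) % 4)
    return b"".join(b"\xff" + payload[i:i + 4] for i in range(0, len(payload), 4))


def scan_pdf(pdf: bytes) -> list:
    """Apply both heuristics to every CFF-looking stream in a PDF."""
    findings = []
    for off, sdict, data in iter_streams(pdf):
        if not looks_like_cff(sdict, data):
            continue
        total, density, counts = escape_op_stats(data)
        groups, payload = longest_num32_run(data)
        hits = []
        if total >= MIN_ESCAPE_OPS and density >= MIN_ESCAPE_DENSITY:
            hits.append("cff_escape_op_density")
        if groups >= MIN_FF_RUN:
            hits.append("num32_encoded_payload")
        findings.append({"stream_offset": off, "escape_ops": counts,
                         "density": round(density, 3), "num32_groups": groups,
                         "payload": payload, "hits": hits, "suspicious": bool(hits)})
    return findings


# Constructed samples (hypothetical): CFF header and one-entry Name INDEX as on the page.
CFF_HDR = b"\x01\x00\x04\x01"
NAME_INDEX = b"\x00\x01\x01\x01\x13ABCDEF+Times-Roman"
BENIGN_FONT = CFF_HDR + NAME_INDEX + b"\x8b\x8b\x15\x9c\x9c\x05\x0c\x24\x0e" * 20  # rmoveto/rlineto/hflex1/endchar
MALICIOUS_FONT = (CFF_HDR + NAME_INDEX
                  + b"\x0c\x17\x0c\x17\x0c\x04\x0c\x1d" * 64   # random random or index, looped
                  + encode_num32(CALC_SHELLCODE)               # shellcode as 0xff operands
                  + b"\x0c\x1d\x0c\x12" * 8)                   # index drop


def make_pdf(font: bytes) -> bytes:
    """Wrap a font blob as a FlateDecode'd /Type1C stream in a minimal constructed PDF."""
    body = zlib.compress(font)
    return (b"%PDF-1.4\n5 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode /Subtype /Type1C >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for label, font in (("benign", BENIGN_FONT), ("poc-style", MALICIOUS_FONT)):
        for f in scan_pdf(make_pdf(font)):
            print(label, f["hits"], f["escape_ops"], f["num32_groups"], f["payload"][:8].hex())
```

The reassembled payload is what to feed to a disassembler or a shellcode-hash lookup; in the sample it comes back as the page's calc.exe bytes followed by one NOP of padding. Real documents need a proper PDF parser (object streams, indirect /Length, other filters) in place of the regex wrapper here.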

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv | | 9.3 | CRITICAL |
vulncheck | | 9.3 | CRITICAL |
vendor_debian | | 9.3 | CRITICAL |
vendor_redhat | | 9.3 | CRITICAL |