T1 Font Integer Overflow

The T1 Font Integer Overflow (a.k.a DejaVu as it is very similar to the Malformed CFF Vulnerability [1]) is an exploit used in Saffron.

Credit

comex

Description

When dealing with op_callothersubr, arg_cnt is defined as an integer. arg_cnt is read from decoder‑>stack, which could be set to 0xfea50000 by charstring "fb ef". And this will bypass stack checking. Then "top ‑= arg_cnt" will make top point to data outside of decoder‑>stack. Actually it points to decoder‑>parse_callback. decoder‑>parse_callback address minus default address of that function to get ASLR offset. That's how it bypasses ASLR.

This vulnerability was actually addressed by Apple in OS X v10.6.8 (Security Update 2011-004), but a fix was never pushed to iOS. (CVE-2011-0202).

When Apple released iOS 4.2.9/4.3.4 to patch this vulnerability, it received a different CVE identifier (CVE-2011-0226).

External Links

Tweets from @windknown: 1 2 3 4
KB HT4723
CVE-2011-0202
CVE-2011-0226
Analasis by Intrepid US Group
Analasis by Sogeti ESEC Labs [Archived 2011-07-22 at the Wayback Machine]

v t e Exploits
Exploits	0x24000 Segment Overflow ARM Exception Vector Info Leak ARM7 Go AT+FNS AT+XAPP Vulnerability AT+XEMN Heap Overflow AT+XLOG Vulnerability AT+stkprof BPF_STX Kernel Write Exploit CVE-2013-0964 CVE-2021-30773 CVE-2021-30807 CVE-2021-30883 CoreTrust Root Certificate Validation Vulnerability De Rebus Antiquis Dual Boot Exploit Dynamic memmove() locating Fakeblank HFS Heap Overflow HFS Legacy Volume Name Stack Buffer Overflow IOPlatformArgs leak IOSurface Kernel Exploit IOUSBDeviceFamily Vulnerability IPSF Incomplete Codesign Exploit JerrySIM Kernel memory write via ROP gadget MacDirtyCow Malformed CFF Vulnerability Malformed PairRequest Minus 0x20000 with Back Extend Erase Minus 0x400 MobileBackup Copy Exploit Overlapping Segment Attack Packet Filter Kernel Exploit Psychic Paper Pwnage Pwnage 2.0 Racoon String Format Overflow Exploit Ramdisk Hack SHA-1 Image Segment Overflow Shebang Trick Soft Upgrade Symbolic Link Vulnerability Symlinks T1 Font Integer Overflow Timezone Vulnerability alloc8 Exploit amfid Lazy Binding Exploit amfid Text Relocation Exploit ... further results
Patches	/private/etc/fstab AMFI Binary Trust Cache Patch ASR Crazeles Hunnypot Kernel Patches PE_i_can_has_debugger Patch Sandbox Patch Signature Check Patch hgsp4 patch tfp0 patch vm_map_enter Patch vm_map_protect Patch