We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file: --- DRIVER_OVERRAN_STACK_BUFFER (f7) A driver has overrun a stack-based buffer. This overrun could potentially allow a malicious user to gain control of this machine. DESCRIPTION A driver overran a stack-based buffer (or local variable) in a way that would have overwritten the function's return address and jumped back to an arbitrary address when the function returned. This is the classic "buffer overrun" hacking attack and the system has been brought down to prevent a malicious user from gaining complete control of it. Do a kb to get a stack backtrace -- the last routine on the stack before the buffer overrun handlers and bugcheck call is the one that overran its local variable(s). Arguments: Arg1: a6703535, Actual security check cookie from the stack Arg2: 98ee9e09, Expected security check cookie Arg3: 671161f6, Complement of the expected security check cookie Arg4: 00000000, zero Debugging Details: ------------------ DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP SECURITY_COOKIE: Expected 98ee9e09 found a6703535 CUSTOMER_CRASH_COUNT: 1 BUGCHECK_STR: 0xF7 PROCESS_NAME: csrss.exe CURRENT_IRQL: 0 ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 98ea5720 to 82725b84 STACK_TEXT: a6723488 98ea5720 000000f7 a6703535 98ee9e09 nt!KeBugCheckEx+0x1e WARNING: Stack unwind information not available. Following frames may be wrong. a67234a8 98ec57f6 00000085 00400000 08680370 ATMFD+0x15720 a672353c 98ec5b0e 00400000 a6723790 00400000 ATMFD+0x357f6 a6723610 8297ef90 ff68a000 00000000 ff68a000 ATMFD+0x35b0e a6723624 99180853 3e9ca839 a6723734 98ec5063 nt!VerifierExFreePoolWithTag+0x30 a6723638 00400000 a672364c a6723790 a6723868 win32k!VerifierEngFreeMem+0x5b a6723790 98e95328 98e953b4 98e953be 98e95442 0x400000 a67237c8 00000000 00001f98 00000000 00000000 ATMFD+0x5328 --- While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "CFF " table. The immediate reason of the bugcheck is a stack corruption detected by the stack cookie protection (/GS). The issue reproduces on Windows 7 and 8.1; other platforms were not tested. In our environment, it is sufficient to open the offending font in the default Windows Font Viewer to reproduce the crash, or even click on a folder icon containing the font in Windows Explorer. Attached is an archive with the proof-of-concept mutated OTF file, together with the original font used to generate it and a corresponding crash log from Windows 7 32-bit. More: https://code.google.com/p/google-security-research/issues/detail?id=682 # Iranian Exploit DataBase = http://IeDb.Ir [2016-03-16]