ATMFD.DLL Memory Corruption Vulnerability attacks spotted in the wild

August 4, 2015

CVE-2015-2387 attacks have been spotted in the wild. An elevation of privilege vulnerability exists in the Adobe Type Manager Font Driver (ATMFD) when it fails to properly handle objects in memory. ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows allows local users to gain privileges via a crafted application, aka "ATMFD.DLL Memory Corruption Vulnerability." An attacker who successfully exploits this vulnerability can execute arbitrary code and take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Following is the analysis of the exploit:

The executable is packed and contains both the malicious font and the exploit code. The payload (.exe) prepares the ROP gadgets in user mode before it calls the vulnerable ATMFD.dll in kernel mode.

The sample opens ntkrnlpa.exe and calls the vulnerable ATMFD.dll. The malicious exe successfully starts the cmd process with local privileges and manages to exploit the vulnerability to gain admin privileges.

Running the malicious exe under WinDbg shows that the exe loads the font into memory.

Setting a breakpoint on NamedEscape shows the vulnerable DLL being called.

The binary then tries to load the malicious font (an OpenType font carrying the OTTO tag).

When ATMFD.dll processes this font, a buffer overflow occurs, which allows the attacker to gain admin privileges.
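For triaging a dropper like the one described above, here is an added example (not part of the original post or of SonicWALL's tooling): a Python script that locates the OTTO signature (the sfnt version tag of CFF-based OpenType fonts) inside a blob such as a dumped executable, parses the table directory of each candidate, and flags directories whose tables claim bytes beyond the end of the data. The sample blob is constructed inline and is not a real font or a real dropper.

```python
import struct
from typing import Dict, List

SFNT_HEADER = struct.Struct(">4sHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")   # tag, checksum, offset, length

def parse_otto_at(data: bytes, pos: int) -> Dict:
    """Parse the sfnt header and table directory of an OTTO font starting at `pos`."""
    version, num_tables, _, _, _ = SFNT_HEADER.unpack_from(data, pos)
    if version != b"OTTO":
        raise ValueError("not an OTTO font")
    blob = data[pos:]                      # offsets in the directory are relative to the font start
    tables: List[Dict] = []
    anomalies: List[str] = []
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(blob):
        anomalies.append("table directory truncated")
    for i in range(num_tables):
        rec_off = SFNT_HEADER.size + i * TABLE_RECORD.size
        if rec_off + TABLE_RECORD.size > len(blob):
            break                          # directory ran off the end; stop rather than misparse
        tag, _checksum, off, length = TABLE_RECORD.unpack_from(blob, rec_off)
        tables.append({"tag": tag.decode("latin-1"), "offset": off, "length": length})
        if off + length > len(blob):       # a table claiming bytes past the blob is worth a closer look
            anomalies.append(f"table {tag!r} extends past end of data")
    if not any(t["tag"] == "CFF " for t in tables):
        anomalies.append("no CFF table in an OTTO font")
    return {"offset": pos, "num_tables": num_tables, "tables": tables, "anomalies": anomalies}

def find_otto_fonts(data: bytes) -> List[Dict]:
    """Find every OTTO signature in `data` (e.g. a dumped sample) and parse each candidate."""
    found, pos = [], data.find(b"OTTO")
    while pos != -1:
        try:
            found.append(parse_otto_at(data, pos))
        except (ValueError, struct.error):   # too few bytes for a header: not a usable candidate
            pass
        pos = data.find(b"OTTO", pos + 1)
    return found

def build_sample() -> bytes:
    """Constructed blob: 32 bytes of filler, then a minimal two-table OTTO font (not a real font)."""
    header = SFNT_HEADER.pack(b"OTTO", 2, 32, 1, 0)
    dir_size = SFNT_HEADER.size + 2 * TABLE_RECORD.size          # 12 + 32 = 44
    records = (TABLE_RECORD.pack(b"CFF ", 0, dir_size, 8)
               + TABLE_RECORD.pack(b"head", 0, dir_size + 8, 54))
    body = b"\x01\x00\x04\x01" + b"\x00" * 4 + b"\x00" * 54        # 8-byte CFF stub + 54-byte head stub
    return b"MZ" + b"\x90" * 30 + header + records + body
```

Run `find_otto_fonts(build_sample())` to see one font at offset 32 with tables `CFF ` and `head` and no anomalies; truncating the blob after the first table record produces two anomalies.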

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signatures to protect their customers.

  • GAV 20469 : Dropper.A_767
  • GAV 17022 : CVE-2015-2387