
Abstract


Celil Unuver is co-founder and principal security researcher of SIGNALSEC Ltd. He is also the organizer of NOPcon. His areas of expertise include vulnerability research and discovery, exploit development and reverse engineering. He has been a speaker at CODE BLUE Japan, CONFidence, Swiss Cyber Storm, c0c0n, DefCamp and Kuwait Info Security Forum. He enjoys hunting bugs and has discovered critical vulnerabilities affecting well-known vendors such as Adobe, Microsoft, HTC, IBM and Novell.

Ebubekir Karul is a security researcher at SIGNALSEC Ltd. He is mainly interested in reverse engineering, Windows internals and malware research. He is also an undergraduate student in the Physics faculty of Marmara University.

Miyamoto Musashi says there is more than one path to the top of the mountain. Many researchers have targeted the Windows kernel through TTF before, and TTF is a hot topic in vulnerability research. We have seen TTF exploits targeting the Windows kernel used by APT groups. However, bug hunters have not spent much time fuzzing the TTF parsers of user-mode applications. As a result, popular client-side applications still have a lot of bugs in rendering TTF files.

In this talk, we are going to give a quick overview of the internals of the TTF format and some hints about fuzzing the TTF file format. We will discuss which applications handle TTF files, to identify possible targets for bug hunters. Next, we are going to introduce a structure-aware TTF fuzzer that we developed and used over a short period. We will also show some vulnerabilities (e.g. ZDI-CAN-3102) discovered by the fuzzer.
