Registermicrosoft font subsetting dll heap corruption in fixsbitsubtables
▸▸▸ Exploit & Vulnerability >> dos exploit & windows vulnerability
Online Vulnerability Scanner Tools
Code...
-----=====[ Background ]=====----- The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts. The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness. -----=====[ Description ]=====----- We have encountered the following crash in fontsub!FixSbitSubTables: --- cut --- (8ec.5f20): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. FONTSUB!FixSbitSubTables+0x9a9: 00007fff`b4841371 6644892446 mov word ptr [rsi+rax*2],r12w ds:0000023c`a6765000=???? 0:000> ? rsi Evaluate expression: 2459514064800 = 0000023c`a6764fa0 0:000> ? rax Evaluate expression: 48 = 00000000`00000030 0:000> ? r12w Evaluate expression: 0 = 00000000`00000000 0:000> !heap -p -a rsi address 0000023ca6764fa0 found in _DPH_HEAP_ROOT @ 23ca6681000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 23ca6683888: 23ca6764fa0 60 - 23ca6764000 2000 unknown!printable 00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c 00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb 00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022 00007fffcca398f0 msvcrt!malloc+0x0000000000000070 00007fffb483fd1e FONTSUB!Mem_Alloc+0x0000000000000012 00007fffb48412ac FONTSUB!FixSbitSubTables+0x00000000000008e4 00007fffb4841a5a FONTSUB!FixSbitSubTableArray+0x00000000000001f6 00007fffb4842460 FONTSUB!ModSbit+0x0000000000000520 00007fffb48370aa FONTSUB!CreateDeltaTTFEx+0x0000000000000612 00007fffb4836a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb 00007fffb483132a FONTSUB!CreateFontPackage+0x000000000000015a [...] 0:000> k # Child-SP RetAddr Call Site 00 000000b1`2ccfd580 00007fff`b4841a5a FONTSUB!FixSbitSubTables+0x9a9 01 000000b1`2ccfd6c0 00007fff`b4842460 FONTSUB!FixSbitSubTableArray+0x1f6 02 000000b1`2ccfd7e0 00007fff`b48370aa FONTSUB!ModSbit+0x520 03 000000b1`2ccfd920 00007fff`b4836a63 FONTSUB!CreateDeltaTTFEx+0x612 04 000000b1`2ccfda40 00007fff`b483132a FONTSUB!CreateDeltaTTF+0x2cb 05 000000b1`2ccfdb80 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a [...] --- cut --- The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 4 proof of concept malformed font files which trigger the crash. Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47264.zip
Microsoft font subsetting dll heap corruption in fixsbitsubtables Vulnerability / Exploit Source : Microsoft font subsetting dll heap corruption in fixsbitsubtables
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes