Registermicrosoft font subsetting dll heap corruption in readtableintostructure
▸▸▸ Exploit & Vulnerability >> dos exploit & windows vulnerability
Online Vulnerability Scanner Tools
Code...
-----=====[ Background ]=====----- The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts. The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness. -----=====[ Description ]=====----- We have encountered crashes in fontsub!ReadTableIntoStructure similar to the following: --- cut --- (7ac.378c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. FONTSUB!ReadTableIntoStructure+0x378: 00007fff`c0874150 6689540110 mov word ptr [rcx+rax+10h],dx ds:000001f7`a7429010=???? 0:000> ? rcx Evaluate expression: 32 = 00000000`00000020 0:000> ? rax Evaluate expression: 2163174707168 = 000001f7`a7428fe0 0:000> ? dx Evaluate expression: 3 = 00000000`00000003 0:000> !heap -p -a rax address 000001f7a7428fe0 found in _DPH_HEAP_ROOT @ 1f7a7271000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 1f7a7276c98: 1f7a7428fe0 20 - 1f7a7428000 2000 00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f 00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c 00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb 00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022 00007fffcca398f0 msvcrt!malloc+0x0000000000000070 00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012 00007fffc0875562 FONTSUB!MergeEblcEbdtTables+0x0000000000000b02 00007fffc086b0a3 FONTSUB!MergeFonts+0x0000000000000603 00007fffc086baac FONTSUB!MergeDeltaTTF+0x00000000000003ec 00007fffc08614b2 FONTSUB!MergeFontPackage+0x0000000000000132 [...] 0:000> k # Child-SP RetAddr Call Site 00 000000d8`664fd3d0 00007fff`c0875599 FONTSUB!ReadTableIntoStructure+0x378 01 000000d8`664fd480 00007fff`c086b0a3 FONTSUB!MergeEblcEbdtTables+0xb39 02 000000d8`664fd690 00007fff`c086baac FONTSUB!MergeFonts+0x603 03 000000d8`664fd840 00007fff`c08614b2 FONTSUB!MergeDeltaTTF+0x3ec 04 000000d8`664fd980 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132 [...] --- cut --- In total, we have discovered crashes in four different locations inside the ReadTableIntoStructure() function. The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 4 proof of concept malformed font files which trigger the crash. Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47265.zip
Microsoft font subsetting dll heap corruption in readtableintostructure Vulnerability / Exploit Source : Microsoft font subsetting dll heap corruption in readtableintostructure
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes