Microsoft Windows - Uniscribe Font Processing Heap Out-of-Bounds Read/Write in 'USP10!AssignGlyphTypes' (MS17-011)

EDB-ID:

41648


Platform:

Windows

Published:

2017-03-20

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1023

We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!AssignGlyphTypes function, while trying to display text using a corrupted font file:

---
(58d0.5ae4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0042f2cc ebx=00000001 ecx=00000091 edx=00000091 esi=095c0004 edi=000007e1
eip=75235699 esp=0042ef8c ebp=0042ef98 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
USP10!AssignGlyphTypes+0x79:
75235699 0fb70e          movzx   ecx,word ptr [esi]       ds:002b:095c0004=????
0:000> kb
ChildEBP RetAddr  Args to Child              
0042ef98 75233660 0042f2cc 095dfc86 0000f81e USP10!AssignGlyphTypes+0x79
0042f17c 7522f29f 42555347 0042f2e4 0042f2a8 USP10!ApplyFeatures+0x500
0042f1c8 7522f710 00000000 095e0000 095dfc78 USP10!SubstituteOtlGlyphs+0x1bf
0042f204 752213c0 0042f280 0042f2b8 0042f2e4 USP10!SubstituteOtlChars+0x220
0042f480 7521548a 0042f58c 0042f5b8 0042f5a0 USP10!HebrewEngineGetGlyphs+0x690
0042f540 7521253f 0042f58c 0042f5b8 0042f5a0 USP10!ShapingGetGlyphs+0x36a
0042f628 751e5c6f 1b01233b 095b6124 095b6318 USP10!ShlShape+0x2ef
0042f66c 751f167a 1b01233b 095b6124 095b6318 USP10!ScriptShape+0x15f
0042f6cc 751f2b14 00000000 00000000 0042f74c USP10!RenderItemNoFallback+0xfa
0042f6f8 751f2da2 00000000 00000000 0042f74c USP10!RenderItemWithFallback+0x104
0042f71c 751f4339 00000000 0042f74c 095b6124 USP10!RenderItem+0x22
0042f760 751e7a04 000004a0 00000400 1b01233b USP10!ScriptStringAnalyzeGlyphs+0x1e9
0042f778 76ca5465 1b01233b 095b6040 0000000a USP10!ScriptStringAnalyse+0x284
0042f7c4 76ca5172 1b01233b 0042fbac 0000000a LPK!LpkStringAnalyse+0xe5
0042f8c0 76ca1410 1b01233b 00000000 00000000 LPK!LpkCharsetDraw+0x332
0042f8f4 763c18b0 1b01233b 00000000 00000000 LPK!LpkDrawTextEx+0x40
0042f934 763c22bf 1b01233b 000000b0 00000000 USER32!DT_DrawStr+0x13c
0042f980 763c21f2 1b01233b 0042fbac 0042fbc0 USER32!DT_GetLineBreak+0x78
0042fa2c 763c14d4 1b01233b 00000000 0000000a USER32!DrawTextExWorker+0x255
0042fa50 763c2475 1b01233b 0042fbac ffffffff USER32!DrawTextExW+0x1e
0042fa84 013b6a5c 1b01233b 0042fbac ffffffff USER32!DrawTextW+0x4d
[...]
0:000> u
USP10!AssignGlyphTypes+0x79:
75235699 0fb70e          movzx   ecx,word ptr [esi]
7523569c b8f0ff0000      mov     eax,0FFF0h
752356a1 66214602        and     word ptr [esi+2],ax
752356a5 51              push    ecx
752356a6 8d4d0c          lea     ecx,[ebp+0Ch]
752356a9 e852420000      call    USP10!otlClassDef::getClass (75239900)
752356ae 66094602        or      word ptr [esi+2],ax
752356b2 eb09            jmp     USP10!AssignGlyphTypes+0x9d (752356bd)
0:000> dd esi
095c0004  ???????? ???????? ???????? ????????
095c0014  ???????? ???????? ???????? ????????
095c0024  ???????? ???????? ???????? ????????
095c0034  ???????? ???????? ???????? ????????
095c0044  ???????? ???????? ???????? ????????
095c0054  ???????? ???????? ???????? ????????
095c0064  ???????? ???????? ???????? ????????
095c0074  ???????? ???????? ???????? ????????
---

While the immediate crash is caused by an invalid memory read operation, the function subsequently writes to the out-of-bounds memory regions at addresses 0x752356a1 and 0x752356ae, leading to memory corruption and potential remote code execution.

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is an archive with 3 crashing samples.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41648.zip