Microsoft Windows - Uniscribe Font Processing Heap Out-of-Bounds Write in 'USP10!UpdateGlyphFlags' (MS17-011)

EDB-ID:

41652




Platform:

Windows

Date:

2017-03-20


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1028

We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!UpdateGlyphFlags function, while trying to display text using a corrupted font file:

---
(5268.3b50): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00003fe0 ebx=0000ffff ecx=000007fc edx=0050ee58 esi=0000f803 edi=0931c020
eip=75230c90 esp=0050eb48 ebp=0050eb50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
USP10!UpdateGlyphFlags+0x30:
75230c90 66834c380210    or      word ptr [eax+edi+2],10h ds:002b:09320002=????
0:000> kb
ChildEBP RetAddr  Args to Child              
0050eb50 752336b3 42555347 0050ee58 00000000 USP10!UpdateGlyphFlags+0x30
0050ed2c 7522f29f 42555347 0050ee68 0050ee3c USP10!ApplyFeatures+0x553
0050ed78 7522b083 00000000 00000000 00000000 USP10!SubstituteOtlGlyphs+0x1bf
0050eda4 75226d5c 0050edd4 0050ee4c 0050ee68 USP10!ShapingLibraryInternal::SubstituteOtlGlyphsWithLanguageFallback+0x23
0050f010 7521548a 0050f11c 0050f148 0050f130 USP10!GenericEngineGetGlyphs+0xa1c
0050f0d0 7521253f 0050f11c 0050f148 0050f130 USP10!ShapingGetGlyphs+0x36a
0050f1bc 751e5c6f 7901150c 09316124 09316318 USP10!ShlShape+0x2ef
0050f200 751f167a 7901150c 09316124 09316318 USP10!ScriptShape+0x15f
0050f260 751f2b14 00000000 00000000 0050f2e0 USP10!RenderItemNoFallback+0xfa
0050f28c 751f2da2 00000000 00000000 0050f2e0 USP10!RenderItemWithFallback+0x104
0050f2b0 751f4339 00000000 0050f2e0 09316124 USP10!RenderItem+0x22
0050f2f4 751e7a04 000004a0 00000400 7901150c USP10!ScriptStringAnalyzeGlyphs+0x1e9
0050f30c 76ca5465 7901150c 09316040 0000000a USP10!ScriptStringAnalyse+0x284
0050f358 76ca5172 7901150c 0050f740 0000000a LPK!LpkStringAnalyse+0xe5
0050f454 76ca1410 7901150c 00000000 00000000 LPK!LpkCharsetDraw+0x332
0050f488 763c18b0 7901150c 00000000 00000000 LPK!LpkDrawTextEx+0x40
0050f4c8 763c22bf 7901150c 00000070 00000000 USER32!DT_DrawStr+0x13c
0050f514 763c21f2 7901150c 0050f740 0050f754 USER32!DT_GetLineBreak+0x78
0050f5c0 763c14d4 7901150c 00000000 0000000a USER32!DrawTextExWorker+0x255
0050f5e4 763c2475 7901150c 0050f740 ffffffff USER32!DrawTextExW+0x1e
0050f618 001a6a5c 7901150c 0050f740 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> !heap -p -a eax+edi
    address 09320000 found in
    _DPH_HEAP_ROOT @ 9311000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 9311f38:          931c000             4000 -          931b000             6000
    5e3e8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77580f3e ntdll!RtlDebugAllocateHeap+0x00000030
    7753ab47 ntdll!RtlpAllocateHeap+0x000000c4
    774e3431 ntdll!RtlAllocateHeap+0x0000023a
    5dbea792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    751f68fa USP10!UspAllocStatic+0x000000aa
    751f6cea USP10!UspAcquireTempAlloc+0x0000002a
    751e8778 USP10!ScriptRecordDigitSubstitution+0x00000028
    76ca5304 LPK!ReadNLSScriptSettings+0x00000074
    76ca53b8 LPK!LpkStringAnalyse+0x00000038
    76ca5172 LPK!LpkCharsetDraw+0x00000332
    76ca1410 LPK!LpkDrawTextEx+0x00000040
    763c18b0 USER32!DT_DrawStr+0x0000013c
    763c22bf USER32!DT_GetLineBreak+0x00000078
    763c21f2 USER32!DrawTextExWorker+0x00000255
    763c14d4 USER32!DrawTextExW+0x0000001e
    763c2475 USER32!DrawTextW+0x0000004d
[...]
---

The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is an archive with 3 crashing samples.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41652.zip