Microsoft Windows - 'USP10!otlSinglePosLookup::getCoverageTable' Uniscribe Font Processing Out-of-Bounds Memory Read

EDB-ID:

42239




Platform:

Windows

Date:

2017-06-23


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1203

We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!otlSinglePosLookup::getCoverageTable function, while trying to display text using a corrupted TTF font file:

---
(7f0.488): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03670ffe ebx=0365c048 ecx=03671000 edx=03671000 esi=03671000 edi=0024e9d4
eip=77500808 esp=0024e918 ebp=0024e918 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
USP10!otlSinglePosLookup::getCoverageTable+0x48:
77500808 668b4802        mov     cx,word ptr [eax+2]      ds:0023:03671000=????
0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 0024e918 77502c4b 0024e9d4 03671000 03671000 USP10!otlSinglePosLookup::getCoverageTable+0x48
01 0024e964 77504860 03670ffe 534f5047 00000001 USP10!GetSubtableCoverage+0xab
02 0024ea10 77504c29 534f5047 0367f132 00003ece USP10!BuildTableCache+0x240
03 0024ea48 774fed73 0024ea6c 00004000 0367f000 USP10!BuildCache+0x79
04 0024ea74 774e4fec 0024eaa0 00004000 0024eb44 USP10!BuildOtlCache+0x53
05 0024ecc0 774bd37b 0024edb8 0024ed48 0024ecd8 USP10!ShapingCreateFontCacheData+0x4cc
06 0024edc0 774bd8ef 03663e20 0024f148 00000004 USP10!ShlLoadFont+0x6b
07 0024f02c 774b9317 3c0102ac 0024f0b8 00000000 USP10!LoadFont+0x54f
08 0024f048 774b9630 3c0102ac 0024f070 7750d468 USP10!FindOrCreateFaceCache+0xe7
09 0024f150 774b99bb 3c0102ac 03656124 3c0102ac USP10!FindOrCreateSizeCacheWithoutRealizationID+0xf0
0a 0024f178 774ba528 3c0102ac 03656124 03656124 USP10!FindOrCreateSizeCacheUsingRealizationID+0xbb
0b 0024f19c 774ba692 03656124 3c0102ac 03656000 USP10!UpdateCache+0x38
0c 0024f1b0 774b7918 3c0102ac 000004a0 00000400 USP10!ScriptCheckCache+0x62
0d 0024f1cc 760a1736 3c0102ac 03656040 00000001 USP10!ScriptStringAnalyse+0x198
0e 0024f218 760a18c1 3c0102ac 0024f69e 00000001 LPK!LpkStringAnalyse+0xe5
0f 0024f314 760a17b4 3c0102ac 00000000 00000000 LPK!LpkCharsetDraw+0x332
10 0024f348 77df56a9 3c0102ac 00000000 00000000 LPK!LpkDrawTextEx+0x40
11 0024f388 77df5a64 3c0102ac 00000048 00000000 USER32!DT_DrawStr+0x13c
12 0024f3d4 77df580f 3c0102ac 0024f69e 0024f6a0 USER32!DT_GetLineBreak+0x78
13 0024f480 77df5882 3c0102ac 00000000 00000009 USER32!DrawTextExWorker+0x250
14 0024f4a4 77df5b68 3c0102ac 0024f69c ffffffff USER32!DrawTextExW+0x1e
[...]

0:000> !heap -p -a eax
    address 03670ffe found in
    _DPH_HEAP_ROOT @ 3651000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 3651d98:          3670c40              3c0 -          3670000             2000
    73388e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77d26206 ntdll!RtlDebugAllocateHeap+0x00000030
    77cea127 ntdll!RtlpAllocateHeap+0x000000c4
    77cb5950 ntdll!RtlAllocateHeap+0x0000023a
    72e0ae6a vrfcore!VfCoreRtlAllocateHeap+0x0000002a
    774c6724 USP10!UspAllocCache+0x00000054
    774bad00 USP10!GetOtlTables+0x000000d0
    774d777f USP10!CheckUpdateFontDescriptor+0x0000002f
    774bd8e2 USP10!LoadFont+0x00000542
    774b9317 USP10!FindOrCreateFaceCache+0x000000e7
    774b9630 USP10!FindOrCreateSizeCacheWithoutRealizationID+0x000000f0
    774b99bb USP10!FindOrCreateSizeCacheUsingRealizationID+0x000000bb
    774ba528 USP10!UpdateCache+0x00000038
    774ba692 USP10!ScriptCheckCache+0x00000062
    774b7918 USP10!ScriptStringAnalyse+0x00000198
    760a1736 LPK!LpkStringAnalyse+0x000000e5
    760a18c1 LPK!LpkCharsetDraw+0x00000332
    760a17b4 LPK!LpkDrawTextEx+0x00000040
    77df56a9 USER32!DT_DrawStr+0x0000013c
    77df5a64 USER32!DT_GetLineBreak+0x00000078
    77df580f USER32!DrawTextExWorker+0x00000250
    77df5882 USER32!DrawTextExW+0x0000001e
    77df5b68 USER32!DrawTextW+0x0000004d
[...]
---

The issue reproduces on Windows 7, and could be potentially used to disclose sensitive data from the process heap. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached are 3 proof of concept malformed font files which trigger the crash.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42239.zip