Microsoft Font Subsetting - DLL Heap Corruption in ReadTableIntoStructure







Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.


-----=====[ Background ]=====-----

The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.

The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.

-----=====[ Description ]=====-----

We have encountered crashes in fontsub!ReadTableIntoStructure similar to the following:

--- cut ---
(7ac.378c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00007fff`c0874150 6689540110      mov     word ptr [rcx+rax+10h],dx ds:000001f7`a7429010=????

0:000> ? rcx
Evaluate expression: 32 = 00000000`00000020

0:000> ? rax
Evaluate expression: 2163174707168 = 000001f7`a7428fe0

0:000> ? dx
Evaluate expression: 3 = 00000000`00000003

0:000> !heap -p -a rax
    address 000001f7a7428fe0 found in
    _DPH_HEAP_ROOT @ 1f7a7271000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                             1f7a7276c98:      1f7a7428fe0               20 -      1f7a7428000             2000
    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
    00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
    00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012
    00007fffc0875562 FONTSUB!MergeEblcEbdtTables+0x0000000000000b02
    00007fffc086b0a3 FONTSUB!MergeFonts+0x0000000000000603
    00007fffc086baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
    00007fffc08614b2 FONTSUB!MergeFontPackage+0x0000000000000132
0:000> k
 # Child-SP          RetAddr           Call Site
00 000000d8`664fd3d0 00007fff`c0875599 FONTSUB!ReadTableIntoStructure+0x378
01 000000d8`664fd480 00007fff`c086b0a3 FONTSUB!MergeEblcEbdtTables+0xb39
02 000000d8`664fd690 00007fff`c086baac FONTSUB!MergeFonts+0x603
03 000000d8`664fd840 00007fff`c08614b2 FONTSUB!MergeDeltaTTF+0x3ec
04 000000d8`664fd980 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
--- cut ---

In total, we have discovered crashes in four different locations inside the ReadTableIntoStructure() function.

The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 4 proof of concept malformed font files which trigger the crash.

Proof of Concept: