Microsoft Font Subsetting - DLL Heap Corruption in ReadAllocFormat12CharGlyphMapList

EDB-ID:

47266




Platform:

Windows

Date:

2019-08-15


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

-----=====[ Background ]=====-----

The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.

The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.

-----=====[ Description ]=====-----

We have encountered the following crash in fontsub!ReadAllocFormat12CharGlyphMapList:

--- cut ---
(5a30.397c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FONTSUB!ReadAllocFormat12CharGlyphMapList+0x13d:
00007fff`c086cf8d 448904c8        mov     dword ptr [rax+rcx*8],r8d ds:00000225`050b9000=????????

0:000> ? rax
Evaluate expression: 2358021689232 = 00000225`050b8f90

0:000> ? rcx
Evaluate expression: 14 = 00000000`0000000e

0:000> ? r8d
Evaluate expression: 4294967286 = 00000000`fffffff6

0:000> !heap -p -a rax
    address 00000225050b8f90 found in
    _DPH_HEAP_ROOT @ 22505011000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                             22505012478:      225050b8f90               68 -      225050b8000             2000
    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
    00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
    00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012
    00007fffc086cf24 FONTSUB!ReadAllocFormat12CharGlyphMapList+0x00000000000000d4
    00007fffc08706cd FONTSUB!ModCmap+0x0000000000000459
    00007fffc0866eab FONTSUB!CreateDeltaTTFEx+0x0000000000000413
    00007fffc0866a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb
    00007fffc086132a FONTSUB!CreateFontPackage+0x000000000000015a
[...]
 
0:000> k
 # Child-SP          RetAddr           Call Site
00 000000ad`62cfd4b0 00007fff`c08706cd FONTSUB!ReadAllocFormat12CharGlyphMapList+0x13d
01 000000ad`62cfd520 00007fff`c0866eab FONTSUB!ModCmap+0x459
02 000000ad`62cfd660 00007fff`c0866a63 FONTSUB!CreateDeltaTTFEx+0x413
03 000000ad`62cfd780 00007fff`c086132a FONTSUB!CreateDeltaTTF+0x2cb
04 000000ad`62cfd8c0 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a
[...]
--- cut ---

The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47266.zip