Microsoft Windows Graphics Component Information Disclosure Vulnerability(CVE-2017-0287)

ID SSV:96245
Type seebug
Reporter Root
Modified 2017-06-27T00:00:00


We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!otlSinglePosLookup::getCoverageTable function, while trying to display text using a corrupted TTF font file: ```

(7f0.488): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=03670ffe ebx=0365c048 ecx=03671000 edx=03671000 esi=03671000 edi=0024e9d4 eip=77500808 esp=0024e918 ebp=0024e918 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 USP10!otlSinglePosLookup::getCoverageTable+0x48: 77500808 668b4802 mov cx,word ptr [eax+2] ds:0023:03671000=???? 0:000> kb # ChildEBP RetAddr Args to Child
00 0024e918 77502c4b 0024e9d4 03671000 03671000 USP10!otlSinglePosLookup::getCoverageTable+0x48 01 0024e964 77504860 03670ffe 534f5047 00000001 USP10!GetSubtableCoverage+0xab 02 0024ea10 77504c29 534f5047 0367f132 00003ece USP10!BuildTableCache+0x240 03 0024ea48 774fed73 0024ea6c 00004000 0367f000 USP10!BuildCache+0x79 04 0024ea74 774e4fec 0024eaa0 00004000 0024eb44 USP10!BuildOtlCache+0x53 05 0024ecc0 774bd37b 0024edb8 0024ed48 0024ecd8 USP10!ShapingCreateFontCacheData+0x4cc 06 0024edc0 774bd8ef 03663e20 0024f148 00000004 USP10!ShlLoadFont+0x6b 07 0024f02c 774b9317 3c0102ac 0024f0b8 00000000 USP10!LoadFont+0x54f 08 0024f048 774b9630 3c0102ac 0024f070 7750d468 USP10!FindOrCreateFaceCache+0xe7 09 0024f150 774b99bb 3c0102ac 03656124 3c0102ac USP10!FindOrCreateSizeCacheWithoutRealizationID+0xf0 0a 0024f178 774ba528 3c0102ac 03656124 03656124 USP10!FindOrCreateSizeCacheUsingRealizationID+0xbb 0b 0024f19c 774ba692 03656124 3c0102ac 03656000 USP10!UpdateCache+0x38 0c 0024f1b0 774b7918 3c0102ac 000004a0 00000400 USP10!ScriptCheckCache+0x62 0d 0024f1cc 760a1736 3c0102ac 03656040 00000001 USP10!ScriptStringAnalyse+0x198 0e 0024f218 760a18c1 3c0102ac 0024f69e 00000001 LPK!LpkStringAnalyse+0xe5 0f 0024f314 760a17b4 3c0102ac 00000000 00000000 LPK!LpkCharsetDraw+0x332 10 0024f348 77df56a9 3c0102ac 00000000 00000000 LPK!LpkDrawTextEx+0x40 11 0024f388 77df5a64 3c0102ac 00000048 00000000 USER32!DT_DrawStr+0x13c 12 0024f3d4 77df580f 3c0102ac 0024f69e 0024f6a0 USER32!DT_GetLineBreak+0x78 13 0024f480 77df5882 3c0102ac 00000000 00000009 USER32!DrawTextExWorker+0x250 14 0024f4a4 77df5b68 3c0102ac 0024f69c ffffffff USER32!DrawTextExW+0x1e [...]

0:000> !heap -p -a eax address 03670ffe found in _DPH_HEAP_ROOT @ 3651000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 3651d98: 3670c40 3c0 - 3670000 2000 73388e89 verifier!AVrfDebugPageHeapAllocate+0x00000229 77d26206 ntdll!RtlDebugAllocateHeap+0x00000030 77cea127 ntdll!RtlpAllocateHeap+0x000000c4 77cb5950 ntdll!RtlAllocateHeap+0x0000023a 72e0ae6a vrfcore!VfCoreRtlAllocateHeap+0x0000002a 774c6724 USP10!UspAllocCache+0x00000054 774bad00 USP10!GetOtlTables+0x000000d0 774d777f USP10!CheckUpdateFontDescriptor+0x0000002f 774bd8e2 USP10!LoadFont+0x00000542 774b9317 USP10!FindOrCreateFaceCache+0x000000e7 774b9630 USP10!FindOrCreateSizeCacheWithoutRealizationID+0x000000f0 774b99bb USP10!FindOrCreateSizeCacheUsingRealizationID+0x000000bb 774ba528 USP10!UpdateCache+0x00000038 774ba692 USP10!ScriptCheckCache+0x00000062 774b7918 USP10!ScriptStringAnalyse+0x00000198 760a1736 LPK!LpkStringAnalyse+0x000000e5 760a18c1 LPK!LpkCharsetDraw+0x00000332 760a17b4 LPK!LpkDrawTextEx+0x00000040 77df56a9 USER32!DT_DrawStr+0x0000013c 77df5a64 USER32!DT_GetLineBreak+0x00000078 77df580f USER32!DrawTextExWorker+0x00000250 77df5882 USER32!DrawTextExW+0x0000001e 77df5b68 USER32!DrawTextW+0x0000004d [...]

``` The issue reproduces on Windows 7, and could be potentially used to disclose sensitive data from the process heap. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached are 3 proof of concept malformed font files which trigger the crash.