Windows win32k.sys TTF Font Processing win32k!fsc_BLTHoriz Out-of-Bounds Pool Write Exploit

ID 1337DAY-ID-24120
Type zdt
Reporter Google Security Research
Modified 2015-08-22T00:00:00


Exploit for windows platform in category dos / poc

We have encountered a Windows kernel crash in the win32k!fsc_BLTHoriz function while processing corrupted TTF font files, such as:
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arg1: fbde5000, memory referenced
Arg2: 00000001, value 0 = read operation, 1 = write operation
Arg3: 8209f076, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)
Debugging Details:
Could not read faulting driver name
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 8279284c
Unable to read MiSystemVaType memory at 82771f00
8209f076 0908            or      dword ptr [eax],ecx
PROCESS_NAME:  csrss.exe
LAST_CONTROL_TRANSFER:  from 8209c56b to 8209f076
8943f600 8209c56b fbde4fe0 000000d8 8943f6b8 win32k!fsc_BLTHoriz+0x37
8943f638 820b45f5 fbde4fe0 00000002 fffffffe win32k!fsc_FillBitMap+0xe7
8943f698 820b3eb2 ff6df874 50000061 00000002 win32k!fsc_FillGlyph+0x45e
8943f6e8 820b9ca7 ff6df010 ff6df07c fbc74f24 win32k!fs_ContourScan+0x55d
8943f82c 820aec63 00000014 0000007f 8943f918 win32k!lGetGlyphBitmap+0x179
8943f850 820aeab6 00000000 00000001 0000007f win32k!ttfdQueryFontData+0x158
8943f8a0 820adce2 ff7af010 fbc74cf0 00000001 win32k!ttfdSemQueryFontData+0x45
8943f8e8 820b3774 ff7af010 fbc74cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
8943f960 8212bc8d 8943fc3c fc5e4bd4 ff6d57e8 win32k!xInsertMetricsPlusRFONTOBJ+0x120
8943f990 820a594d 00000008 ff7bf030 8943fcd6 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
8943f9c8 8212b78b 8943fc1c 8943fc3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
8943fa0c 820a55d0 8943fcd0 00000008 8943fc1c win32k!ESTROBJ::vInit+0x268
8943fc2c 820a5793 00000000 8943fcd0 fbc74cf0 win32k!GreGetTextExtentExW+0x12a
8943fd0c 82665896 030102cd 00710bb0 00000008 win32k!NtGdiGetTextExtentExW+0x141
8943fd0c 773f70f4 030102cd 00710bb0 00000008 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0027f6cc 00000000 00000000 00000000 00000000 0x773f70f4
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "fpgm", "hmtx" and "maxp" tables.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in win32k!fsc_RemoveDups or another location in kernel space. Interestingly, the crash occurs in different win32k.sys functions depending on the operating system:
Windows 7 32-bit: win32k!fsc_BLTHoriz
Windows 7 64-bit: win32k!fsc_MeasureGlyph
Windows 8 32-bit: win32k!fsg_CopyFontProgramResults
In order to reproduce the problem with the provided sample, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is a proof of concept font file together with the corresponding kernel crash log.
Proof of Concept:

# [2018-04-11]  #