Microsoft Windows - Uniscribe Font Processing Heap-Based Memory Corruption in USP10!MergeLigRecords

2017-03-20T00:00:00
ID 1337DAY-ID-27368
Type zdt
Reporter Google Security Research
Modified 2017-03-20T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1026&desc=2
 
We have encountered a crash in the Windows Uniscribe user-mode library, in the memcpy() function called by USP10!MergeLigRecords, while trying to display text using a corrupted font file:
 
---
(2bd0.637c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0929a000 ebx=09299fa0 ecx=00000009 edx=00000002 esi=09299fda edi=092b7914
eip=76bc9b60 esp=0015f534 ebp=0015f53c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
msvcrt!memcpy+0x5a:
76bc9b60 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> kb
ChildEBP RetAddr  Args to Child              
0015f53c 751f777d 092b7914 09299fda 00000026 msvcrt!memcpy+0x5a
0015f554 751f74e9 0928ffd0 0928f9d0 0015f5f0 USP10!MergeLigRecords+0x14d
0015f5b4 751f7044 0000001a 09223d88 09233fa8 USP10!LoadTTOArabicShapeTables+0x3f9
0015f5c8 751fc5f4 a60118b0 09223d88 09216124 USP10!LoadArabicShapeTables+0xd4
0015f5e4 751ea5a0 a60118b0 0928f7d0 0000001a USP10!ArabicLoadTbl+0xd4
0015f608 751ea692 09216124 a60118b0 0000001a USP10!UpdateCache+0xb0
0015f61c 751f152d a60118b0 09216000 751f15db USP10!ScriptCheckCache+0x62
0015f628 751f15db 00000001 00000001 092162e8 USP10!GetShapeFunction+0xd
0015f660 751f2b14 00000001 00000000 0015f6e0 USP10!RenderItemNoFallback+0x5b
0015f68c 751f2da2 00000001 00000000 0015f6e0 USP10!RenderItemWithFallback+0x104
0015f6b0 751f4339 00000000 0015f6e0 09216124 USP10!RenderItem+0x22
0015f6f4 751e7a04 000004a0 00000400 a60118b0 USP10!ScriptStringAnalyzeGlyphs+0x1e9
0015f70c 76ca5465 a60118b0 09216040 0000000a USP10!ScriptStringAnalyse+0x284
0015f758 76ca5172 a60118b0 0015fb40 0000000a LPK!LpkStringAnalyse+0xe5
0015f854 76ca1410 a60118b0 00000000 00000000 LPK!LpkCharsetDraw+0x332
0015f888 763c18b0 a60118b0 00000000 00000000 LPK!LpkDrawTextEx+0x40
0015f8c8 763c22bf a60118b0 000000c0 00000000 USER32!DT_DrawStr+0x13c
0015f914 763c21f2 a60118b0 0015fb40 0015fb54 USER32!DT_GetLineBreak+0x78
0015f9c0 763c14d4 a60118b0 00000000 0000000a USER32!DrawTextExWorker+0x255
0015f9e4 763c2475 a60118b0 0015fb40 ffffffff USER32!DrawTextExW+0x1e
0015fa18 010e6a5c a60118b0 0015fb40 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> dd esi
09299fda  03e003df 03df03ea 03df0382 03df0384
09299fea  03df0388 03e0038e 03e00382 03e00384
09299ffa  03e00388 ???????? ???????? ????????
0929a00a  ???????? ???????? ???????? ????????
0929a01a  ???????? ???????? ???????? ????????
0929a02a  ???????? ???????? ???????? ????????
0929a03a  ???????? ???????? ???????? ????????
0929a04a  ???????? ???????? ???????? ????????
0:000> dd edi
092b7914  ???????? ???????? ???????? ????????
092b7924  ???????? ???????? ???????? ????????
092b7934  ???????? ???????? ???????? ????????
092b7944  ???????? ???????? ???????? ????????
092b7954  ???????? ???????? ???????? ????????
092b7964  ???????? ???????? ???????? ????????
092b7974  ???????? ???????? ???????? ????????
092b7984  ???????? ???????? ???????? ????????
---
 
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
 
Attached is a proof of concept malformed font file which triggers the crash.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41650.zip

#  0day.today [2018-03-01]  #