Microsoft Windows - Uniscribe Font Processing Heap-Based Memory Corruption in USP10!otlCacheManager:

2017-03-20T00:00:00
ID 1337DAY-ID-27369
Type zdt
Reporter Google Security Research
Modified 2017-03-20T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1025
 
We have encountered a crash in the Windows Uniscribe user-mode library, in the memset() function called by USP10!otlCacheManager::GlyphsSubstituted, while trying to display text using a corrupted font file:
 
---
(449c.6338): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=092ac250 ebx=092ac230 ecx=00000784 edx=00000074 esi=0028ea6c edi=092affd0
eip=76bc9c8d esp=0028e978 ebp=0028e97c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
msvcrt!_VEC_memcpy+0x116:
76bc9c8d 660f7f4730      movdqa  xmmword ptr [edi+30h],xmm0 ds:002b:092b0000=????????????????????????????????
0:000> kb
ChildEBP RetAddr  Args to Child              
0028e97c 76bc9c39 092ac250 0003ff80 00000006 msvcrt!_VEC_memcpy+0x116
0028e99c 76bc9cde 092ac250 00000000 0003fff4 msvcrt!_VEC_memzero+0x36
0028e9c0 75234b58 092ac248 00000000 0003fffc msvcrt!_VEC_memzero+0x82
0028e9e0 752336a1 0028ed18 00000006 0000ffff USP10!otlCacheManager::GlyphsSubstituted+0xc8
0028ebc0 7522f29f 42555347 0028ed58 0028ece4 USP10!ApplyFeatures+0x541
0028ec0c 7522b083 00000000 092c6ffc 092c6e18 USP10!SubstituteOtlGlyphs+0x1bf
0028ec38 75223921 0028ecb4 0028ed0c 0028ed58 USP10!ShapingLibraryInternal::SubstituteOtlGlyphsWithLanguageFallback+0x23
0028eed0 7521548a 0028efdc 0028f008 0028eff0 USP10!ArabicEngineGetGlyphs+0x891
0028ef90 7521253f 0028efdc 0028f008 0028eff0 USP10!ShapingGetGlyphs+0x36a
0028f078 751e5c6f 2a0123f2 092a6124 092a6318 USP10!ShlShape+0x2ef
0028f0bc 751f167a 2a0123f2 092a6124 092a6318 USP10!ScriptShape+0x15f
0028f11c 751f2b14 00000000 00000000 0028f19c USP10!RenderItemNoFallback+0xfa
0028f148 751f2da2 00000000 00000000 0028f19c USP10!RenderItemWithFallback+0x104
0028f16c 751f4339 00000000 0028f19c 092a6124 USP10!RenderItem+0x22
0028f1b0 751e7a04 000004a0 00000400 2a0123f2 USP10!ScriptStringAnalyzeGlyphs+0x1e9
0028f1c8 76ca5465 2a0123f2 092a6040 0000000a USP10!ScriptStringAnalyse+0x284
0028f214 76ca5172 2a0123f2 0028f5fc 0000000a LPK!LpkStringAnalyse+0xe5
0028f310 76ca1410 2a0123f2 00000000 00000000 LPK!LpkCharsetDraw+0x332
0028f344 763c18b0 2a0123f2 00000000 00000000 LPK!LpkDrawTextEx+0x40
0028f384 763c22bf 2a0123f2 00000070 00000000 USER32!DT_DrawStr+0x13c
0028f3d0 763c21f2 2a0123f2 0028f5fc 0028f610 USER32!DT_GetLineBreak+0x78
0028f47c 763c14d4 2a0123f2 00000000 0000000a USER32!DrawTextExWorker+0x255
0028f4a0 763c2475 2a0123f2 0028f5fc ffffffff USER32!DrawTextExW+0x1e
0028f4d4 01336a5c 2a0123f2 0028f5fc ffffffff USER32!DrawTextW+0x4d
[...]
0:000> dd edi
092affd0  00000000 00000000 00000000 00000000
092affe0  00000000 00000000 00000000 00000000
092afff0  00000000 00000000 00000000 00000000
092b0000  ???????? ???????? ???????? ????????
092b0010  ???????? ???????? ???????? ????????
092b0020  ???????? ???????? ???????? ????????
092b0030  ???????? ???????? ???????? ????????
092b0040  ???????? ???????? ???????? ????????
---
 
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
 
Attached is an archive with 2 crashing samples.
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41649.zip

#  0day.today [2018-04-10]  #