Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtGoogle Security Research1337DAY-ID-32562
HistoryApr 17, 2019 - 12:00 a.m.

Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator

2019-04-1700:00:00
Google Security Research
0day.today
70

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

83.9%

JSON
Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID

A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:

--- cut ---
  $ bin/java -cp . DisplaySfntFont test.ttf
  Iteration (0,0)
  #
  # A fatal error has been detected by the Java Runtime Environment:
  #
  #  SIGSEGV (0xb) at pc=0x00007f7285b39824, pid=234398, tid=0x00007f7286683700
  #
  # JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
  # Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
  # Problematic frame:
  # C  [libc.so.6+0x77824]# [ timer expired, abort... ]
  Aborted
--- cut ---

The crash reproduces on both Windows and Linux platforms. On Linux, it can be also triggered with the MALLOC_CHECK_=3 environment variable:

--- cut ---
  $ MALLOC_CHECK_=3 bin/java -cp . DisplaySfntFont test.ttf
  Iteration (0,0)
  *** Error in `bin/java': free(): invalid pointer: 0x0000000002876320 ***
  ======= Backtrace: =========
  /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f84185edbcb]
  /lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f84185f3f96]
  jre/8u202/lib/amd64/libfontmanager.so(+0x1d2b2)[0x7f83ddc672b2]
  jre/8u202/lib/amd64/libfontmanager.so(+0x27ff4)[0x7f83ddc71ff4]
  jre/8u202/lib/amd64/libfontmanager.so(+0x866f)[0x7f83ddc5266f]
  jre/8u202/lib/amd64/libfontmanager.so(Java_sun_font_SunLayoutEngine_nativeLayout+0x230)[0x7f83ddc78990]
  [0x7f84076306c7]
  ======= Memory map: ========
  00400000-00401000 r-xp 00000000 fe:01 20840680                           jre/8u202/bin/java
  00600000-00601000 r--p 00000000 fe:01 20840680                           jre/8u202/bin/java
  00601000-00602000 rw-p 00001000 fe:01 20840680                           jre/8u202/bin/java
  023ba000-028d9000 rw-p 00000000 00:00 0                                  [heap]
  3d1a00000-3fba00000 rw-p 00000000 00:00 0
  3fba00000-670900000 ---p 00000000 00:00 0
  670900000-685900000 rw-p 00000000 00:00 0
  685900000-7c0000000 ---p 00000000 00:00 0
  7c0000000-7c00c0000 rw-p 00000000 00:00 0
  7c00c0000-800000000 ---p 00000000 00:00 0
  [...]
--- cut ---

... under Valgrind:

--- cut ---
  $ valgrind bin/java -cp . DisplaySfntFont test.ttf
  [...]
  ==245623== Invalid write of size 2
  ==245623==    at 0x40BF2750: GlyphIterator::setCurrGlyphID(unsigned short) (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40C0C089: SingleSubstitutionFormat1Subtable::process(LEReferenceTo<SingleSubstitutionFormat1Subtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40C0C4A4: SingleSubstitutionSubtable::process(LEReferenceTo<SingleSubstitutionSubtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40BF47E5: GlyphSubstitutionLookupProcessor::applySubtable(LEReferenceTo<LookupSubtable> const&, unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const [clone .part.11] (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40C01DCE: LookupProcessor::applyLookupTable(LEReferenceTo<LookupTable> const&, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40C02FBA: LookupProcessor::applySingleLookup(unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40BEBC9C: ContextualSubstitutionBase::applySubstitutionLookups(LookupProcessor const*, LEReferenceToArrayOf<SubstitutionLookupRecord> const&, unsigned short, GlyphIterator*, LEFontInstance const*, int, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40BEE766: ChainingContextualSubstitutionFormat3Subtable::process(LETableReference const&, LookupProcessor const*, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40BEE8E3: ChainingContextualSubstitutionSubtable::process(LEReferenceTo<ChainingContextualSubstitutionSubtable> const&, LookupProcessor const*, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40BF475B: GlyphSubstitutionLookupProcessor::applySubtable(LEReferenceTo<LookupSubtable> const&, unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const [clone .part.11] (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40C01DCE: LookupProcessor::applyLookupTable(LEReferenceTo<LookupTable> const&, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40C02EAB: LookupProcessor::process(LEGlyphStorage&, GlyphPositionAdjustments*, char, LEReferenceTo<GlyphDefinitionTableHeader> const&, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==  Address 0x3f68a55c is 4 bytes before a block of size 104 alloc'd
  ==245623==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
  ==245623==    by 0x40BFD4CF: LEGlyphStorage::allocateGlyphArray(int, char, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40BE875A: ArabicOpenTypeLayoutEngine::characterProcessing(unsigned short const*, int, int, int, char, unsigned short*&, LEGlyphStorage&, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40C0815F: OpenTypeLayoutEngine::computeGlyphs(unsigned short const*, int, int, int, char, LEGlyphStorage&, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40BFE55D: LayoutEngine::layoutChars(unsigned short const*, int, int, int, char, float, float, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
  ==245623==    by 0x40C0E91F: Java_sun_font_SunLayoutEngine_nativeLayout (in jre/8u202/lib/amd64/libfontmanager.so)
  [...]
--- cut ---

or with AFL's libdislocator under gdb:

--- cut ---
Continuing.
  Iteration (0,0)
  *** [AFL] bad allocator canary on free() ***

  Thread 2 "java" received signal SIGABRT, Aborted.
  [...]
  Stopped reason: SIGABRT
  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
  51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
  gdb$ where
  #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
  #1  0x00007ffff72313fa in __GI_abort () at abort.c:89
  #2  0x00007ffff7bd651c in free () from libdislocator/libdislocator.so
  #3  0x00007fffb892f2b2 in LEGlyphStorage::reset() () from jre/8u202/lib/amd64/libfontmanager.so
  #4  0x00007fffb8939ff4 in OpenTypeLayoutEngine::~OpenTypeLayoutEngine() ()
     from jre/8u202/lib/amd64/libfontmanager.so
  #5  0x00007fffb891a66f in ArabicOpenTypeLayoutEngine::~ArabicOpenTypeLayoutEngine() ()
     from jre/8u202/lib/amd64/libfontmanager.so
  #6  0x00007fffb8940990 in Java_sun_font_SunLayoutEngine_nativeLayout ()
     from jre/8u202/lib/amd64/libfontmanager.so
  #7  0x00007fffe5e376c7 in ?? ()
  #8  0x0000000000000000 in ?? ()
--- cut ---

On Windows, the crash also reliably reproduces with PageHeap enabled for the java.exe process:

--- cut ---
  (1184.4c60): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0x14bf:
  00007ffa`0d6291bf 428124810000ffff and     dword ptr [rcx+r8*4],0FFFF0000h ds:00000000`39663ffc=????????
--- cut ---

We have encountered crashes in the libfontmanager!GlyphIterator::setCurrGlyphID function while trying to write before and after a heap allocation. Attached with this report are two mutated testcases (for the buffer under- and overflow), and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46723.zip

Related

redhatcve 1
ubuntucve 1
prion 1
cve 1
alpinelinux 1
debiancve 1
veracode 1
openvas 28
nessus 59
oraclelinux 5
debian 2
redhat 11
amazon 4
centos 4
osv 2
mageia 1
ibm 33
suse 3
f5 1
ubuntu 1
aix 1
kaspersky 1
photon 5
gentoo 1
altlinux 1
oracle 1
redhatcve
redhatcve
CVE-2019-2698
2020-01-12 15:34:12
ubuntucve
ubuntucve
CVE-2019-2698
2019-04-23 00:00:00
prion
prion
Design/Logic Flaw
2019-04-23 19:32:00
cve
cve
CVE-2019-2698
2019-04-23 19:32:00
alpinelinux
alpinelinux
CVE-2019-2698
2019-04-23 19:32:00
debiancve
debiancve
CVE-2019-2698
2019-04-23 19:32:00
veracode
veracode
Arbitrary Code Execution
2019-05-16 04:17:27
openvas
openvas
Huawei EulerOS: Security Advisory for java-1.7.0-openjdk (EulerOS-SA-2019-1584)
2020-01-23 00:00:00
Oracle Java SE Security Updates (apr2019-5072813) 02 - Windows
2019-04-18 00:00:00
Oracle Java SE Security Updates (apr2019-5072813) 02 - Linux
2019-04-18 00:00:00
nessus
nessus
EulerOS 2.0 SP5 : java-1.7.0-openjdk (EulerOS-SA-2019-1584)
2019-05-29 00:00:00
NewStart CGSL MAIN 4.05 : java-1.7.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0154)
2019-08-12 00:00:00
RHEL 6 : java-1.7.0-openjdk (RHSA-2019:0790)
2019-04-23 00:00:00
oraclelinux
oraclelinux
java-1.8.0-openjdk security update
2019-07-30 00:00:00
java-1.8.0-openjdk security and bug fix update
2019-04-17 00:00:00
java-1.7.0-openjdk security update
2019-04-22 00:00:00
debian
debian
[SECURITY] [DLA 1782-1] openjdk-7 security update
2019-05-10 16:39:02
[SECURITY] [DSA 4453-1] openjdk-8 security update
2019-05-29 21:15:56
redhat
redhat
(RHSA-2019:0791) Important: java-1.7.0-openjdk security update
2019-04-22 13:42:43
(RHSA-2019:0774) Important: java-1.8.0-openjdk security and bug fix update
2019-04-17 14:49:38
(RHSA-2019:0775) Important: java-1.8.0-openjdk security update
2019-04-17 14:49:45
amazon
amazon
Important: java-1.8.0-openjdk
2019-08-07 23:35:00
Important: java-1.7.0-openjdk
2019-05-16 21:42:00
Important: java-11-amazon-corretto
2019-06-11 23:21:00
centos
centos
java security update
2019-04-19 18:51:58
java security update
2019-04-19 18:53:44
java security update
2019-04-22 22:47:39
osv
osv
openjdk-7 - security update
2019-05-10 00:00:00
openjdk-8 - security update
2019-05-29 00:00:00
mageia
mageia
Updated java-1.8.0-openjdk packages fix security vulnerability
2019-05-08 00:38:09
ibm
ibm
Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud April 2019 CPU
2019-06-12 17:05:02
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus, IBM App Connect Enterpise v11 and WebSphere Message Broker
2020-03-23 20:41:52
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affecting Rational Functional Tester
2019-09-11 10:21:35
suse
suse
Security update for java-1_8_0-openjdk (important)
2019-05-23 00:00:00
Security update for java-1_7_0-openjdk (moderate)
2019-06-03 00:00:00
Security update for java-1_8_0-openjdk (important)
2019-05-23 00:00:00
f5
f5
K07519400 : Java SE vulnerabilities CVE-2019-2602, CVE-2019-2698, CVE-2019-2945, and CVE-2019-2962
2022-06-10 00:00:00
ubuntu
ubuntu
OpenJDK vulnerabilities
2019-05-13 00:00:00
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2019-06-28 13:47:27
kaspersky
kaspersky
KLA11470 Multiple vulnerabilities in Oracle Java SE
2019-04-16 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2019-0232
2019-05-09 00:00:00
Critical Photon OS Security Update - PHSA-2019-0014
2019-05-11 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2019-2.0-0159
2019-05-10 00:00:00
gentoo
gentoo
Oracle JDK/JRE: Multiple vulnerabilities
2019-08-15 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package java-11-openjdk version 0:11.0.12.7-alt1_0jpp10
2021-08-25 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2019
2019-04-16 00:00:00

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

83.9%

JSON
Related for 1337DAY-ID-32562
redhatcve1ubuntucve1prion1cve1alpinelinux1debiancve1veracode1openvas28nessus59oraclelinux5debian2redhat11amazon4centos4osv2mageia1ibm33suse3f51ubuntu1aix1kaspersky1photon5gentoo1altlinux1oracle1