Microsoft DirectWrite invalid read in SplicePixel while processing OTF fonts - Vulnerability / Exploit
Discovered: 2019-09-12 | Type: dos | Platform: windows
Microsoft DirectWrite is a modern Windows API for high-quality text rendering. Most of its code resides in the DWrite.dll user-mode library. It is used by a variety of widely used desktop programs (such as the Chrome, Firefox and Edge browsers) and constitutes an attack surface for memory corruption bugs, as it parses and rasterizes untrusted font files and is written in C/C++.
Through fuzzing, we have discovered a crash caused by an invalid memory read in DWrite!SplicePixel while rasterizing the glyphs of a slightly malformed OpenType font. The problem reproduces in all major browsers; below is a crash log from the Microsoft Edge renderer process, generated when trying to open a web page with the proof-of-concept font embedded:
--- cut ---
(281c.25d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
DWrite!SplicePixel+0x14b:
00007fff`b8634473 488b14f0 mov rdx,qword ptr [rax+rsi*8] ds:00000227`c62d95b0=????????????????
We have minimized the test case to a single-byte difference relative to the original file. When the two fonts are dumped to XML with the "ttx" utility from the fontTools package, the difference becomes obvious: it is a change of one of the FontMatrix values inside the CFF table.
The issue reproduces on a fully updated Windows 7 and Windows 10 1709; we haven't tested other versions of the system. Since the faulting instruction reads out of bounds rather than writing, the bug could potentially be used to disclose sensitive data from the process address space. It is easiest to reproduce with PageHeap enabled for the target process (e.g. gflags /p /enable <image name> /full), which places the out-of-bounds read on an unmapped guard page, but it is also possible to observe a crash in a default system configuration. Attached are the minimized PoC font, the original font, an HTML file to reproduce the bug in a browser, and 3 extra non-minimized samples which also trigger the crash.
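The advisory locates the minimized delta by dumping both fonts with fontTools' ttx and diffing the XML. The following is an added example, not part of the original advisory or of Project Zero's tooling, that does the same triage from the binary side: it finds every byte at which two equal-length fonts differ and maps each offset to the OpenType table that contains it by parsing the sfnt table directory. The helper names (parse_table_directory, byte_diff, diff_fonts, build_sample_font) are my own, and the sample font built inline is a constructed two-table stub with placeholder bytes, not the PoC file; on the real pair of fonts the differing byte is expected to land inside "CFF ".

```python
"""Map the byte(s) that differ between an original font and a minimized PoC
to the OpenType table that contains them (added example, not from the advisory)."""
import struct
import sys

SFNT_VERSIONS = (0x00010000, 0x4F54544F)  # TrueType outlines, or 'OTTO' for CFF outlines


def parse_table_directory(data: bytes) -> dict:
    """Return {tag: (offset, length)} from the sfnt header and table records."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    sfnt_version, num_tables = struct.unpack(">IH", data[:6])
    if sfnt_version not in SFNT_VERSIONS:
        raise ValueError("unexpected sfnt version 0x%08x" % sfnt_version)
    tables = {}
    for i in range(num_tables):
        rec = data[12 + 16 * i: 12 + 16 * (i + 1)]
        if len(rec) < 16:
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        # Reject records pointing past the file: a malformed directory is itself
        # a classic source of parser bugs, so do not trust it blindly.
        if offset + length > len(data):
            raise ValueError("table %r extends past end of file" % tag)
        tables[tag.decode("latin-1")] = (offset, length)
    return tables


def byte_diff(a: bytes, b: bytes) -> list:
    """Offsets at which a and b differ; a single-byte delta implies equal lengths."""
    if len(a) != len(b):
        raise ValueError("fonts differ in length (%d vs %d)" % (len(a), len(b)))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def locate(tables: dict, offset: int):
    """Return (tag, offset within table) for a file offset, or (None, None)
    when the offset falls in the header/directory or in inter-table padding."""
    for tag, (start, length) in tables.items():
        if start <= offset < start + length:
            return tag, offset - start
    return None, None


def diff_fonts(original: bytes, poc: bytes) -> list:
    """List of (file_offset, orig_byte, poc_byte, table_tag, table_offset).
    The table directory of the original is used; a delta confined to the table
    bodies (as in the minimized PoC) leaves the directory unchanged."""
    tables = parse_table_directory(original)
    out = []
    for off in byte_diff(original, poc):
        tag, rel = locate(tables, off)
        out.append((off, original[off], poc[off], tag, rel))
    return out


def build_sample_font(cff_payload: bytes, head_payload: bytes = b"\0" * 54) -> bytes:
    """Constructed sample: an 'OTTO' file with only a 'CFF ' and a 'head' table.
    Payload bytes are placeholders, not real CFF or head data."""
    tables = [(b"CFF ", cff_payload), (b"head", head_payload)]
    base = 12 + 16 * len(tables)
    directory = b""
    body = b""
    for tag, payload in tables:
        directory += struct.pack(">4sIII", tag, 0, base + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
    header = struct.pack(">IHHHH", 0x4F54544F, len(tables), 32, 1, 0)
    return header + directory + body


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f_orig, open(sys.argv[2], "rb") as f_poc:
            rows = diff_fonts(f_orig.read(), f_poc.read())
    else:
        orig = build_sample_font(b"A" * 20)
        mutated = bytearray(orig)
        mutated[50] ^= 0x01  # flip one bit inside the constructed 'CFF ' table
        rows = diff_fonts(orig, bytes(mutated))
    for off, a, b, tag, rel in rows:
        print("offset 0x%x: 0x%02x -> 0x%02x in table %r (+0x%x)" % (off, a, b, tag, rel))
```

Run it as `python triage.py original.otf poc.otf` to print each differing offset with its table; with no arguments it demonstrates on the constructed stub. A delta that lands in the table directory rather than a table body means the two files are not a minimal pair and the offsets of later tables may have shifted, which is why the script refuses fonts of unequal length instead of guessing.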
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47381.zip