Oracle java runtime environment heap outofbounds read during ttf font rendering in alternatesubstitutionsubtable::process Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2019-02-18 |
Type : dos |
Platform : java
[+] Code ...
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:
--- cut ---
$ bin/java -cp . DisplaySfntFont test.ttf
Iteration (0,0)
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f42e9a30f79, pid=43119, tid=0x00007f431d7fc700
#
# JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C [libfontmanager.so+0x7f79] AlternateSubstitutionSubtable::process(LEReferenceTo<AlternateSubstitutionSubtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const+0xe9
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# jre/8u202/hs_err_pid43119.log
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
Aborted
--- cut ---
Under gdb, we can find out that the AlternateSubstitutionSubtable::process function attempts to access an invalid memory region:
The crash reproduces on both Windows and Linux platforms. On Windows, the crash manifests in the following way:
--- cut ---
(5ae8.5c58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
fontmanager+0x11a9:
00007ffa`0d6211a9 0fb74c4306 movzx ecx,word ptr [rbx+rax*2+6] ds:00000000`4484a028=????
0:004> ? rbx
Evaluate expression: 1149476694 = 00000000`44839f56
0:004> ? rax
Evaluate expression: 32870 = 00000000`00008066
--- cut ---
Attached with this report is the mutated testcase, and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46412.zip
Oracle java runtime environment heap outofbounds read during ttf font rendering in alternatesubstitutionsubtable::process