Microsoft Windows – Uniscribe Font Processing Heap Buffer Overflow in ‘USP10!ttoGetTableData’ (MS17-011)

• Exploit Database
• 117 阅读

• 作者： Google Security Research
  日期： 2017-03-20
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/41651/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89

  Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1027   We have encountered a crash in the Windows Uniscribe user-mode library, in an unnamed function called by USP10!ttoGetTableData, while trying to display text using a corrupted font file:   --- (46ac.5f40): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0945afce ebx=00000100 ecx=09463000 edx=00000004 esi=0945afba edi=0946006b eip=75202dae esp=0059f634 ebp=0059f668 iopl=0 nv up ei pl nz na po nc cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010202 USP10!ttoGetTableData+0xc4e: 75202dae 668939mov word ptr [ecx],dids:002b:09463000=???? 0:000> kb ChildEBP RetAddrArgs to Child 0059f668 75202bf8 0945af96 09462fb8 0059f688 USP10!ttoGetTableData+0xc4e 0059f690 752021b1 09462fb8 09462fb8 0945ad42 USP10!ttoGetTableData+0xa98 0059f6a4 751f7274 09458fd0 094589d0 0059f734 USP10!ttoGetTableData+0x51 0059f704 751f7044 0000001a 093f3d88 09401fa8 USP10!LoadTTOArabicShapeTables+0x184 0059f718 751fc638 51010f6c 093f3d88 0059f744 USP10!LoadArabicShapeTables+0xd4 0059f728 751fc5c8 51010f6c 094587d0 093e6124 USP10!ArabicSimpleLoadTbl+0x28 0059f744 751ea5a0 51010f6c 751e5348 0000001a USP10!ArabicLoadTbl+0xa8 0059f76c 751ea692 093e6124 51010f6c 0000001a USP10!UpdateCache+0xb0 0059f780 751f152d 51010f6c 093e6000 751f15db USP10!ScriptCheckCache+0x62 0059f78c 751f15db 00000001 00000001 00000000 USP10!GetShapeFunction+0xd 0059f7c4 751f2b14 00000001 00000001 0059f844 USP10!RenderItemNoFallback+0x5b 0059f7f0 751f2da2 00000001 00000001 0059f844 USP10!RenderItemWithFallback+0x104 0059f814 751f4339 00000001 0059f844 093e6124 USP10!RenderItem+0x22 0059f858 751e7a04 000004a0 00000400 51010f6c USP10!ScriptStringAnalyzeGlyphs+0x1e9 0059f870 76ca5465 51010f6c 093e6040 0000000a USP10!ScriptStringAnalyse+0x284 0059f8bc 76ca5172 51010f6c 0059fca4 0000000a LPK!LpkStringAnalyse+0xe5 0059f9b8 76ca1410 51010f6c 00000000 00000000 LPK!LpkCharsetDraw+0x332 0059f9ec 763c18b0 51010f6c 00000000 00000000 LPK!LpkDrawTextEx+0x40 0059fa2c 763c22bf 51010f6c 00000070 00000000 USER32!DT_DrawStr+0x13c 0059fa78 763c21f2 51010f6c 0059fca4 0059fcb8 USER32!DT_GetLineBreak+0x78 0059fb24 763c14d4 51010f6c 00000000 0000000a USER32!DrawTextExWorker+0x255 0059fb48 763c2475 51010f6c 0059fca4 ffffffff USER32!DrawTextExW+0x1e 0059fb7c 00336a5c 51010f6c 0059fca4 ffffffff USER32!DrawTextW+0x4d [...] 0:000> dd ecx 09463000???????? ???????? ???????? ???????? 09463010???????? ???????? ???????? ???????? 09463020???????? ???????? ???????? ???????? 09463030???????? ???????? ???????? ???????? 09463040???????? ???????? ???????? ???????? 09463050???????? ???????? ???????? ???????? 09463060???????? ???????? ???????? ???????? 09463070???????? ???????? ???????? ???????? 0:000> !heap -p -a ecx address 09463000 found in _DPH_HEAP_ROOT @ 93e1000 in busy allocation (DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 93e2fa4:9462fb8 48 -9462000 2000 5e3e8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229 77580f3e ntdll!RtlDebugAllocateHeap+0x00000030 7753ab47 ntdll!RtlpAllocateHeap+0x000000c4 774e3431 ntdll!RtlAllocateHeap+0x0000023a 5fcca792 vrfcore!VfCoreRtlAllocateHeap+0x00000016 751f6644 USP10!UspAllocCache+0x00000054 751f725b USP10!LoadTTOArabicShapeTables+0x0000016b 751f7044 USP10!LoadArabicShapeTables+0x000000d4 751fc638 USP10!ArabicSimpleLoadTbl+0x00000028 751fc5c8 USP10!ArabicLoadTbl+0x000000a8 751ea5a0 USP10!UpdateCache+0x000000b0 751ea692 USP10!ScriptCheckCache+0x00000062 751f152d USP10!GetShapeFunction+0x0000000d 751f2b14 USP10!RenderItemWithFallback+0x00000104 751f2da2 USP10!RenderItem+0x00000022 751f4339 USP10!ScriptStringAnalyzeGlyphs+0x000001e9 751e7a04 USP10!ScriptStringAnalyse+0x00000284 76ca5465 LPK!LpkStringAnalyse+0x000000e5 76ca5172 LPK!LpkCharsetDraw+0x00000332 76ca1410 LPK!LpkDrawTextEx+0x00000040 763c18b0 USER32!DT_DrawStr+0x0000013c 763c22bf USER32!DT_GetLineBreak+0x00000078 763c21f2 USER32!DrawTextExWorker+0x00000255 763c14d4 USER32!DrawTextExW+0x0000001e 763c2475 USER32!DrawTextW+0x0000004d [...] ---   The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.   Attached is an archive with 3 crashing samples.     Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41651.zip