Microsoft Windows – Uniscribe Font Processing Heap Memory Corruption in ‘USP10!otlCacheManager::GlyphsSubstituted’ (MS17-011)

  • 作者: Google Security Research
    日期: 2017-03-20
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/41649/
  • Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1025
    
    We have encountered a crash in the Windows Uniscribe user-mode library, in the memset() function called by USP10!otlCacheManager::GlyphsSubstituted, while trying to display text using a corrupted font file:
    
    ---
    (449c.6338): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=092ac250 ebx=092ac230 ecx=00000784 edx=00000074 esi=0028ea6c edi=092affd0
    eip=76bc9c8d esp=0028e978 ebp=0028e97c iopl=0 nv up ei pl nz na pe nc
    cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010206
    msvcrt!_VEC_memcpy+0x116:
    76bc9c8d 660f7f4730movdqaxmmword ptr [edi+30h],xmm0 ds:002b:092b0000=????????????????????????????????
    0:000> kb
    ChildEBP RetAddrArgs to Child
    0028e97c 76bc9c39 092ac250 0003ff80 00000006 msvcrt!_VEC_memcpy+0x116
    0028e99c 76bc9cde 092ac250 00000000 0003fff4 msvcrt!_VEC_memzero+0x36
    0028e9c0 75234b58 092ac248 00000000 0003fffc msvcrt!_VEC_memzero+0x82
    0028e9e0 752336a1 0028ed18 00000006 0000ffff USP10!otlCacheManager::GlyphsSubstituted+0xc8
    0028ebc0 7522f29f 42555347 0028ed58 0028ece4 USP10!ApplyFeatures+0x541
    0028ec0c 7522b083 00000000 092c6ffc 092c6e18 USP10!SubstituteOtlGlyphs+0x1bf
    0028ec38 75223921 0028ecb4 0028ed0c 0028ed58 USP10!ShapingLibraryInternal::SubstituteOtlGlyphsWithLanguageFallback+0x23
    0028eed0 7521548a 0028efdc 0028f008 0028eff0 USP10!ArabicEngineGetGlyphs+0x891
    0028ef90 7521253f 0028efdc 0028f008 0028eff0 USP10!ShapingGetGlyphs+0x36a
    0028f078 751e5c6f 2a0123f2 092a6124 092a6318 USP10!ShlShape+0x2ef
    0028f0bc 751f167a 2a0123f2 092a6124 092a6318 USP10!ScriptShape+0x15f
    0028f11c 751f2b14 00000000 00000000 0028f19c USP10!RenderItemNoFallback+0xfa
    0028f148 751f2da2 00000000 00000000 0028f19c USP10!RenderItemWithFallback+0x104
    0028f16c 751f4339 00000000 0028f19c 092a6124 USP10!RenderItem+0x22
    0028f1b0 751e7a04 000004a0 00000400 2a0123f2 USP10!ScriptStringAnalyzeGlyphs+0x1e9
    0028f1c8 76ca5465 2a0123f2 092a6040 0000000a USP10!ScriptStringAnalyse+0x284
    0028f214 76ca5172 2a0123f2 0028f5fc 0000000a LPK!LpkStringAnalyse+0xe5
    0028f310 76ca1410 2a0123f2 00000000 00000000 LPK!LpkCharsetDraw+0x332
    0028f344 763c18b0 2a0123f2 00000000 00000000 LPK!LpkDrawTextEx+0x40
    0028f384 763c22bf 2a0123f2 00000070 00000000 USER32!DT_DrawStr+0x13c
    0028f3d0 763c21f2 2a0123f2 0028f5fc 0028f610 USER32!DT_GetLineBreak+0x78
    0028f47c 763c14d4 2a0123f2 00000000 0000000a USER32!DrawTextExWorker+0x255
    0028f4a0 763c2475 2a0123f2 0028f5fc ffffffff USER32!DrawTextExW+0x1e
    0028f4d4 01336a5c 2a0123f2 0028f5fc ffffffff USER32!DrawTextW+0x4d
    [...]
    0:000> dd edi
    092affd000000000 00000000 00000000 00000000
    092affe000000000 00000000 00000000 00000000
    092afff000000000 00000000 00000000 00000000
    092b0000???????? ???????? ???????? ????????
    092b0010???????? ???????? ???????? ????????
    092b0020???????? ???????? ???????? ????????
    092b0030???????? ???????? ???????? ????????
    092b0040???????? ???????? ???????? ????????
    ---
    
    The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
    
    Attached is an archive with 2 crashing samples.
    
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41649.zip