Menu

Improved exploit search engine. Try it out

"Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour"

Author

"Google Security Research"

Platform

java

Release date

2019-02-18

Release Date Title Type Platform Author
2019-05-21 "Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution" webapps java "Jakub Palaczynski"
2019-05-21 "Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection" webapps java omurugur
2019-04-30 "Spring Cloud Config 2.1.x - Path Traversal (Metasploit)" webapps java "Dhiraj Mishra"
2019-04-26 "Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting" webapps java "Dhiraj Mishra"
2019-04-08 "ManageEngine ServiceDesk Plus 9.3 - User Enumeration" webapps java "Alexander Bluestein"
2019-03-19 "Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)" remote java Metasploit
2016-12-20 "Java Debug Wire Protocol (JDWP) - Remote Code Execution" remote java IOactive
2019-02-25 "Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution" webapps java wetw0rk
2019-02-19 "Jenkins - Remote Code Execution" webapps java orange
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour" dos java "Google Security Research"
2019-02-05 "OpenMRS Platform < 2.24.0 - Insecure Object Deserialization" webapps java "Bishop Fox"
2019-01-28 "Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2018-11-30 "Apache Spark - Unauthenticated Command Execution (Metasploit)" remote java Metasploit
2018-11-14 "Atlassian Jira - Authenticated Upload Code Execution (Metasploit)" remote java Metasploit
2018-10-24 "Apache OFBiz 16.11.04 - XML External Entity Injection" webapps java "Jamie Parfet"
2018-10-22 "Oracle Siebel CRM 8.1.1 - CSV Injection" webapps java "Sarath Nair"
2018-10-01 "ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
2018-10-01 "H2 Database 1.4.196 - Remote Code Execution" webapps java h4ckNinja
2018-09-27 "ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
2018-08-06 "Wavemaker Studio 6.6 - Server-Side Request Forgery" webapps java "Gionathan Reale"
2018-08-06 "LAMS < 3.1 - Cross-Site Scripting" webapps java "Nikola Kojic"
2018-07-16 "Fortify Software Security Center (SSC) 17.x/18.1 - XML External Entity Injection" webapps java alt3kx
2018-07-04 "ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution" webapps java "Kacper Szurek"
2018-06-20 "MaDDash 2.0.2 - Directory Listing" webapps java ManhNho
2018-06-26 "Liferay Portal < 7.0.4 - Server-Side Request Forgery" webapps java "Mehmet Ince"
2018-06-04 "SearchBlox 8.6.7 - XML External Entity Injection" webapps java "Ahmet Gurel"
2018-05-30 "SearchBlox 8.6.6 - Cross-Site Request Forgery" webapps java "Ahmet Gurel"
Release Date Title Type Platform Author
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-23 "Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free" dos ios "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free" dos multiple "Google Security Research"
2019-05-13 "Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write" dos multiple "Google Security Research"
2019-04-30 "Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification" dos linux "Google Security Research"
2019-04-26 "systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process" dos linux "Google Security Research"
2019-04-24 "Google Chrome 72.0.3626.121 / 74.0.3725.0 - 'NewFixedDoubleArray' Integer Overflow" remote multiple "Google Security Research"
2019-04-24 "VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation" local windows "Google Security Research"
2019-04-23 "Linux - 'page->_refcount' Overflow via FUSE" dos linux "Google Security Research"
2019-04-23 "Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition" dos linux "Google Security Research"
2019-04-23 "systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit" dos linux "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID" dos multiple "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4" dos multiple "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation" local windows "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion" remote multiple "Google Security Research"
2019-04-03 "Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion" dos multiple "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion" dos multiple "Google Security Research"
2019-04-03 "WebKitGTK+ - 'ThreadedCompositor' Race Condition" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check" dos multiple "Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46409/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46409/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46409/40859/oracle-java-runtime-environment-heap-out-of-bounds-read-during-otf-font-rendering-in-glyph_closecontour/download/", "exploit_id": "46409", "exploit_description": "\"Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour\"", "exploit_date": "2019-02-18", "exploit_author": "\"Google Security Research\"", "exploit_type": "dos", "exploit_platform": "java", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of OpenType fonts. It manifests itself in the form of the following crash (with AFL's libdislocator):

--- cut ---
gdb$ c
  Continuing.
  Iteration (0,0)

  Thread 2 "java" received signal SIGSEGV, Segmentation fault.
  [----------------------------------registers-----------------------------------]
  RAX: 0x6d1a
  RBX: 0x7fffb5d94f48 --> 0x7fffb6319f00 --> 0x53ab1500ff
  RCX: 0xffffffffffff0000
  RDX: 0x7fff28fbdfe6 --> 0x2a001d00100003
  RSI: 0x7fff28fadfe8 --> 0x1e001100040000
  [...]
  [-------------------------------------code-------------------------------------]
     0x7fffb6395564 <glyph_CloseContour+148>:     mov    rsi,QWORD PTR [rbx+0x20]
     0x7fffb6395568 <glyph_CloseContour+152>:     add    rcx,rcx
     0x7fffb639556b <glyph_CloseContour+155>:     lea    rdi,[rdx+rcx*1-0x2]
  => 0x7fffb6395570 <glyph_CloseContour+160>:     movsx  rsi,WORD PTR [rsi+rcx*1-0x2]
     0x7fffb6395576 <glyph_CloseContour+166>:     mov    rdx,QWORD PTR [rbx+0x30]
     0x7fffb639557a <glyph_CloseContour+170>:     movsx  rcx,WORD PTR [rdi]
     0x7fffb639557e <glyph_CloseContour+174>:     movzx  r8d,WORD PTR [rdx+rcx*2]
     0x7fffb6395583 <glyph_CloseContour+179>:     cmp    WORD PTR [rdx+rsi*2],r8w
  [...]
  Stopped reason: SIGSEGV
  0x00007fffb6395570 in glyph_CloseContour () from jre/8u202/lib/amd64/libt2k.so

  gdb-peda$ where
  #0  0x00007fffb6395570 in glyph_CloseContour () from jre/8u202/lib/amd64/libt2k.so
  #1  0x00007fffb63ad71c in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
  #2  0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
  #3  0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
  #4  0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
  #5  0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
  #6  0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
  #7  0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
  #8  0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
  #9  0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
  #10 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
  #11 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
  #12 0x00007fffb63b469c in tsi_T2GetGlyphByIndex () from jre/8u202/lib/amd64/libt2k.so
  #13 0x00007fffb63b5655 in tsi_NewCFFClass () from jre/8u202/lib/amd64/libt2k.so
  #14 0x00007fffb63c73c8 in New_sfntClassLogical () from jre/8u202/lib/amd64/libt2k.so
  #15 0x00007fffb63a43e3 in Java_sun_font_T2KFontScaler_initNativeScaler () from jre/8u202/lib/amd64/libt2k.so
  #16 0x00007fffe5e376c7 in ?? ()
  #17 0x00007fff0003ccc0 in ?? ()
  #18 0x0000000000000000 in ?? ()
--- cut ---

The crash reproduces on both Windows and Linux platforms. On Windows, the crash can be observed with PageHeap enabled for the java.exe process:

--- cut ---
  (5f34.5d1c): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  t2k+0xfbec:
  00007ffa`0b4cfbec 4e0fbf4c50fe    movsx   r9,word ptr [rax+r10*2-2] ds:00000000`39c44ffe=????
  0:004> k
   # Child-SP          RetAddr           Call Site
  00 00000000`0d82de70 00007ffa`0b4e0c0d t2k+0xfbec
  01 00000000`0d82dea0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x5305
  02 00000000`0d82df20 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
  03 00000000`0d82dfa0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
  04 00000000`0d82e020 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
  05 00000000`0d82e0a0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
  06 00000000`0d82e120 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
  07 00000000`0d82e1a0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
  08 00000000`0d82e220 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
  09 00000000`0d82e2a0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
  0a 00000000`0d82e320 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
  0b 00000000`0d82e3a0 00007ffa`0b4e3dd1 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
  0c 00000000`0d82e420 00007ffa`0b4e4108 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x84c9
  0d 00000000`0d82e460 00007ffa`0b4e47e4 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x8800
  0e 00000000`0d82e4b0 00007ffa`0b4f07c5 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x8edc
  0f 00000000`0d82e500 00007ffa`0b4f0b11 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x72c9
  10 00000000`0d82e560 00007ffa`0b4d9ef6 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x7615
  11 00000000`0d82e5e0 00000000`0f928d27 t2k!Java_sun_font_T2KFontScaler_initNativeScaler+0x2c2
  12 00000000`0d82e650 00000000`2ad8f228 0xf928d27
  13 00000000`0d82e658 00000000`b0063339 0x2ad8f228
  14 00000000`0d82e660 00000000`0d82e730 0xb0063339
  15 00000000`0d82e668 00000000`b006f271 0xd82e730
  16 00000000`0d82e670 00000000`00000000 0xb006f271
  0:004> ? rax
  Evaluate expression: 969232384 = 00000000`39c55000
  0:004> ? r10
  Evaluate expression: -32768 = ffffffff`ffff8000
--- cut ---

Attached with this report are three mutated testcases, and a simple Java program used to reproduce the vulnerability by loading OpenType fonts specified through a command-line parameter.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46409.zip