Menu

Improved exploit search engine. Try python and hit enter

"Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions"

Author

"Google Security Research"

Platform

java

Release date

2019-02-18

Release Date Title Type Platform Author
2016-12-20 "Java Debug Wire Protocol (JDWP) - Remote Code Execution" remote java IOactive
2019-02-25 "Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution" webapps java wetw0rk
2019-02-19 "Jenkins - Remote Code Execution" webapps java orange
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour" dos java "Google Security Research"
2019-02-05 "OpenMRS Platform < 2.24.0 - Insecure Object Deserialization" webapps java "Bishop Fox"
2019-01-28 "Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2018-11-30 "Apache Spark - Unauthenticated Command Execution (Metasploit)" remote java Metasploit
2018-11-14 "Atlassian Jira - Authenticated Upload Code Execution (Metasploit)" remote java Metasploit
2018-10-24 "Apache OFBiz 16.11.04 - XML External Entity Injection" webapps java "Jamie Parfet"
2018-10-22 "Oracle Siebel CRM 8.1.1 - CSV Injection" webapps java "Sarath Nair"
2018-10-01 "ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
2018-10-01 "H2 Database 1.4.196 - Remote Code Execution" webapps java h4ckNinja
2018-09-27 "ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
2018-08-06 "Wavemaker Studio 6.6 - Server-Side Request Forgery" webapps java "Gionathan Reale"
2018-08-06 "LAMS < 3.1 - Cross-Site Scripting" webapps java "Nikola Kojic"
2018-07-16 "Fortify Software Security Center (SSC) 17.x/18.1 - XML External Entity Injection" webapps java alt3kx
2018-07-04 "ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution" webapps java "Kacper Szurek"
2018-06-20 "MaDDash 2.0.2 - Directory Listing" webapps java ManhNho
2018-06-26 "Liferay Portal < 7.0.4 - Server-Side Request Forgery" webapps java "Mehmet Ince"
2018-06-04 "SearchBlox 8.6.7 - XML External Entity Injection" webapps java "Ahmet Gurel"
2018-05-30 "SearchBlox 8.6.6 - Cross-Site Request Forgery" webapps java "Ahmet Gurel"
2018-05-22 "ERPnext 11 - Cross-Site Scripting" webapps java "Veerababu Penugonda"
2018-05-21 "ManageEngine Recovery Manager Plus 5.3 - Cross-Site Scripting" webapps java "Ahmet Gurel"
2018-05-21 "GitBucket 4.23.1 - Remote Code Execution" webapps java "Kacper Szurek"
2018-05-16 "RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting" webapps java "SEC Consult"
2018-05-10 "ModbusPal 1.6b - XML External Entity Injection" webapps java "Trent Gordon"
2018-04-24 "WSO2 Carbon / WSO2 Dashboard Server 5.3.0 - Persistent Cross-Site Scripting" webapps java "SEC Consult"
Release Date Title Type Platform Author
2019-03-06 "Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass" dos android "Google Security Research"
2019-03-06 "Android - binder Use-After-Free via racy Initialization of ->allow_user_free" dos android "Google Security Research"
2019-03-06 "Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem" dos linux "Google Security Research"
2019-03-01 "macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image" dos macos "Google Security Research"
2019-03-01 "Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module" dos linux "Google Security Research"
2019-03-01 "tcpdump < 4.9.3 - Multiple Heap-Based Out-of-Bounds Reads" dos multiple "Google Security Research"
2019-03-01 "Google Chrome < M72 - FileWriterImpl Use-After-Free" dos multiple "Google Security Research"
2019-03-01 "Google Chrome < M72 - Use-After-Free in RenderProcessHostImpl Binding for P2PSocketDispatcherHost" dos multiple "Google Security Research"
2019-03-01 "Google Chrome < M72 - RenderFrameHostImpl::CreateMediaStreamDispatcherHost Use-After-Free" dos multiple "Google Security Research"
2019-03-01 "Google Chrome < M72 - PaymentRequest Service Use-After-Free" dos multiple "Google Security Research"
2019-02-22 "WebKit JSC - reifyStaticProperty Needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter" dos multiple "Google Security Research"
2019-02-20 "MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates" dos linux "Google Security Research"
2019-02-20 "Android Kernel < 4.8 - ptrace seccomp Filter Bypass" dos android "Google Security Research"
2019-02-20 "FaceTime - Texture Processing Memory Corruption" dos macos "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour" dos java "Google Security Research"
2019-02-15 "Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference" dos linux "Google Security Research"
2019-02-12 "Android - binder Use-After-Free of VMA via race Between reclaim and munmap" dos android "Google Security Research"
2019-02-12 "Android - binder Use-After-Free via fdget() Optimization" dos android "Google Security Research"
2019-02-06 "Skia - Incorrect Convexity Assumptions Leading to Buffer Overflows" dos multiple "Google Security Research"
2019-01-31 "macOS < 10.14.3 / iOS < 12.1.3 - Kernel Heap Overflow in PF_KEY due to Lack of Bounds Checking when Retrieving Statistics" dos multiple "Google Security Research"
2019-01-31 "macOS < 10.14.3 / iOS < 12.1.3 XNU - 'vm_map_copy' Optimization which Requires Atomicity isn't Atomic" dos multiple "Google Security Research"
2019-01-31 "macOS < 10.14.3 / iOS < 12.1.3 - Sandbox Escapes due to Type Confusions and Memory Safety Issues in iohideventsystem" dos multiple "Google Security Research"
2019-01-31 "macOS < 10.14.3 / iOS < 12.1.3 - Arbitrary mach Port Name Deallocation in XPC Services due to Invalid mach Message Parsing in _xpc_serializer_unpack" dos multiple "Google Security Research"
2019-01-31 "macOS XNU - Copy-on-Write Behaviour Bypass via Partial-Page Truncation of File" dos macos "Google Security Research"
2019-01-30 "iOS/macOS 10.13.6 - 'if_ports_used_update_wakeuuid()' 16-byte Uninitialized Kernel Stack Disclosure" dos multiple "Google Security Research"
2019-01-24 "Ghostscript 9.26 - Pseudo-Operator Remote Code Execution" remote linux "Google Security Research"
2019-01-25 "iOS/macOS - 'task_swap_mach_voucher()' Use-After-Free" dos multiple "Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46410/?format=json')
For full documentation follow the link above

Ads

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:

--- cut ---
  $ bin/java -cp . DisplaySfntFont test.ttf
  Iteration (0,0)
  Iteration (0,1)
  Iteration (0,2)
  Iteration (0,3)
  Iteration (0,4)
  #
  # A fatal error has been detected by the Java Runtime Environment:
  #
  #  SIGSEGV (0xb) at pc=0x00007fbaa11694c8, pid=19540, tid=0x00007fbac4f18700
  #
  # JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
  # Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
  # Problematic frame:
  # C  [libfontmanager.so+0x284c8]  OpenTypeLayoutEngine::adjustGlyphPositions(unsigned short const*, int, int, char, LEGlyphStorage&, LEErrorCode&)+0x268
  #
  # Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
  #
  # An error report file with more information is saved as:
  # jre/8u202/hs_err_pid19540.log
  #
  # If you would like to submit a bug report, please visit:
  #   http://bugreport.java.com/bugreport/crash.jsp
  # The crash happened outside the Java Virtual Machine in native code.
  # See problematic frame for where to report the bug.
  #
  Aborted
--- cut ---

Under gdb, we can find out that the OpenTypeLayoutEngine::adjustGlyphPositions function attempts to access an invalid memory region:

--- cut ---
  gdb-peda$ c
  Continuing.
  Iteration (0,0)
  Iteration (0,1)
  Iteration (0,2)
  Iteration (0,3)
  Iteration (0,4)

  Thread 2 "java" received signal SIGSEGV, Segmentation fault.
  [----------------------------------registers-----------------------------------]
  RAX: 0x7ffff0283cc0 --> 0x0
  [...]
  [-------------------------------------code-------------------------------------]
     0x7fffc41cb4bb <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+603>:  nop    DWORD PTR [rax+rax*1+0x0]
     0x7fffc41cb4c0 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+608>:  lea    rax,[rax+rax*4]
     0x7fffc41cb4c4 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+612>:  lea    rax,[rdx+rax*4]
  => 0x7fffc41cb4c8 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+616>:  addss  xmm0,DWORD PTR [rax]
     0x7fffc41cb4cc <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+620>:  addss  xmm1,DWORD PTR [rax+0x4]
     0x7fffc41cb4d1 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+625>:  movsxd rax,DWORD PTR [rax+0x10]
     0x7fffc41cb4d5 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+629>:  test   eax,eax
     0x7fffc41cb4d7 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+631>:
      jns    0x7fffc41cb4c0 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+608>
  [------------------------------------stack-------------------------------------]
  [...]
  [------------------------------------------------------------------------------]
  Legend: code, data, rodata, value
  Stopped reason: SIGSEGV
  0x00007fffc41cb4c8 in OpenTypeLayoutEngine::adjustGlyphPositions(unsigned short const*, int, int, char, LEGlyphStorage&, LEErrorCode&) ()
     from jre/8u202/lib/amd64/libfontmanager.so
--- cut ---

The crash reproduces on both Windows and Linux platforms. On Windows, the crash manifests in the following way:

--- cut ---
  (3798.db8): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0x13346:
  00007ffa`0c9eb046 8b448a10        mov     eax,dword ptr [rdx+rcx*4+10h] ds:00000000`69815274=????????
  0:004> ? rdx
  Evaluate expression: 1696397556 = 00000000`651cf8f4
  0:004> ? rcx
  Evaluate expression: 18421340 = 00000000`0119165c
  0:004> k
   # Child-SP          RetAddr           Call Site
  00 00000000`055ce250 00007ffa`0c9e3c3f fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0x13346
  01 00000000`055ce3c0 00007ffa`0c9ef6fe fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0xbf3f
  02 00000000`055ce420 00000000`056e8d27 fontmanager!Java_sun_font_SunLayoutEngine_nativeLayout+0x21e
  03 00000000`055ce750 00000000`055ce750 0x56e8d27
  04 00000000`055ce758 00000000`5cb9a4a8 0x55ce750
  05 00000000`055ce760 00000000`055ce7c0 0x5cb9a4a8
  06 00000000`055ce768 00000000`5cb3fd68 0x55ce7c0
  07 00000000`055ce770 00000000`055ce8e8 0x5cb3fd68
  08 00000000`055ce778 00000000`00000000 0x55ce8e8
--- cut ---

Attached with this report are three mutated testcases, and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46410.zip