Menu

Search for hundreds of thousands of exploits

"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4"

Author

Exploit author

"Google Security Research"

Platform

Exploit platform

multiple

Release date

Exploit published date

2019-04-17

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType, implemented in a proprietary t2k library. It manifests itself in the form of the following (or similar) crash:

--- cut ---
  $ bin/java -cp . DisplaySfntFont test.ttf
  Iteration (0,0)
  *** Error in `bin/java': munmap_chunk(): invalid pointer: 0x00007f5cf82a6490 ***
  ======= Backtrace: =========
  /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f5cfd492bcb]
  /lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f5cfd498f96]
  jre/8u202/lib/amd64/libt2k.so(+0x5443d)[0x7f5cd563343d]
  jre/8u202/lib/amd64/libt2k.so(+0x47b95)[0x7f5cd5626b95]
  jre/8u202/lib/amd64/libt2k.so(Java_sun_font_T2KFontScaler_getGlyphImageNative+0xe5)[0x7f5cd560fa25]
  [0x7f5ce83a06c7]
  ======= Memory map: ========
  00400000-00401000 r-xp 00000000 fe:01 20840680                           jre/8u202/bin/java
  00600000-00601000 r--p 00000000 fe:01 20840680                           jre/8u202/bin/java
  00601000-00602000 rw-p 00001000 fe:01 20840680                           jre/8u202/bin/java
  02573000-02594000 rw-p 00000000 00:00 0                                  [heap]
  3d1a00000-3fba00000 rw-p 00000000 00:00 0
  3fba00000-670900000 ---p 00000000 00:00 0
  670900000-685900000 rw-p 00000000 00:00 0
  685900000-7c0000000 ---p 00000000 00:00 0
  7c0000000-7c00c0000 rw-p 00000000 00:00 0
  7c00c0000-800000000 ---p 00000000 00:00 0
  [...]
  Aborted
--- cut ---

The crash reproduces on both Windows and Linux platforms. On Linux, it can be also triggered under Valgrind (many out-of-bounds reads and writes in sc_FindExtrema4 were ommitted in the log below):

--- cut ---
  $ valgrind bin/java -cp . DisplaySfntFont test.ttf
  [...]
  ==211051== Invalid write of size 8
  ==211051==    at 0x415B30EE: sc_FindExtrema4 (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x4159A402: fs_FindBitMapSize4 (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x415D3247: MakeBWBits (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x415CAE44: T2K_RenderGlyphInternal (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x415CB3CA: T2K_RenderGlyph (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x415B4A24: Java_sun_font_T2KFontScaler_getGlyphImageNative (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x7B8D6C6: ???
  ==211051==    by 0x7B7CDCF: ???
  ==211051==    by 0x7B7CDCF: ???
  ==211051==    by 0x7B7CDCF: ???
  ==211051==    by 0x7B7D2BC: ???
  ==211051==    by 0x7B7CA8F: ???
  ==211051==  Address 0x3f6f1d38 is 19,160 bytes inside a block of size 19,166 alloc'd
  ==211051==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
  ==211051==    by 0x415D84A4: tsi_AllocMem (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x415B2664: sc_FindExtrema4 (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x4159A402: fs_FindBitMapSize4 (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x415D3247: MakeBWBits (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x415CAE44: T2K_RenderGlyphInternal (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x415CB3CA: T2K_RenderGlyph (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x415B4A24: Java_sun_font_T2KFontScaler_getGlyphImageNative (in jre/8u202/lib/amd64/libt2k.so)
  ==211051==    by 0x7B8D6C6: ???
  ==211051==    by 0x7B7CDCF: ???
  ==211051==    by 0x7B7CDCF: ???
  ==211051==    by 0x7B7CDCF: ???
  [...]
--- cut ---

or with AFL's libdislocator under gdb:

--- cut ---
  Thread 2 "java" received signal SIGSEGV, Segmentation fault.
  [----------------------------------registers-----------------------------------]
  [...]
  R11: 0x7fffb5d89e82 --> 0x0
  [...]
  EFLAGS: 0x10293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow)
  [-------------------------------------code-------------------------------------]
     0x7fffb63be972 <sc_FindExtrema4+914>:        lea    r11,[r12+r9*2]
     0x7fffb63be976 <sc_FindExtrema4+918>:        je     0x7fffb63bea30 <sc_FindExtrema4+1104>
     0x7fffb63be97c <sc_FindExtrema4+924>:        lea    r9d,[r8-0x1]
  => 0x7fffb63be980 <sc_FindExtrema4+928>:        add    WORD PTR [r11],0x1
     0x7fffb63be985 <sc_FindExtrema4+933>:        test   r9d,r9d
     0x7fffb63be988 <sc_FindExtrema4+936>:        je     0x7fffb63bea30 <sc_FindExtrema4+1104>
     0x7fffb63be98e <sc_FindExtrema4+942>:        add    WORD PTR [r11+0x2],0x1
     0x7fffb63be994 <sc_FindExtrema4+948>:        cmp    r8d,0x2
  [...]
--- cut ---

On Windows, the crash also reliably reproduces with PageHeap enabled for the java.exe process:

--- cut ---
  (244c.1660): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Java\jre1.8.0_202\bin\server\jvm.dll - 
  jvm+0x8598:
  00000000`61158598 c7040801000000  mov     dword ptr [rax+rcx],1 ds:00000000`05860280=00000001
--- cut ---

In total, we have encountered crashes in the t2k!sc_FindExtrema4 function in three different locations, in two cases while adding 1 to an invalid memory location, and in one case while adding 2 to an out-of-bounds address. Attached with this report are three mutated testcases (one for each crashing code location), and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46722.zip
Release DateTitleTypePlatformAuthor
2020-02-20"Core FTP Lite 1.3 - Denial of Service (PoC)"doswindows"berat isler"
2020-02-20"Easy2Pilot 7 - Cross-Site Request Forgery (Add User)"webappsphpindoushka
2020-02-19"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak"webappshardwarebyteGoblin
2020-02-19"Virtual Freer 1.58 - Remote Command Execution"webappsphpSajjadBnd
2020-02-19"DBPower C300 HD Camera - Remote Configuration Disclosure"webappshardware"Todor Donev"
2020-02-18"WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting"webappsphp"Ultra Security Team"
2020-02-17"SOPlanning 1.45 - 'by' SQL Injection"webappsphpJ3rryBl4nks
2020-02-17"Wordpress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-02-17"Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)"webappsphpJ3rryBl4nks
2020-02-17"SOPlanning 1.45 - 'users' SQL Injection"webappsphpJ3rryBl4nks
2020-02-17"Anviz CrossChex - Buffer Overflow (Metasploit)"remotewindowsMetasploit
2020-02-17"Avaya Aura Communication Manager 5.2 - Remote Code Execution"webappshardware"Sarang Tumne"
2020-02-17"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)"webappsphpJ3rryBl4nks
2020-02-17"WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting"webappsphp"Ashkan Moghaddas"
2020-02-17"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation"localwindowsnu11secur1ty
2020-02-17"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"LabVantage 8.3 - Information Disclosure"webappsjava"Joel Aviad Ossi"
2020-02-17"Cuckoo Clock v5.0 - Buffer Overflow"localwindowsboku
2020-02-17"HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-17"BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path"localwindowsboku
2020-02-14"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection"webappsphpJ3rryBl4nks
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-14"EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-13"Wordpress Plugin tutor.1.5.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"PANDORAFMS 7.0 - Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-02-13"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-13"Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting"webappsphp"Mehran Feizi"
Release DateTitleTypePlatformAuthor
2020-02-10"iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()"dosmultiple"Google Security Research"
2020-02-10"Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting"webappsmultiple"Prasenjit Kanti Paul"
2020-02-07"Google Invisible RECAPTCHA 3 - Spoof Bypass"webappsmultipleMatamorphosis
2020-01-28"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image"dosmultiple"Google Security Research"
2020-01-22"KeePass 2.44 - Denial of Service (PoC)"dosmultiple"Mustafa Emre Gül"
2020-01-16"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal"webappsmultiple"Dhiraj Mishra"
2020-01-16"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation"localmultiple"Marco Ivaldi"
2020-01-16"Tautulli 2.1.9 - Denial of Service ( Metasploit )"webappsmultiple"Ismail Tasdelen"
2020-01-13"Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)"webappsmultiplemekhalleh
2020-01-11"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)"webappsmultiple"Project Zero India"
2020-01-11"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution"webappsmultipleTrustedSec
2020-01-01"nostromo 1.9.6 - Remote Code Execution"remotemultipleKr0ff
2019-11-20"Pulse Secure VPN - Arbitrary Command Execution (Metasploit)"remotemultipleMetasploit
2019-11-20"FusionPBX - Operator Panel exec.php Command Execution (Metasploit)"remotemultipleMetasploit
2019-11-20"FreeSWITCH - Event Socket Command Execution (Metasploit)"remotemultipleMetasploit
2019-11-11"iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address"dosmultiple"Google Security Research"
2019-11-05"JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects"dosmultiple"Google Security Research"
2019-11-05"WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive"dosmultiple"Google Security Research"
2019-11-01"Nostromo - Directory Traversal Remote Command Execution (Metasploit)"remotemultipleMetasploit
2019-10-30"JavaScriptCore - GetterSetter Type Confusion During DFG Compilation"dosmultiple"Google Security Research"
2019-10-28"WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed"dosmultiple"Google Security Research"
2019-10-25"Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)"remotemultipleallyshka
2019-10-22"Total.js CMS 12 - Widget JavaScript Code Injection (Metasploit)"remotemultipleMetasploit
2019-10-14"Apache Httpd mod_proxy - Error Page Cross-Site Scripting"webappsmultiple"Sebastian Neef"
2019-10-14"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts"webappsmultiple"Sebastian Neef"
2019-10-14"Apache Httpd mod_rewrite - Open Redirects"webappsmultiple"Sebastian Neef"
2019-10-03"AnchorCMS < 0.12.3a - Information Disclosure"webappsmultiple"Tijme Gommers"
2019-10-01"WebKit - UXSS Using JavaScript: URI and Synchronous Page Loads"dosmultiple"Google Security Research"
2019-10-01"WebKit - Universal XSS in WebCore::command"dosmultiple"Google Security Research"
2019-10-01"DotNetNuke < 9.4.0 - Cross-Site Scripting"webappsmultipleMaYaSeVeN
Release DateTitleTypePlatformAuthor
2020-02-10"iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()"dosmultiple"Google Security Research"
2020-02-10"usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init"doslinux"Google Security Research"
2020-01-28"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image"dosmultiple"Google Security Research"
2020-01-14"WeChat - Memory Corruption in CAudioJBM::InputAudioFrameToJBM"dosandroid"Google Security Research"
2020-01-14"Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN"dosandroid"Google Security Research"
2019-12-18"macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()"dosmacos"Google Security Research"
2019-12-16"Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds"locallinux"Google Security Research"
2019-12-11"Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font"doswindows"Google Security Research"
2019-11-22"macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache"localmacos"Google Security Research"
2019-11-22"Internet Explorer - Use-After-Free in JScript Arguments During toJSON Callback"doswindows"Google Security Research"
2019-11-20"Ubuntu 19.10 - ubuntu-aufs-modified mmap_region() Breaks Refcounting in overlayfs/shiftfs Error Path"doslinux"Google Security Research"
2019-11-20"iOS 12.4 - Sandbox Escape due to Integer Overflow in mediaserverd"dosios"Google Security Research"
2019-11-20"Ubuntu 19.10 - Refcount Underflow and Type Confusion in shiftfs"doslinux"Google Security Research"
2019-11-11"iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address"dosmultiple"Google Security Research"
2019-11-11"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream"doswindows"Google Security Research"
2019-11-11"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)"doswindows"Google Security Research"
2019-11-05"macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()"dosmacos"Google Security Research"
2019-11-05"WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive"dosmultiple"Google Security Research"
2019-11-05"JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects"dosmultiple"Google Security Research"
2019-10-30"JavaScriptCore - GetterSetter Type Confusion During DFG Compilation"dosmultiple"Google Security Research"
2019-10-28"WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed"dosmultiple"Google Security Research"
2019-10-21"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)"doswindows"Google Security Research"
2019-10-10"Windows Kernel - NULL Pointer Dereference in nt!MiOffsetToProtos While Parsing Malformed PE File"doswindows"Google Security Research"
2019-10-10"Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File"doswindows"Google Security Research"
2019-10-10"Windows Kernel - win32k.sys TTF Font Processing Pool Corruption in win32k!ulClearTypeFilter"doswindows"Google Security Research"
2019-10-10"Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File"doswindows"Google Security Research"
2019-10-10"Windows Kernel - Out-of-Bounds Read in CI!CipFixImageType While Parsing Malformed PE File"doswindows"Google Security Research"
2019-10-10"Windows Kernel - Out-of-Bounds Read in CI!HashKComputeFirstPageHash While Parsing Malformed PE File"doswindows"Google Security Research"
2019-10-09"XNU - Remote Double-Free via Data Race in IPComp Input Path"dosmacos"Google Security Research"
2019-10-04"Android - Binder Driver Use-After-Free"localandroid"Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46722/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse