ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
43 lines
No EOL
2.6 KiB
Text
43 lines
No EOL
2.6 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1031
|
|
|
|
Through fuzzing, we have discovered a number of different crashes in the Windows Uniscribe user-mode library, while trying to display text using a corrupted font file or calling documented Uniscribe API functions against such malformed fonts. In this bug, we address a variety of crashes manifested through invalid memory READ accesses. Some of them occur at page boundaries, while other at seemingly valid yet non-mapped addresses. The sheer amount of the crashes makes it very difficult for us to assess the root cause, severity and impact of each of them within a reasonable time-frame. Consequently, we have only performed basic deduplication based on the top-level address of the faulting instruction, and are reporting all of such crashes in this single bug tracker entry.
|
|
|
|
A summary of the crash locations is as follows:
|
|
|
|
--------------------------------------------------------------
|
|
1 USP10!otlMultiSubstLookup::apply+0xa8
|
|
2 USP10!otlSingleSubstLookup::applyToSingleGlyph+0x98
|
|
3 USP10!otlSingleSubstLookup::apply+0xa9
|
|
4 USP10!otlMultiSubstLookup::getCoverageTable+0x2c
|
|
5 USP10!otlMark2Array::mark2Anchor+0x18
|
|
6 USP10!GetSubstGlyph+0x2e
|
|
7 USP10!BuildTableCache+0x1ca
|
|
8 USP10!otlMkMkPosLookup::apply+0x1b4
|
|
9 USP10!otlLookupTable::markFilteringSet+0x1a
|
|
10 USP10!otlSinglePosLookup::getCoverageTable+0x12
|
|
11 USP10!BuildTableCache+0x1e7
|
|
12 USP10!otlChainingLookup::getCoverageTable+0x15
|
|
13 USP10!otlReverseChainingLookup::getCoverageTable+0x15
|
|
14 USP10!otlLigCaretListTable::coverage+0x7
|
|
15 USP10!otlMultiSubstLookup::apply+0x99
|
|
16 USP10!otlTableCacheData::FindLookupList+0x9
|
|
17 USP10!ttoGetTableData+0x4b4
|
|
18 USP10!GetSubtableCoverage+0x1ab
|
|
19 USP10!otlChainingLookup::apply+0x2d
|
|
20 USP10!MergeLigRecords+0x132
|
|
21 USP10!otlLookupTable::subTable+0x23
|
|
22 USP10!GetMaxParameter+0x53
|
|
23 USP10!ApplyLookup+0xc3
|
|
24 USP10!ApplyLookupToSingleGlyph+0x6f
|
|
25 USP10!ttoGetTableData+0x19f6
|
|
26 USP10!otlExtensionLookup::extensionSubTable+0x1d
|
|
27 USP10!ttoGetTableData+0x1a77
|
|
--------------------------------------------------------------
|
|
|
|
All of the issues reproduce successfully on Windows 7. It is highly encouraged to enable PageHeap for the test program in order to get reliable repros. It is also necessary to use a custom program which displays all of the font's glyphs at various point sizes, and additionally calls some of the Uniscribe-specific API functions.
|
|
|
|
Attached is an archive with textual crash excerpts and up to 3 samples per each unique crash.
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41655.zip |