Windows DWrite 组件 RCE 漏洞 (CVE-2021-24093) 分析
Windows图形组件DWrite库存在数组越界写漏洞 (CVE-2021-24093),可导致远程代码执行。
当DWrite库解析恶意构造的字体文件时,计算内存分配长度时出现错误,触发越界写,而且字体文件中的数据能够越界写入到任意位置,使攻击者可以做到RCE。
TrueType (Free Library)字体通常包含在单个TrueType字体文件中,其文件后缀为.TTF。文件开头是 TableDirectory 结构,TTableDirectory 结构的最后一个字段是可变长度的 TableEntry 结构的数组。TrueType 字体中的所有数据都使用 big-endian 编码。
TrueType字体目录的c语言定义:
typedef sturct{ char tag[4]; ULONG checkSum; ULONG offset; ULONG length;}TableEntry;
typedef struct{ Fixed sfntversion; //0x10000 for version 1.0 USHORT numTables; USHORT searchRange; USHORT entrySelector; USHORT rangeShift; TableEntry entries[1];//variable number of TableEntry}TableDirectory;
通过 010 Editor 编辑器打开poc.ttf文件,可以清楚的看到 ttf 文件的结构。
重点关注 maxp 表中的 maxPoints 字段和 maxCompositePoints,可以看到它们的值分别为0和3,它们相对于maxp表起始地址的偏移值分别为6和10。
获取 PoC 后,将 poc.html 和 poc.ttf 放到同一目录,双击打开 poc.html 文件。
PoC 地址:
https://packetstormsecurity.com/files/161582/Microsoft-DirectWrite-fsg_ExecuteGlyph-Buffer-Overflow.html点击OK,加载 poc.ttf 字体文件。浏览器渲染进程崩溃。
用 windbg 定位崩溃点。在第2步点击OK之前,将windbg工具attach到6768进程上。
如何确定进程6768是chrome当前渲染进程呢?可以借助procexp64.exe工具。
继续执行,在DWrite!fsg_ExecuteGlyph+0x72c位置触发内存访问违例,代码 “add word ptr [r8+56h],ax” 引用了一个非法地址。
此时的调用栈为:
# Child-SP RetAddr Call Site00 00000095`37bfa1c0 00007ffd`4c107e92 DWrite!fsg_ExecuteGlyph+0x72c01 00000095`37bfa2f0 00007ffd`4c107ac3 DWrite!fsg_CreateGlyphData+0x12e02 00000095`37bfa3b0 00007ffd`4c1072d9 DWrite!fsg_GridFit+0xbb03 00000095`37bfa440 00007ffd`4c105d72 DWrite!fs__Contour+0x1c104 00000095`37bfa530 00007ffd`4c105b57 DWrite!TrueTypeRasterizer::Implementation::RasterizeInternal+0xfa05 00000095`37bfa570 00007ffd`4c105aa4 DWrite!TrueTypeRasterizer::Implementation::GetBitmapInternal+0x2f06 00000095`37bfa5d0 00007ffd`4c1f0f2e DWrite!TrueTypeRasterizer::Implementation::GetBitmap+0x3007 00000095`37bfa640 00007ffd`4c198122 DWrite!TrueTypeRasterizer::Implementation::GetMetrics+0x7a08 00000095`37bfa740 00007ffd`4c119e35 DWrite!TrueTypeFontMetricsBuilder::GetGlyphMetrics+0x6872209 00000095`37bfa820 00007ffd`4c1199a8 DWrite!DesignGlyphMetricsRasterizationState::RasterizeGlyph+0x450a 00000095`37bfa890 00007ffd`4c12f614 DWrite!GlyphDataElement<DesignGlyphMetricsLayout,DesignGlyphMetricsRasterizationParameters,DesignGlyphMetricsRasterizationState>::AddGlyphs+0x1480b 00000095`37bfaa70 00007ffd`4c12f1ff DWrite!GlyphDataElement<DesignGlyphMetricsLayout,DesignGlyphMetricsRasterizationParameters,DesignGlyphMetricsRasterizationState>::GetGlyphData+0x2740c 00000095`37bfaba0 00007ffd`4c12dd20 DWrite!FontFace::GetDesignGlyphMetrics+0xaf0d 00000095`37bfac90 00007ffd`28bea88a DWrite!DWriteFontFace::GetDesignGlyphMetrics+0xc00e 00000095`37bfad10 00007ffd`28bea4e6 chrome!ChromeMain+0x2f59ea0f 00000095`37bfadd0 00007ffd`28bea15f chrome!ChromeMain+0x2f564610 00000095`37bfaea0 00007ffd`292f746e chrome!ChromeMain+0x2f52bf11 00000095`37bfafc0 00007ffd`292f7975 chrome!ovly_debug_event+0x2cca5e12 00000095`37bfb030 00007ffd`28be9fdd chrome!ovly_debug_event+0x2ccf6513 00000095`37bfb0c0 00007ffd`28be9bf8 chrome!ChromeMain+0x2f513d14 00000095`37bfb140 00007ffd`2e4b9f11 chrome!ChromeMain+0x2f4d5815 00000095`37bfb380 00007ffd`2d52b28c chrome!VR_GetStringForHmdError+0x1c0bce116 00000095`37bfba60 00007ffd`2947abb9 chrome!VR_GetStringForHmdError+0xc7d05c17 00000095`37bfbaa0 00007ffd`28c34741 chrome!ovly_debug_event+0x4501a918 00000095`37bfbba0 00007ffd`28c27cbb chrome!ChromeMain+0x33f8a119 00000095`37bfbc00 00007ffd`2e6d73b5 chrome!ChromeMain+0x332e1b1a 00000095`37bfbc70 00007ffd`2e6d89cd chrome!VR_GetStringForHmdError+0x1e291851b 00000095`37bfbeb0 00007ffd`2d70ae8b chrome!VR_GetStringForHmdError+0x1e2a79d1c 00000095`37bfbfd0 00007ffd`2d70a96f chrome!VR_GetStringForHmdError+0xe5cc5b1d 00000095`37bfc3b0 00007ffd`2d70dad0 chrome!VR_GetStringForHmdError+0xe5c73f1e 00000095`37bfc420 00007ffd`2e521ab3 chrome!VR_GetStringForHmdError+0xe5f8a01f 00000095`37bfc480 00007ffd`2e522318 chrome!VR_GetStringForHmdError+0x1c7388320 00000095`37bfc4e0 00007ffd`2eef5404 chrome!VR_GetStringForHmdError+0x1c740e821 00000095`37bfc550 00007ffd`2e52380f chrome!VR_GetStringForHmdError+0x26471d422 00000095`37bfc5e0 00007ffd`2e51dc86 chrome!VR_GetStringForHmdError+0x1c755df23 00000095`37bfc8e0 00007ffd`2eefb204 chrome!VR_GetStringForHmdError+0x1c6fa5624 00000095`37bfca90 00007ffd`2eef59e6 chrome!VR_GetStringForHmdError+0x264cfd425 00000095`37bfcbf0 00007ffd`2eef541b chrome!VR_GetStringForHmdError+0x26477b626 00000095`37bfcdf0 00007ffd`2e52380f chrome!VR_GetStringForHmdError+0x26471eb27 00000095`37bfce80 00007ffd`2e51dc86 chrome!VR_GetStringForHmdError+0x1c755df28 00000095`37bfd180 00007ffd`2eede763 chrome!VR_GetStringForHmdError+0x1c6fa5629 00000095`37bfd330 00007ffd`2eed8540 chrome!VR_GetStringForHmdError+0x26305332a 00000095`37bfd3c0 00007ffd`2d93e4e0 chrome!VR_GetStringForHmdError+0x262a3102b 00000095`37bfd420 00007ffd`2d95f7dd chrome!VR_GetStringForHmdError+0x10902b02c 00000095`37bfd470 00007ffd`2d95ffa7 chrome!VR_GetStringForHmdError+0x10b15ad2d 00000095`37bfd4e0 00007ffd`2d95eb62 chrome!VR_GetStringForHmdError+0x10b1d772e 00000095`37bfd5e0 00007ffd`2d95d3f4 chrome!VR_GetStringForHmdError+0x10b09322f 00000095`37bfd6a0 00007ffd`2d95cbc1 chrome!VR_GetStringForHmdError+0x10af1c430 00000095`37bfd770 00007ffd`2cac07b4 chrome!VR_GetStringForHmdError+0x10ae99131 00000095`37bfd850 00007ffd`2d93e4e0 chrome!VR_GetStringForHmdError+0x21258432 00000095`37bfd8b0 00007ffd`2cac0bdd chrome!VR_GetStringForHmdError+0x10902b033 00000095`37bfd900 00007ffd`2ca9b81c chrome!VR_GetStringForHmdError+0x2129ad34 00000095`37bfd980 00007ffd`2ca9a106 chrome!VR_GetStringForHmdError+0x1ed5ec35 00000095`37bfda70 00007ffd`2c986353 chrome!VR_GetStringForHmdError+0x1ebed636 00000095`37bfdc30 00007ffd`2c986992 chrome!VR_GetStringForHmdError+0xd812337 00000095`37bfdc80 00007ffd`2c97824d chrome!VR_GetStringForHmdError+0xd876238 00000095`37bfdd50 00007ffd`2e5830de chrome!VR_GetStringForHmdError+0xca01d39 00000095`37bfdd80 00007ffd`2b197199 chrome!VR_GetStringForHmdError+0x1cd4eae3a 00000095`37bfde10 00007ffd`2b1a5fe8 chrome!CrashForExceptionInNonABICompliantCodeRange+0x58ad593b 00000095`37bfded0 00007ffd`2b1a5e4f chrome!CrashForExceptionInNonABICompliantCodeRange+0x599ba83c 00000095`37bfdfb0 00007ffd`2b1b4c7d chrome!CrashForExceptionInNonABICompliantCodeRange+0x599a0f3d 00000095`37bfdff0 00007ffd`2cc5eefc chrome!CrashForExceptionInNonABICompliantCodeRange+0x5a883d3e 00000095`37bfe120 00007ffd`2cc564d2 chrome!VR_GetStringForHmdError+0x3b0ccc3f 00000095`37bfe300 00007ffd`2989b907 chrome!VR_GetStringForHmdError+0x3a82a240 00000095`37bfe4f0 00007ffd`28dad68a chrome!ovly_debug_event+0x870ef741 00000095`37bfe5c0 00007ffd`2898d172 chrome!ChromeMain+0x4b87ea42 00000095`37bfe820 00007ffd`2898c651 chrome!ChromeMain+0x982d243 00000095`37bfe8d0 00007ffd`2898bed2 chrome!ChromeMain+0x977b144 00000095`37bfe9c0 00007ffd`2898b64f chrome!ChromeMain+0x9703245 00000095`37bfebb0 00007ffd`28989b26 chrome!ChromeMain+0x967af46 00000095`37bfecb0 00007ffd`289897d1 chrome!ChromeMain+0x94c8647 00000095`37bfee30 00007ffd`289079fe chrome!ChromeMain+0x9493148 00000095`37bfef10 00007ffd`2c0ca79d chrome!ChromeMain+0x12b5e49 00000095`37bff020 00007ffd`2c0ca4cf chrome!RelaunchChromeBrowserWithNewCommandLineIfNeeded+0xc72cd4a 00000095`37bff160 00007ffd`2890561b chrome!RelaunchChromeBrowserWithNewCommandLineIfNeeded+0xc6fff4b 00000095`37bff1f0 00007ffd`289054ce chrome!ChromeMain+0x1077b4c 00000095`37bff270 00007ffd`28904e1c chrome!ChromeMain+0x1062e4d 00000095`37bff2d0 00007ffd`2bf8f794 chrome!ChromeMain+0xff7c4e 00000095`37bff3a0 00007ffd`28919241 chrome!IsSandboxedProcess+0x41e6f44f 00000095`37bff540 00007ffd`28900ddc chrome!ChromeMain+0x243a150 00000095`37bff5e0 00007ffd`289007fe chrome!ChromeMain+0xbf3c51 00000095`37bff8b0 00007ffd`288f4fb3 chrome!ChromeMain+0xb95e52 00000095`37bff940 00007ff6`da83259a chrome!ChromeMain+0x11353 00000095`37bffa30 00007ff6`da831afd chrome_exe!Ordinal0+0x259a54 00000095`37bffaf0 00007ff6`da96fdc2 chrome_exe!Ordinal0+0x1afd55 00000095`37bffef0 00007ffd`63627034 chrome_exe!GetHandleVerifier+0xe517256 00000095`37bfff30 00007ffd`655fd0d1 KERNEL32!BaseThreadInitThunk+0x1457 00000095`37bfff60 00000000`00000000 ntdll!RtlUserThreadStart+0x21
同时可以使用BrokenType/ttf-otf-dwrite-loader直接加载poc.ttf复现漏洞,崩溃地址不变,调用栈为:
# Child-SP RetAddr Call Site00 00000054`8d70e960 00007ffd`4c107e92 DWrite!fsg_ExecuteGlyph+0x72c01 00000054`8d70ea90 00007ffd`4c107ac3 DWrite!fsg_CreateGlyphData+0x12e02 00000054`8d70eb50 00007ffd`4c1072d9 DWrite!fsg_GridFit+0xbb03 00000054`8d70ebe0 00007ffd`4c105d72 DWrite!fs__Contour+0x1c104 00000054`8d70ecd0 00007ffd`4c105b57 DWrite!TrueTypeRasterizer::Implementation::RasterizeInternal+0xfa05 00000054`8d70ed10 00007ffd`4c105aa4 DWrite!TrueTypeRasterizer::Implementation::GetBitmapInternal+0x2f06 00000054`8d70ed70 00007ffd`4c1f0f2e DWrite!TrueTypeRasterizer::Implementation::GetBitmap+0x3007 00000054`8d70ede0 00007ffd`4c198122 DWrite!TrueTypeRasterizer::Implementation::GetMetrics+0x7a08 00000054`8d70eee0 00007ffd`4c119e35 DWrite!TrueTypeFontMetricsBuilder::GetGlyphMetrics+0x6872209 00000054`8d70efc0 00007ffd`4c1199a8 DWrite!DesignGlyphMetricsRasterizationState::RasterizeGlyph+0x450a 00000054`8d70f030 00007ffd`4c12f614 DWrite!GlyphDataElement<DesignGlyphMetricsLayout,DesignGlyphMetricsRasterizationParameters,DesignGlyphMetricsRasterizationState>::AddGlyphs+0x1480b 00000054`8d70f210 00007ffd`4c12f1ff DWrite!GlyphDataElement<DesignGlyphMetricsLayout,DesignGlyphMetricsRasterizationParameters,DesignGlyphMetricsRasterizationState>::GetGlyphData+0x2740c 00000054`8d70f340 00007ffd`4c12dd20 DWrite!FontFace::GetDesignGlyphMetrics+0xaf0d 00000054`8d70f430 00007ff7`9d301460 DWrite!DWriteFontFace::GetDesignGlyphMetrics+0xc00e 00000054`8d70f4b0 00007ff7`9d3018e4 ttf_otf_dwrite_loader+0x14600f 00000054`8d70f7a0 00007ffd`63627034 ttf_otf_dwrite_loader+0x18e410 00000054`8d70f7e0 00007ffd`655fd0d1 KERNEL32!BaseThreadInitThunk+0x1411 00000054`8d70f810 00000000`00000000 ntdll!RtlUserThreadStart+0x21BrokenType/ttf-otf-dwrite-loader的下载地址为:
https://github.com/googleprojectzero/BrokenType/tree/master/ttf-otf-dwrite-loader字体加载后会调用 TrueTypeRasterizer::Implementation::Initialize 初始化函数,在 Initialize 内部调用 fs_NewSfnt 函数,fs_NewSfnt 又会调用fsg_WorkSpaceSetOffsets 函数,fsg_WorkSpaceSetOffsets 的作用是计算内存分配长度。查看 fsg_WorkSpaceSetOffsets函数的伪代码如下:
a1是指向maxp表的指针,v10 = *((WORD *)a1 + 5)取字段maxCompositePoints 的值,*((WORD *)a1 + 3取字段maxPoints,因为maxCompositePoints和maxPoints的偏移分别是10和6,同时a1被强制转化为(_WORD *) 类型,所以伪代码中偏移5和3就对应10和6。
这段代码逻辑是,比较maxPoints和maxCompositePoints的大小,取大值再与数值1比较大小,最后加上数值8后作为第一个参数传入fsg_GetOutlineSizeAndOffsets函数,最后返回一个计算好的数值。
内存分配操作在Initialize函数调用fs_NewSfnt之后不远处,可以看到fsg_WorkSpaceSetOffsets函数返回的数值最终影响内存分配的长度。
poc.ttf中,maxPoints和maxCompositePoints的值分别是0和3,是畸形数据。
由于fsg_WorkSpaceSetOffsets函数中没有恰当处理,会导致Initialize函数内存分配不足。
当字体渲染时,由于内存分配不足,数据结构fsg_WorkSpaceAddr的内容会覆盖结构体GlyphData。
typedef struct fsg_WorkSpaceAddr{ F26Dot6 * pStack; /* Address of stack */ void * pGlyphOutlineBase; /* Address of Glyph Outline Base */ fnt_ElementType * pGlyphElement; /* Address of Glyph Element array */ boolean * pGlyphDataByteSet; /* Address of ByteSet array */ void * pvGlyphData; /* Address of GlyphData array */ void * pReusableMemoryMarker; /* Address of reusable memory */ } fsg_WorkSpaceAddr; struct GlyphData{ char acIdent[2]; /* Identifier for GlyphData */ GlyphData * pSibling; /* Pointer to siblings */ GlyphData * pChild; /* Pointer to children */ GlyphData * pParent; /* Pointer to parent */ sfac_GHandle hGlyph; /* Handle for font access */ GlyphTypes GlyphType; /* Type of glyph */ uint16 usGlyphIndex; /* Glyph Index */ BBOX bbox; /* Bounding box for glyph */ uint16 usNonScaledAW; /* Nonscaled Advance Width */ int16 sNonScaledLSB; /* Nonscaled Left Side Bearing */ uint16 usDepth; /* Depth of Glyph in composite tree */ sfac_ComponentTypes MultiplexingIndicator;/* Flag for arguments of composites */ boolean bRoundXYToGrid; /* Round composite offsets to grid */ int16 sXOffset; /* X offset for composite (if supplied) */ int16 sYOffset; /* Y offset for composite (if supplied) */ uint16 usAnchorPoint1; /* Anchor Point 1 for composites (if not offsets) */ uint16 usAnchorPoint2; /* Anchor Point 2 for composites (if not offsets) */ transMatrix mulT; /* Transformation matrix for composite */ boolean bUseChildMetrics; /* Should use child metrics? */ boolean bUseMyMetrics; /* Is glyph USE_MY_METRICS? */ point ptDevLSB; /* Left Side Bearing Point */ point ptDevRSB; /* Right Side Bearing Point */ uint16 usScanType; /* ScanType value for this glyph */ uint16 usSizeOfInstructions; /* Size (in bytes) of glyph instructions */ uint8 * pbyInstructions; /* Pointer to glyph instructions */ fnt_ElementType * pGlyphElement; /* Current glyph element pointer */ };
在fsg_CreateGlyphData中,fsg_AllocateGlyphDataMemory负责计算GlyphData的起始地址,fsg_InitializeGlyphData函数将fsg_WorkSpaceAddr成员pGlyphElement的地址赋给了GlyphData的pGlyphElement。由于结构体fsg_WorkSpaceAddr的内容会覆盖到GlyphData,所以在后续函数fsg_ExecuteGlyph中GlyphData.pGlyphElement上的写入操作就会破坏GlyphData。
事实也是如此,当运行到函数fsg_ExecuteGlyph时,rsi+8(GlyphData+8)落在了memset_0准备设置的内存区间(pGlyphElement数组)内,从而触发越界写。
memset_0调用之后,rsi+8地址处的内容会被清零。
接着是__guard_dispatch_icall_fptr函数的调用,这是微软控制流保护机制,实际调用TrueTypeRasterizer::Implementation::ApplyOutlineVariation函数。ApplyOutlineVariation 会调用GlyphOutlineVariationInterpolator::ApplyVariation,作用是读取ttf文件中的数据,赋值给被memset_0清零的内存区间,rsi+8因为处在区间内,所以值会被改为ttf文件中的内容。
rsi+8被控制后,可以达到任意位置写,而被写入的内容同样来自于ttf文件,同样可以被控制。这样,就得到了一个任意地址任意写原语。
通过windbg动态调试发现(在调用memset_0前打断点),地址rsi+8处的值在调用memset_0后被清零。
查看传递给 memset_0 的参数值:
计算得出,memset_0准备设置的内存区间为[0x000001f5cdb98bec,0x000001f5cdb98d34],而rsi+8的值为0x000001f5cdb98d18正好落在了上述区间。所以memset_0执行过后,rsi+8地址处的值被置为0。
继续执行,地址rsi+8处的值在调用DWrite!_guard_dispatch_icall_fptr函数前后也发生了变化,并且被修改为poc中的值。
自此,"add [r8+56h], ax"操作中,r8与ax的值均来自于poc.ttf文件,可以被完全控制,攻击者就可以做到任意地址任意写。
查看补丁文件,发现fsg_WorkSpaceSetOffsets函数作了修改,查阅fsg_WorkSpaceSetOffsets补丁后的伪代码:
在原来的逻辑上,又取出了字段maxComponentElements的值(v12 = *((_WORD *)a1 + 14);),并与之比较大小,将数值大者传入函数fsg_GetOutlineSizeAndOffsets。伪代码稍微有点问题,经过汇编代码比较后,v17其实应该是v33。
调试补丁,memset_0准备设置的内存区间为[0x0000017ce0730f64,0x0000017ce07310ac],区间长度仍然为0x148,而rsi+8的值为0x0000017ce0731698落在了区间之外,不再触发数组越界写漏洞。
DWrite 库文件由于对畸形 ttf 文件的处理不当,导致数组越界写漏洞。攻击者精心构造 ttf 文件后,达到了任意地址任意写,从而能够进一步完成远程代码执行的攻击效果。补丁文件更正了对畸形文件数据的处理逻辑, 使得分配的内存长度更大,避免了越界写的出现。
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24093
https://bugs.chromium.org/p/project-zero/issues/detail?id=2123
http://blog.topsec.com.cn/cve-2021-24093-windows图形组件远程执行代码漏洞分析/
https://packetstormsecurity.com/files/161582/Microsoft-DirectWrite-fsg_ExecuteGlyph-Buffer-Overflow.html
开源OS FreeBSD 中 ftpd chroot 本地提权漏洞 (CVE-2020-7468) 的技术分析
详细分析开源软件 ExifTool 的任意代码执行漏洞 (CVE-2021-22204)
详细分析 Sonlogger 任意文件上传漏洞 (CVE-2021-27964)
手把手教你详细分析 Chrome 1day 漏洞 (CVE-2021-21224)
Codecov后门事件验证分析
题图:Pixabay License
转载请注明“转自奇安信代码卫士 https://codesafe.qianxin.com”。
奇安信代码卫士 (codesafe)
国内首个专注于软件开发安全的
产品线。