CVE-2017-8683
medium
CVSS v3
5.5
CVSS v4 NEW
โ
VIR risk
6.5
Description
Windows graphics on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, allows an attacker to execute remote code by the way it handles embedded fonts, aka "Win32k Graphics Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-8682.
Predictions
Exploit likelihood
55%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Microsoft Windows Kernel - 'win32k.sys' '.TTF' Font Processing Out-of-Bounds Read with Malformed 'glyf' Table 'win32k!fsc_CalcGrayRow' (Denial of Service)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1274
We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff1effff, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91a65a52, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!fsc_CalcGrayRow+87
91a65a52 660fbe4fff movsx cx,byte ptr [edi-1]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 91a65990 to 91a65a52
STACK_TEXT:
981a885c 91a65990 ff1f83f8 ff1f8140 ff1f83a8 win32k!fsc_CalcGrayRow+0x87
981a88a0 919e26ac 00000008 ff1f8010 fbb36e78 win32k!fsc_CalcGrayMap+0x105
981a88e8 91b69e1a ff1f8010 ff1f807c 00000005 win32k!fs_ContourScan+0x582
981a89f4 91b69ef2 00000000 00000005 981a8b08 win32k!lGGOBitmap+0x15f
981a8a1c 919dd4f0 fbb36e78 00000005 981a8b08 win32k!ttfdGlyphBitmap+0x60
981a8a40 919dd386 fc23ccf0 00000009 00000005 win32k!ttfdQueryFontData+0x115
981a8a90 919dc5b2 00000000 fc23ccf0 00000009 win32k!ttfdSemQueryFontData+0x45
981a8ad8 91b351b4 00000000 fc23ccf0 00000009 win32k!PDEVOBJ::QueryFontData+0x3e
981a8b90 91b2cd60 fc23ccf0 fc23ccf0 00000006 win32k!GreGetGlyphOutlineInternal+0x534
981a8c0c 8288587a 04010215 00000022 00000006 win32k!NtGdiGetGlyphOutline+0x95
981a8c0c 76f370b4 04010215 00000022 00000006 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0020f504 00000000 00000000 00000000 00000000 0x76f370b4
---
The above crash dump comes from an old version of Windows 7 32-bit, because symbols for win32k.sys on the latest build are currently unavailable on the Microsoft Symbol Server. Nevertheless, a crash summary from an up-to-date system is as follows:
--- cut ---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff1e3fff, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91ce9382, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!EngDeleteClip+4883
91ce9382 660fbe4fff movsx cx,byte ptr [edi-1]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 91ce92c0 to 91ce9382
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
9aa98858 91ce92c0 ff1ee3f8 ff1ee140 ff1ee3a8 win32k!EngDeleteClip+0x4883
9aa9889c 91c64346 00000008 ff1ee010 fb9dce78 win32k!EngDeleteClip+0x47c1
9aa988e4 91dfa025 ff1ee010 ff1ee07c 00000005 win32k!XFORMOBJ_iGetXform+0x5864
9aa989f0 91dfa0fd 00000000 00000005 9aa98b04 win32k!XLATEOBJ_hGetColorTransform+0x40a1c
9aa98a18 91c5f086 fb9dce78 00000005 9aa98b04 win32k!XLATEOBJ_hGetColorTransform+0x40af4
9aa98a3c 91c5ef1c fc22ccf0 00000009 00000005 win32k!XFORMOBJ_iGetXform+0x5a4
9aa98a8c 91c5e138 00000000 fc22ccf0 00000009 win32k!XFORMOBJ_iGetXform+0x43a
9aa98ad4 91dc3424 00000000 fc22ccf0 00000009 win32k!EngCTGetGammaTable+0xc967
9aa98b90 91dbafcc fc22ccf0 fc22ccf0 00000006 win32k!XLATEOBJ_hGetColorTransform+0x9e1b
9aa98c0c 82888986 0c0104d1 00000022 00000006 win32k!XLATEOBJ_hGetColorTransform+0x19c3
9aa98c0c 77986c74 0c0104d1 00000022 00000006 nt!KiSystemServicePostCall
001cf4ac 00000000 00000000 00000000 00000000 0x77986c74
--- cut ---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "glyf" table.
The issue reproduces on Windows 7 (other platforms untested). It is easiest to reproduce with Special Pools enabled for win32k.sys. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which calls the GetGlyphOutline() API with various parameters over all of the font's glyphs.
Attached is an archive with several proof-of-concept mutated TTF files.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42746.zipOS impact
Windows Affected 5 releases
| Version | Status | Fixed in |
|---|---|---|
| r2 | Affected | โ |
| 1703 | Affected | โ |
| 1607 | Affected | โ |
| 1511 | Affected | โ |
| - | Affected | โ |
References
- http://www.securityfocus.com/bid/100781
- http://www.securitytracker.com/id/1039338
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8683
- https://www.exploit-db.com/exploits/42746/
- http://www.securityfocus.com/bid/100781
- http://www.securitytracker.com/id/1039338
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8683
- https://www.exploit-db.com/exploits/42746/
CWEs
CWE-200
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.