Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-15999 PoC — Google Chrome 缓冲区错误漏洞

Source
https://github.com/Marmeus/CVE-2020-15999
Associated Vulnerability
Title:Google Chrome 缓冲区错误漏洞 (CVE-2020-15999)
Description:Google Chrome是美国谷歌(Google)公司的一款Web浏览器。 Google Chrome 86.0.4240.111之前版本中的 FreeType 存在缓冲区错误漏洞,攻击者可利用该漏洞可以通过FreeType的字体文件触发内存破坏,以触发拒绝服务,并可能运行代码。
Description
Todos los materiales necesarios para la PoC en Chrome y ftview
Readme
# CVE-2020-15999

Here you will all the resources in order to execute the PoC for the CVE-2020-15999  in Google Chrome and Ftview (Ubuntu).

There are two folders in this repository, one for each program.

## Google Chrome
In order to reproduce the exploit you will have to install a Google Chrome version previous to the 86.0.4240.111 version. In my case I used the 85.0.4183.121 version that you can install with the following command. 

```
sudo dpkg -i google-chrome-stable_85.0.4183.121-1_amd64.deb
```

Finally, using the web browser, you need to access one of the files: `exploitFontArray.html` or `exploitFontFile.html`. Getting the following result.

**Note:** If you want to use the `exploitFontFile.html`, you will need to generate the `googleFont.ttf`.For doing so, you only have to execute the `array2file.py` file with python2. `python array2file.py`.

![](./Images/PoCGoogle.PNG)

## Ftview

Because in order to reproduce the PoC in [The FreeType Project Bug #59308](https://savannah.nongnu.org/bugs/index.php?59308) is too complicated, me and my partner [maarlo](https://github.com/maarlo/CVE-2020-15999) have developed a script, that you can find in the Ftview folder, so you can see how the vulnerability can be reproduced. 

Just run the script and you will see the following output.

```
=================================================================
==69917==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000029260 at pc 0x7fed4b05d86b bp 0x7ffd022395a0 sp 0x7ffd02239590
WRITE of size 4 at 0x61d000029260 thread T0
    #0 0x7fed4b05d86a in png_combine_row /home/user1/Documents/Master/DDS/Trabajo9/libpng-1.6.37/pngrutil.c:3580
    #1 0x7fed4b020639 in png_read_row /home/user1/Documents/Master/DDS/Trabajo9/libpng-1.6.37/pngread.c:599
    #2 0x7fed4b020c2a in png_read_image /home/user1/Documents/Master/DDS/Trabajo9/libpng-1.6.37/pngread.c:753
    #3 0x7fed4aeafc61 in Load_SBit_Png /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/pngshim.c:439
    #4 0x7fed4aef5330 in tt_face_load_sbix_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/ttsbit.c:1546
    #5 0x7fed4aef589b in tt_face_load_sbit_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/ttsbit.c:1628
    #6 0x7fed4adda2d2 in load_sbit_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttgload.c:2429
    #7 0x7fed4addbc90 in TT_Load_Glyph /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttgload.c:2829
    #8 0x7fed4adcaa91 in tt_glyph_load /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttdriver.c:474
    #9 0x7fed4ad879dc in FT_Load_Glyph /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/base/ftobjs.c:948
    #10 0x55a7f5f860c8  (/usr/bin/ftview+0x60c8)
    #11 0x7fed4aa4a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #12 0x55a7f5f87d1d  (/usr/bin/ftview+0x7d1d)

0x61d000029260 is located 60 bytes to the right of 1956-byte region [0x61d000028a80,0x61d000029224)
allocated by thread T0 here:
    #0 0x7fed4b1c5bc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x7fed4ad7b808 in ft_alloc builds/unix/ftsystem.c:102
    #2 0x7fed4adaa836 in ft_mem_qalloc /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/base/ftutil.c:75
    #3 0x7fed4adaa681 in ft_mem_alloc /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/base/ftutil.c:54
    #4 0x7fed4ad8589e in ft_glyphslot_alloc_bitmap /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/base/ftobjs.c:526
    #5 0x7fed4aeaf9bf in Load_SBit_Png /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/pngshim.c:425
    #6 0x7fed4aef5330 in tt_face_load_sbix_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/ttsbit.c:1546
    #7 0x7fed4aef589b in tt_face_load_sbit_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/ttsbit.c:1628
    #8 0x7fed4adda2d2 in load_sbit_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttgload.c:2429
    #9 0x7fed4addbc90 in TT_Load_Glyph /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttgload.c:2829
    #10 0x7fed4adcaa91 in tt_glyph_load /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttdriver.c:474
    #11 0x7fed4ad879dc in FT_Load_Glyph /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/base/ftobjs.c:948
    #12 0x55a7f5f860c8  (/usr/bin/ftview+0x60c8)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user1/Documents/Master/DDS/Trabajo9/libpng-1.6.37/pngrutil.c:3580 in png_combine_row
Shadow bytes around the buggy address:
  0x0c3a7fffd1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffd200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffd210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffd220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffd230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffd240: 00 00 00 00 04 fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c3a7fffd250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffd260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffd270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffd280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffd290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==69917==ABORTING
```
File Snapshot

 [4.0K]  /data/pocs/7d8a1f20860633527efc8c8d8899529fc646ea64
├── [4.0K]  Ftview
│   └── [1.0K]  run.sh
├── [4.0K]  Google-Chrome
│   ├── [1.8K]  array2file.py
│   ├── [1.8K]  exploitFontArray.html
│   ├── [ 263]  exploitFontFile.html
│   ├── [ 67M]  google-chrome-stable_85.0.4183.121-1_amd64.deb
│   └── [513K]  googleFont.ttf
├── [4.0K]  Images
│   └── [150K]  PoCGoogle.PNG
└── [6.0K]  README.md

3 directories, 8 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.