Here you will all the resources in order to execute the PoC for the CVE-2020-15999 in Google Chrome and Ftview (Ubuntu).
There are two folders in this repository, one for each program.
In order to reproduce the exploit you will have to install a Google Chrome version previous to the 86.0.4240.111 version. In my case I used the 85.0.4183.121 version that you can install with the following command.
sudo dpkg -i google-chrome-stable_85.0.4183.121-1_amd64.deb
Finally, using the web browser, you need to access one of the files: exploitFontArray.html or exploitFontFile.html. Getting the following result.
Note: If you want to use the exploitFontFile.html, you will need to generate the googleFont.ttf.For doing so, you only have to execute the array2file.py file with python2. python array2file.py.
Because in order to reproduce the PoC in The FreeType Project Bug #59308 is too complicated, me and my partner maarlo have developed a script, that you can find in the Ftview folder, so you can see how the vulnerability can be reproduced.
Just run the script and you will see the following output.
=================================================================
==69917==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000029260 at pc 0x7fed4b05d86b bp 0x7ffd022395a0 sp 0x7ffd02239590
WRITE of size 4 at 0x61d000029260 thread T0
#0 0x7fed4b05d86a in png_combine_row /home/user1/Documents/Master/DDS/Trabajo9/libpng-1.6.37/pngrutil.c:3580
#1 0x7fed4b020639 in png_read_row /home/user1/Documents/Master/DDS/Trabajo9/libpng-1.6.37/pngread.c:599
#2 0x7fed4b020c2a in png_read_image /home/user1/Documents/Master/DDS/Trabajo9/libpng-1.6.37/pngread.c:753
#3 0x7fed4aeafc61 in Load_SBit_Png /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/pngshim.c:439
#4 0x7fed4aef5330 in tt_face_load_sbix_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/ttsbit.c:1546
#5 0x7fed4aef589b in tt_face_load_sbit_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/ttsbit.c:1628
#6 0x7fed4adda2d2 in load_sbit_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttgload.c:2429
#7 0x7fed4addbc90 in TT_Load_Glyph /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttgload.c:2829
#8 0x7fed4adcaa91 in tt_glyph_load /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttdriver.c:474
#9 0x7fed4ad879dc in FT_Load_Glyph /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/base/ftobjs.c:948
#10 0x55a7f5f860c8 (/usr/bin/ftview+0x60c8)
#11 0x7fed4aa4a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#12 0x55a7f5f87d1d (/usr/bin/ftview+0x7d1d)
0x61d000029260 is located 60 bytes to the right of 1956-byte region [0x61d000028a80,0x61d000029224)
allocated by thread T0 here:
#0 0x7fed4b1c5bc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x7fed4ad7b808 in ft_alloc builds/unix/ftsystem.c:102
#2 0x7fed4adaa836 in ft_mem_qalloc /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/base/ftutil.c:75
#3 0x7fed4adaa681 in ft_mem_alloc /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/base/ftutil.c:54
#4 0x7fed4ad8589e in ft_glyphslot_alloc_bitmap /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/base/ftobjs.c:526
#5 0x7fed4aeaf9bf in Load_SBit_Png /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/pngshim.c:425
#6 0x7fed4aef5330 in tt_face_load_sbix_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/ttsbit.c:1546
#7 0x7fed4aef589b in tt_face_load_sbit_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/sfnt/ttsbit.c:1628
#8 0x7fed4adda2d2 in load_sbit_image /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttgload.c:2429
#9 0x7fed4addbc90 in TT_Load_Glyph /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttgload.c:2829
#10 0x7fed4adcaa91 in tt_glyph_load /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/truetype/ttdriver.c:474
#11 0x7fed4ad879dc in FT_Load_Glyph /home/user1/Documents/Master/DDS/Trabajo9/freetype2-VER-2-10-3/src/base/ftobjs.c:948
#12 0x55a7f5f860c8 (/usr/bin/ftview+0x60c8)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user1/Documents/Master/DDS/Trabajo9/libpng-1.6.37/pngrutil.c:3580 in png_combine_row
Shadow bytes around the buggy address:
0x0c3a7fffd1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffd200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffd210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffd220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffd230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffd240: 00 00 00 00 04 fa fa fa fa fa fa fa[fa]fa fa fa
0x0c3a7fffd250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffd260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffd270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffd280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffd290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==69917==ABORTING