Google discloses technical details of Windows CVE-2021-24093 RCE flaw

Pierluigi Paganini February 25, 2021

Google Project Zero team disclosed the details of a recently patched remote code execution vulnerability (CVE-2021-24093) in Windows Operating system.

White hat hacker at Google Project Zero disclosed the details of a recently patched Windows vulnerability, tracked as CVE-2021-24093, that can be exploited for remote code execution in the context of the DirectWrite client.

DirectWrite is a Windows API designed to provide supports measuring, drawing, and hit-testing of multi-format text.

The vulnerability was discovered by Dominik Röttsches of Google and Mateusz Jurczyk of Google Project Zero, the company reported the issue to Microsoft in November and disclosed this week the details of the issue.

The flaw was addressed with the release of February 2021 Patch Tuesday updates.

The issue affects the Windows graphics component in all operating systems and received a CVSS score of 8.8.

An attacker could exploit the flaw by tricking the victims into visiting a specially crafted site hosting a file set up to trigger the issue.

The CVE-2021-24093 vulnerability is a DirectWrite heap-based buffer overflow that resides in the processing of a specially crafted TrueType font.

“We have discovered a crash in the DWrite!fsg_ExecuteGlyph function when loading and rasterizing a malformed TrueType font with a corrupted “maxp” table. Specifically, it was triggered after changing the value of the maxPoints field from 168 to 0, and the maxCompositePoints value from 2352 to 3 in our test font. We believe that this causes an inadequately small buffer to be allocated from the heap.” reads the report published by Google.

The researchers also released a proof-of-concept (PoC) exploit (poc.ttf poc.html).

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-24093,)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment