cbcvebase.
CVE-2019-1117
published 2019-07-15

CVE-2019-1117: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This…

PriorityP266high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
23.67%
97.5th percentile
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.

Affected

36 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10_version_1903_for_32-bit_systems
microsoftwindows_10_version_1903_for_arm64-based_systems
microsoftwindows_10_version_1903_for_x64-based_systems
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server_2016
microsoftwindows_server_2016
msrcwindows_10_version_1709_for_32-bit_systems
msrcwindows_10_version_1709_for_arm64-based_systems
msrcwindows_10_version_1709_for_x64-based_systems
msrcwindows_10_version_1803_for_32-bit_systems

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47086.zip
processDWrite!t2Decode
command./tx -cff
  • Monitor for recursive calls to DWrite!t2Decode on the call stack, particularly deep recursion chains (10+ frames) originating from DWrite!t2cParse -> DWrite!readGlyph -> DWrite!cfrIterateGlyphs -> DWrite!AdobeCFF2Snapshot -> DWrite!FontInstancer::InstanceCffTable, triggered during font instancing of OpenType variable fonts.
  • The exploit is triggered via the Direct2D printing interface in Microsoft Edge: a user opening a specially crafted webpage with an embedded OpenType variable font and printing it (to PDF, XPS, or a printer) will trigger the vulnerable code path through d2d1!dxc::TextConvertor::InstanceFontResources -> DWrite!DWriteFontFace::CreateInstancedStream.
  • The PoC font triggers the bug on decoding the glyph instruction stream for letter 'A' by calling a global subroutine (index 0) that recursively invokes itself via the tx_compose operator, incrementing cubeStackDepth without bounds until stack corruption occurs. Look for OpenType/CFF fonts with deeply recursive subroutine calls using the tx_compose (opcode 2) operator.
  • Stack corruption manifests as an ACCESS_VIOLATION (code c0000005) within DWrite!t2Decode when cubeStackDepth exceeds CUBE_LE_STACKDEPTH (6), with cubeStackDepth values observed at 69+ in crash logs. This can be detected via crash telemetry or application verifier on dwrite.dll.
  • ·The vulnerability is only reachable via the font instancing code path (variable fonts). The CreateInstancedStream method is not a public COM interface; the known trigger is through the Direct2D printing interface (d2d1!dxc::TextConvertor::InstanceFontResources). Other trigger paths may exist but are unconfirmed.
  • ·Microsoft's advisory notes the exploit status as 'Publicly Disclosed: No; Exploited: No' with exploitation rated 'Less Likely' for both latest and older software releases at time of patch (July 2019).

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.