cbcvebase.
CVE-2019-1128
published 2019-07-15


Priority: P2 · 65 · high · 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Exploit: EPSS 16.94% (96.7th percentile)
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127.

Affected

36 affected ranges in the source listing, 25 shown; the version-range and fixed-in columns were not extracted, so only vendor/product pairs survive (count of listed ranges in parentheses):

  • microsoft / windows (9 ranges)
  • microsoft / windows_10 (4 ranges)
  • microsoft / windows_10_version_1903_for_32-bit_systems
  • microsoft / windows_10_version_1903_for_arm64-based_systems
  • microsoft / windows_10_version_1903_for_x64-based_systems
  • microsoft / windows_server (3 ranges)
  • microsoft / windows_server_2016 (2 ranges)
  • msrc / windows_10_version_1709_for_32-bit_systems
  • msrc / windows_10_version_1709_for_arm64-based_systems
  • msrc / windows_10_version_1709_for_x64-based_systems
  • msrc / windows_10_version_1803_for_32-bit_systems

Detection & IOCs (extracted from sources)

  • Trigger path: a specially crafted OpenType variable font carrying both a 'CFF ' and a 'CFF2' table reaches the vulnerable AFDKO readCharset() code embedded in DirectWrite. The call chain, innermost frame first, is dwrite!AdobeCFF2Snapshot → FontInstancer → dwrite!DWriteFontFace::CreateInstancedStream / dwrite!DWriteFactory::CreateInstancedStream.
  • Reachable from the browser: the Direct2D printing interface in Microsoft Edge instantiates fonts through d2d1!dxc::TextConvertor::InstanceFontResources, so a user who visits a page embedding the malicious variable font and prints it (to PDF, XPS, or a physical printer) executes the vulnerable path.
  • PoC charset values: the crafted charset descriptor uses width=0x02, id=0x4141, nLeft=0xffff. An nLeft of 0xffff only fits in charset format 2 (two-byte nLeft) and far exceeds the glyph count of any realistic font, so flag CFF charset ranges whose nLeft is anomalously large (e.g. 0xffff / 65535) or whose range runs past the font's glyph count.
  • Table-level indicator: the technique appends a legacy 'CFF ' table to a variable font that already contains a 'CFF2' table. Scan font files for the simultaneous presence of both tags; that combination is abnormal and is the prerequisite for reaching the vulnerable DirectWrite code.
  • Crash/exploitation signature: heap-buffer-overflow write in addID() at cffread.c:1843, called from readCharset() at cffread.c:2187, called from cfrBegFont() at cffread.c:2789. Use the stack-trace pattern for crash triage or sandbox-detonation matching.
  • Caveat: CreateInstancedStream is not a member of a public COM interface, so the known reachable attack surface is the Direct2D printing interface (e.g. Edge print-to-PDF/XPS). Other trigger paths may exist but were not confirmed.
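The two file-level indicators above (both 'CFF ' and 'CFF2' present; a charset range whose nLeft runs past the glyph count) can be checked offline without DirectWrite. The scanner below is an added example written for this page; it is not code from the advisory, from Microsoft or from AFDKO. It parses the sfnt table directory and enough of the 'CFF ' table (INDEX structures, Top DICT operators 15 = charset and 17 = CharStrings, charset formats 1/2) to apply both checks, following the Adobe CFF specification; the overrun rule relies on the spec's definition of a format 1/2 range as covering nLeft+1 glyphs, which is what AFDKO's readCharset() loop writes via addID(). The sample fonts are constructed in code (minimal, not renderable, checksums zero) with the PoC's first=0x4141 / nLeft=0xffff values; they are not real-world samples.

```python
import struct
# Added example (not advisory, Microsoft or AFDKO code). CFF structures follow the
# Adobe CFF spec; a format 1/2 charset range covers nLeft+1 glyphs, which is what
# AFDKO's readCharset() writes. Sample fonts at the bottom are constructed, not real.

def parse_table_directory(data):                  # {tag: bytes} for each sfnt table
    tables = {}
    for i in range(struct.unpack_from(">H", data, 4)[0]):
        tag, _csum, off, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        tables[tag.decode("latin-1")] = data[off:off + length]
    return tables

def read_index(buf, pos):                         # CFF INDEX -> (items, end position)
    count = struct.unpack_from(">H", buf, pos)[0]
    if count == 0:
        return [], pos + 2
    off_size, p = buf[pos + 2], pos + 3
    offsets = [int.from_bytes(buf[p + k * off_size:p + (k + 1) * off_size], "big")
               for k in range(count + 1)]
    base = p + (count + 1) * off_size - 1         # INDEX offsets are 1-based
    return [buf[base + offsets[k]:base + offsets[k + 1]] for k in range(count)], base + offsets[-1]

def parse_dict(buf):                              # CFF DICT -> {operator: [operands]}
    ops, operands, i = {}, [], 0
    while i < len(buf):
        b0 = buf[i]
        if b0 <= 21:                              # operator; 12 escapes to a 2-byte op
            op, i = (1200 + buf[i + 1], i + 2) if b0 == 12 else (b0, i + 1)
            ops[op], operands = operands, []
        elif b0 in (28, 29):                      # int16 / int32 operand
            size = 2 if b0 == 28 else 4
            operands.append(int.from_bytes(buf[i + 1:i + 1 + size], "big", signed=True)); i += 1 + size
        elif b0 == 30:                            # real number: nibbles up to an 0xf nibble
            i += 1
            while not (buf[i] & 0x0F == 0x0F or buf[i] >> 4 == 0x0F): i += 1
            i += 1; operands.append(None)         # value not needed by this scanner
        elif 32 <= b0 <= 246:
            operands.append(b0 - 139); i += 1
        elif 247 <= b0 <= 254:                    # two-byte small integers
            sign, lo = (1, 247) if b0 <= 250 else (-1, 251)
            operands.append(sign * ((b0 - lo) * 256 + buf[i + 1] + 108)); i += 2
        else:
            raise ValueError("reserved DICT byte %d" % b0)
    return ops

def charset_overruns(cff):                        # ranges that write past nGlyphs entries
    _, pos = read_index(cff, cff[2])              # hdrSize at byte 2; skip the Name INDEX
    top = parse_dict(read_index(cff, pos)[0][0])  # first Top DICT
    nglyphs = len(read_index(cff, top[17][0])[0]) # CharStrings INDEX count = nGlyphs
    charset_off = top.get(15, [0])[0]
    if charset_off < 3 or cff[charset_off] not in (1, 2):   # predefined charset or format 0
        return []
    fmt, p, gid, findings = cff[charset_off], charset_off + 1, 1, []
    while gid < nglyphs:                          # gid 0 (.notdef) is implicit
        first = struct.unpack_from(">H", cff, p)[0]
        nleft = cff[p + 2] if fmt == 1 else struct.unpack_from(">H", cff, p + 2)[0]
        p += 3 if fmt == 1 else 4
        if gid + nleft + 1 > nglyphs:             # the vulnerable loop would overflow here
            findings.append({"format": fmt, "gid": gid, "first": first, "nLeft": nleft,
                             "overrun": gid + nleft + 1 - nglyphs})
        gid += nleft + 1
    return findings

def scan_font(data):                              # both advisory indicators for one file
    tables = parse_table_directory(data)
    return {"both_cff_tables": "CFF " in tables and "CFF2" in tables,
            "charset_overruns": charset_overruns(tables["CFF "]) if "CFF " in tables else []}

# Constructed sample fonts: minimal, not renderable, table checksums left at 0.
def _index(items):                                # CFF INDEX with 1-byte offsets
    if not items:
        return b"\x00\x00"
    offsets = [1 + sum(len(it) for it in items[:k]) for k in range(len(items) + 1)]
    return struct.pack(">HB", len(items), 1) + bytes(offsets) + b"".join(items)

def _int32(v):                                    # op 29: fixed-width DICT operand
    return b"\x1d" + struct.pack(">i", v)

def build_cff(first, nleft, nglyphs):             # one format-2 charset range, endchar glyphs
    header, name_idx = bytes([1, 0, 4, 1]), _index([b"X"])
    charset_off = len(header) + len(name_idx) + (5 + 12) + 2 + 2   # 12-byte Top DICT
    charset = bytes([2]) + struct.pack(">HH", first, nleft)
    top = _int32(charset_off) + b"\x0f" + _int32(charset_off + len(charset)) + b"\x11"
    return header + name_idx + _index([top]) + b"\x00\x00\x00\x00" + charset + _index([b"\x0e"] * nglyphs)

def build_otf(tables):                            # sfnt container around raw table blobs
    n, pow2 = len(tables), 1 << (len(tables).bit_length() - 1)
    header = struct.pack(">4sHHHH", b"OTTO", n, pow2 * 16, pow2.bit_length() - 1, n * 16 - pow2 * 16)
    directory, body, base = b"", b"", 12 + 16 * n
    for tag, blob in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag.encode("latin-1"), 0, base + len(body), len(blob))
        body += blob + b"\x00" * (-len(blob) % 4)
    return header + directory + body

def build_suspicious_font():                      # 'CFF ' + stub 'CFF2', charset first=0x4141 nLeft=0xffff
    return build_otf({"CFF ": build_cff(0x4141, 0xFFFF, 2), "CFF2": bytes([2, 0, 5, 0, 0])})

def build_benign_font():                          # plain CFF, one range covering exactly gid 1
    return build_otf({"CFF ": build_cff(1, 0, 2)})
```

Run scan_font() over the bytes of any .otf; for the constructed suspicious font it reports both_cff_tables=True and a single format-2 range at gid 1 with nLeft=0xffff that overruns a two-glyph font by 65535 entries, while the benign font reports nothing. The overrun test, not the raw nLeft value, is the robust one: a large font can legitimately have a large nLeft, but no valid charset range may extend past the CharStrings count. Malformed table directories or truncated CFF data raise struct.error / IndexError, which is the right outcome for a triage script (treat parse failure as its own signal).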

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Vendor (MSRC), CVSS v3.0: 7.8 HIGH

The one-point gap between NVD and MSRC is consistent with MSRC scoring the attack vector as local (a user must open or print the font) rather than network: with every other metric as in the NVD vector, AV:L yields exactly 7.8.