Google’s Project Zero has proved controversial on several occasions already, with the search giant publicly revealing details of software bugs when companies fail to fix them. Now the project has unearthed a bug in Windows, and as Microsoft failed to patch it within 90 days of being notified, details of the flaw have been made available for everyone to see — and exploit.
A problem with the Windows Graphics Component GDI library (gdi32.dll) means that an attacker could use EMF metafiles to read heap memory they should not have access to, and so disclose its contents. While Microsoft has issued Security Bulletin MS16-074, Google’s Mateusz Jurczyk says it failed to properly address the problem — hence the public outing of the bug.
In a posting on the Project Zero board, Mateusz Jurczyk explains how the bug works. The post — entitled “Windows gdi32.dll heap-based out-of-bounds reads / memory disclosure in EMR_SETDIBITSTODEVICE and possibly other records” — says that Microsoft issued a patch that fixed a related issue, but not all of the memory access issues were addressed.
As part of MS16-074, some of the bugs were indeed fixed, such as the EMR_STRETCHBLT record, which the original proof-of-concept image relied on. However, we’ve discovered that not all of the DIB-related problems are gone. For instance, the implementation of EMR_SETDIBITSTODEVICE (residing in the MRSETDIBITSTODEVICE::bPlay function) still doesn’t enforce condition #3. As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.
The proof-of-concept file attached here consists of a single EMR_SETDIBITSTODEVICE record (excluding the header/EOF records), which originally contained a 1×1 bitmap. The dimensions of the DIB were then manually altered to 16×16, without adding any more actual image data. As a consequence, the 16×16/24bpp bitmap is now described by just 4 bytes, which is good for only a single pixel. The remaining 255 pixels are drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space. I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file.
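The mismatch the excerpt describes is between what a DIB header claims (16×16 pixels at 24 bits per pixel) and the amount of pixel data the record actually carries (4 bytes). The following is an added example, not Project Zero's proof-of-concept file and not Microsoft's code: a small Python validator that parses an EMR_SETDIBITSTODEVICE record, computes how many bytes an uncompressed DIB of the declared geometry needs, and rejects records whose pixel buffer is too short. The record and BITMAPINFOHEADER field offsets follow the layout in Microsoft's published [MS-EMF]/[MS-WMF] specifications as understood here, and the two records it builds are constructed inline for the demonstration.

```python
import struct

# Layout of an EMR_SETDIBITSTODEVICE record (type 80) followed by a
# BITMAPINFOHEADER, per Microsoft's [MS-EMF]/[MS-WMF] specs. The constants,
# formats and builder below are this example's own (assumed) encoding of that
# layout; the records are constructed here, not taken from the PoC file.
EMR_SETDIBITSTODEVICE = 80
RECORD_FIXED_SIZE = 76            # record fields that precede the bitmap buffer
BITMAPINFOHEADER_SIZE = 40
BI_RGB = 0                        # uncompressed DIB
# Type, Size, Bounds(4), xDest, yDest, xSrc, ySrc, cxSrc, cySrc,
# offBmiSrc, cbBmiSrc, offBitsSrc, cbBitsSrc, UsageSrc, iStartScan, cScans
RECORD_FMT = "<II10i7I"
# biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression, biSizeImage,
# biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
BMIH_FMT = "<IiiHHIIiiII"


def dib_required_bytes(width, height, bpp):
    """Bytes an uncompressed DIB needs: each row is padded to a 4-byte multiple,
    and a negative height only means top-down row order."""
    stride = ((width * bpp + 31) // 32) * 4
    return stride * abs(height)


def build_record(width, height, bpp, pixel_bytes):
    """Construct a minimal EMR_SETDIBITSTODEVICE record whose DIB header declares
    width x height @ bpp but carries exactly len(pixel_bytes) bytes of data."""
    bmih = struct.pack(BMIH_FMT, BITMAPINFOHEADER_SIZE, width, height, 1, bpp,
                       BI_RGB, len(pixel_bytes), 0, 0, 0, 0)
    bits = pixel_bytes + b"\0" * ((-len(pixel_bytes)) % 4)   # keep record 4-byte aligned
    off_bmi = RECORD_FIXED_SIZE
    off_bits = off_bmi + len(bmih)
    size = off_bits + len(bits)
    hdr = struct.pack(RECORD_FMT, EMR_SETDIBITSTODEVICE, size,
                      0, 0, width - 1, abs(height) - 1,      # Bounds
                      0, 0, 0, 0, width, abs(height),        # xDest, yDest, xSrc, ySrc, cxSrc, cySrc
                      off_bmi, len(bmih), off_bits, len(pixel_bytes),
                      0, 0, abs(height))                     # UsageSrc=DIB_RGB_COLORS, iStartScan, cScans
    return hdr + bmih + bits


def check_setdibitstodevice(record):
    """Return (ok, reason). ok is False when the header's geometry is not backed
    by enough pixel data, or when any offset points outside the record."""
    if len(record) < RECORD_FIXED_SIZE:
        return False, "record shorter than its fixed header"
    f = struct.unpack_from(RECORD_FMT, record, 0)
    rtype, size = f[0], f[1]
    off_bmi, cb_bmi, off_bits, cb_bits = f[12], f[13], f[14], f[15]
    if rtype != EMR_SETDIBITSTODEVICE:
        return False, f"not an EMR_SETDIBITSTODEVICE record (type {rtype})"
    if size != len(record):
        return False, "Size field does not match record length"
    if cb_bmi < BITMAPINFOHEADER_SIZE or off_bmi + cb_bmi > size:
        return False, "BITMAPINFO lies outside the record"
    if off_bits + cb_bits > size:
        return False, "pixel data lies outside the record"
    bi = struct.unpack_from(BMIH_FMT, record, off_bmi)
    width, height, bpp, compression = bi[1], bi[2], bi[4], bi[5]
    if compression != BI_RGB:
        return False, "compressed DIBs are not handled by this example"
    if width < 0 or bpp not in (1, 4, 8, 16, 24, 32):
        return False, f"implausible DIB geometry: width={width} bpp={bpp}"
    need = dib_required_bytes(width, height, bpp)
    if cb_bits < need:
        return False, (f"header claims {width}x{height}@{bpp}bpp ({need} bytes) "
                       f"but only {cb_bits} bytes of pixel data are present")
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one 24bpp BGR pixel plus one byte of row padding.
    one_pixel = b"\x00\x00\xff\x00"
    cases = (("1x1 header, 1 pixel of data", 1, 1),
             ("16x16 header, 1 pixel of data", 16, 16))
    for label, w, h in cases:
        ok, why = check_setdibitstodevice(build_record(w, h, 24, one_pixel))
        print(f"{label}: {'accept' if ok else 'reject'} ({why})")
```

A renderer that enforces the `cb_bits < need` check before touching the pixel buffer never reads past the supplied bytes, so the 255 "junk" pixels the excerpt describes are never produced; the same arithmetic is what a file-format scanner can use to flag EMF content whose declared DIB geometry outruns its payload.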
As per the “rules” of Project Zero, Jurczyk informed Microsoft about the bug on 16 November, giving the Windows-maker 90 days to get things sorted before going public. With this month’s batch of security patches from Microsoft being delayed, the company missed the deadline, so the details of the bug are now available for everyone to see.
Image credit: Mmaxer / Shutterstock