Issue metadata

Status: Fixed
Closed: Jul 2016

Issue 825: Microsoft GDI+ rendering of uninitialized heap bytes as pixels when handling malformed RLE-compressed bitmaps

Reported by mjurczyk@google.com, May 17 2016 Project Member

Issue description

The GDI+ library can handle bitmaps originating from untrusted sources through a variety of attack vectors, like EMF files, which may embed bitmaps in records such as EMR_PLGBLT, EMR_BITBLT, EMR_STRETCHBLT, EMR_STRETCHDIBITS etc. The GDI+ implementation supports bitmaps compressed with the BI_RLE8 (8-bit Run-Length Encoding) compression algorithm, and performs the actual decompression in the gdiplus!DecodeCompressedRLEBitmap function.

The buffer allocated to store the decompressed pixels is not cleared during or directly after the HeapAlloc() call, which causes it to contain heap metadata and leftover data from previous allocations. The RLE compression algorithm makes it possible to skip some (in an extreme case: all) bytes in the output buffer; this can be achieved with escape codes such as "End of line", "End of bitmap" or "Delta". If the compressed stream starts with the "End of bitmap" marker, the entire memory region remains uninitialized, which in turn leads to junk bytes being displayed as pixels. In the context of GDI+ clients which make it possible to read the rendered pixels back and send them to an attacker, or to use them as part of a larger exploit chain, the bug could result in disclosure of sensitive data or defeat of exploit mitigations such as ASLR.

A proof-of-concept poc.emf file is attached, which uses the EMR_PLGBLT record to embed a malformed bitmap. When loaded in a GDI+ client (e.g. Microsoft Office), it will clearly display contents of uninitialized heap memory. An example result of inserting it into a blank presentation in PowerPoint 2013 four times is illustrated in the attached screenshot.
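As an added illustration (not code from the report or from GDI+), here is a minimal BI_RLE8 decoder that zero-fills its output before decoding and bounds-checks encoded runs, deltas and absolute blocks, so a stream that skips pixels with "End of bitmap" or "Delta" can never surface allocator leftovers. The sample streams below are constructed for a 4x2 image rather than extracted from poc.emf, and the 0xAA sentinel stands in for stale heap data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Decode a BI_RLE8 stream into a width*height 8-bpp buffer; returns the pixel bytes written,
 * or -1 if malformed. The output is zeroed first, so skipped pixels never show stale heap. */
long decode_rle8(const uint8_t *in, size_t in_len, uint8_t *out, size_t width, size_t height)
{
    size_t x = 0, y = 0, i = 0; long written = 0;
    memset(out, 0, width * height);    /* the clearing step the report says GDI+ omits */
    while (i + 1 < in_len) {
        uint8_t count = in[i], val = in[i + 1]; i += 2;
        if (count > 0) {                           /* encoded run: count copies of val */
            if (y >= height || count > width - x) return -1;
            memset(out + y * width + x, val, count);
            x += count; written += count;
        } else if (val == 0) {                     /* escape 0: end of line */
            x = 0; if (++y > height) return -1;
        } else if (val == 1) {                     /* escape 1: end of bitmap */
            return written;
        } else if (val == 2) {                     /* escape 2: delta, skip (dx, dy) pixels */
            if (i + 1 >= in_len) return -1;
            uint8_t dx = in[i], dy = in[i + 1]; i += 2;
            if (dx > width - x || dy > height - y) return -1;
            x += dx; y += dy;
        } else {                                   /* absolute mode: val literal bytes */
            if (y >= height || val > width - x || val > in_len - i) return -1;
            memcpy(out + y * width + x, in + i, val);
            x += val; written += val;
            i += val + (val & 1);                  /* absolute runs are padded to 16 bits */
        }
    }
    return -1;                                     /* no EOB marker: reject the stream */
}
/* Constructed sample streams for a 4x2 image (not taken from the report's poc.emf). */
static const uint8_t EOB_FIRST[] = {0x00, 0x01};                         /* EOB right away */
static const uint8_t SHORT_ROW[] = {0x03, 0x07, 0x00, 0x00, 0x00, 0x01}; /* 3 px, EOL, EOB */
static const uint8_t SKIP_ONE[]  = {0x00, 0x02, 0x01, 0x00, 0x00, 0x03, 0x09, 0x08, 0x07, 0x00,
                                    0x00, 0x01};      /* delta 1 px, 3 literal px + pad, EOB */
static const uint8_t BAD_RUN[]   = {0x05, 0x07};                         /* run past row end */
/* Pre-fill a heap buffer with a sentinel for stale data, decode, return surviving sentinels. */
long stale_bytes_after_decode(const uint8_t *in, size_t n, size_t w, size_t h)
{
    uint8_t *buf = malloc(w * h); long stale = 0;  /* stands in for the HeapAlloc()'d buffer */
    if (!buf) return -1;
    memset(buf, 0xAA, w * h);                      /* 0xAA plays the role of leftover heap data */
    if (decode_rle8(in, n, buf, w, h) < 0) stale = -1;   /* -1: decoder rejected the stream */
    else for (size_t k = 0; k < w * h; k++) stale += (buf[k] == 0xAA);
    free(buf); return stale;
}
```

With the memset in place, stale_bytes_after_decode() reports 0 for the EOB-first stream; without it, every one of the 8 pixels would carry whatever the allocator left behind, which is the behaviour the report describes.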

The above analysis was performed using the gdiplus.dll file found in C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll on a fully patched Windows 7 64-bit operating system (md5sum c861ee277cd4e2d914740000161956ef).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
 
Attachments: poc.emf (41.8 KB), screenshot.png (142 KB)

Comment 1 by mjurczyk@google.com, May 19 2016

Project Member
Labels: -Reported-2016-May-17 Reported-2016-May-19

Comment 2 by mjurczyk@google.com, Jul 26 2016

Project Member
Labels: MSRC-33521

Comment 3 by mjurczyk@google.com, Jul 26 2016

Project Member
Labels: -Restrict-View-Commit
Status: WontFix (was: New)
Microsoft has responded that the bug does not meet the bar for a security bulletin, but a fix will be evaluated for upcoming next-version releases. Derestricting.

Comment 4 by mjurczyk@google.com, Oct 12 2016

Project Member
Labels: Fixed-2016-Oct-11 Deadline-Exceeded CVE-2016-3262
Status: Fixed (was: WontFix)
We discovered that this bug was also remotely exploitable through Office Online. As a result, MSRC reconsidered their decision and fixed the issue in a security bulletin: https://technet.microsoft.com/library/security/MS16-120.
