825 - Microsoft GDI+ rendering of uninitialized heap bytes as pixels when handling malformed RLE-compressed bitmaps - project-zero

Starred by 1 user

Status:	Fixed
Owner:	mjurczyk@google.com
Closed:	Jul 2016
Cc:	project-...@google.com
Severity-Medium Deadline-90 Deadline-Exceeded CCProjectZeroMembers Finder-mjurczyk Vendor-Microsoft Product-gdiplus Reported-2016-May-19 MSRC-33521 Fixed-2016-Oct-11 CVE-2016-3262

Microsoft GDI+ rendering of uninitialized heap bytes as pixels when handling malformed RLE-compressed bitmaps

Project Member Reported by mjurczyk@google.com, May 17 2016

Back to list

The GDI+ library can handle bitmaps originating from untrusted sources through a variety of attack vectors, like EMF files, which may embed bitmaps in records such as EMR_PLGBLT, EMR_BITBLT, EMR_STRETCHBLT, EMR_STRETCHDIBITS etc. The GDI+ implementation supports bitmaps compressed with the BI_RLE8 (8-bit Run-Length Encoding) compression algorithm, and performs the actual decompression in the gdiplus!DecodeCompressedRLEBitmap function.

The buffer allocated to store the decompressed pixels is not cleared during or directly after the HeapAlloc() call, which causes it contain heap metadata and leftover data of previous allocations. The RLE compression algorithm makes it possible to skip some (in an extreme case: all) bytes in the output buffer; this could be achieved by using escape codes such as "End of line", "End of bitmap" or "Delta". If we start the compressed stream with the "End of bitmap" marker, the entirety of the memory region will remain uninitialized, which will in turn lead to displaying junk bytes as pixels. In the context of GDI+ clients which make it possible to read the rendered pixels back and send them to an attacker or use as part of a larger exploit chain, the bug could result in disclosure of sensitive data or defeat of exploit mitigations such as ASLR.

A proof-of-concept poc.emf file is attached, which uses the EMR_PLGBLT record to embed a malformed bitmap. When loaded in a GDI+ client (e.g. Microsoft Office), it will clearly display contents of uninitialized heap memory. An example result of inserting it into a blank presentation in PowerPoint 2013 four times is illustrated in the attached screenshot.

The above analysis was performed using the gdiplus.dll file found in C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll on a fully patched Windows 7 64-bit operating system (md5sum c861ee277cd4e2d914740000161956ef).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

poc.emf
41.8 KB Download

	screenshot.png 142 KB View Download

Project Member Comment 1 by mjurczyk@google.com, May 19 2016

Labels: -Reported-2016-May-17 Reported-2016-May-19

Project Member Comment 2 by mjurczyk@google.com, Jul 26 2016

Labels: MSRC-33521

Project Member Comment 3 by mjurczyk@google.com, Jul 26 2016

Labels: -Restrict-View-Commit
Status: WontFix

Microsoft has responded that the bug does not meet the bar for a security bulletin, but a fix will be evaluated for upcoming next-version releases. Derestricting.

Project Member Comment 4 by mjurczyk@google.com, Oct 12 2016

Labels: Fixed-2016-Oct-11 Deadline-Exceeded CVE-2016-3262
Status: Fixed

We discovered that this bug was also remotely exploitable through Office Online. As a result, MSRC reconsidered their decision and fixed the issue in a security bulletin: https://technet.microsoft.com/library/security/MS16-120.

► Sign in to add a comment