Windows Metafiles: An Analysis of the EMF Attack Surface & Recent Vulnerabilities (PacSec 2016)


  • Language: English
  • Conference: PacSec
  • Location: Tokyo, Japan
  • Date: October 2016
  • Speaker(s): Mateusz ‘j00ru’ Jurczyk



The old 16-bit Windows Metafile (WMF) image format and its successors (EMF, EMF+) are little known today, but it would be wrong to believe that they went away into oblivion and are no longer a valid attack vector. They are still supported by Internet Explorer, are the native image storage format in Microsoft Office, and play an essential role in Print Spooling. Internally, metafiles are collections of records instructing the parser which GDI functions to call, and what parameters to pass to them. For any bughunter aware of the complexities of the interface, this sounds like a dream: so many corner cases to validate against that it’s very unlikely for any implementation to get it completely right. One such commonly known bug was the WMF SetAbortProc vulnerability discovered in 2005, which took advantage of a documented feature to overwrite a GDI function pointer with the address of attacker-controlled data and have it called, effectively resulting in a reliable arbitrary code execution.

Have GDI and other relevant libraries been thoroughly audited since that incident? Are there any more such critical bugs lurking in the code bases? To what extent can EMF files interact with the operating system? The goal of this talk is to address these questions by discussing the results of my recent research in this area, including detailed analysis of the discovery and exploitation of multiple amusing security flaws.