- Language: English
- Conference: PacSec
- Location: Tokyo, Japan
- Date: October 2016
- Speaker(s): Mateusz ‘j00ru’ Jurczyk
- Full slide deck (combined slides from Ruxcon and PacSec): https://j00ru.vexillium.org/slides/2016/metafiles_full.pdf
- PacSec slides (English): https://j00ru.vexillium.org/slides/2016/pacsec.pdf
- PacSec slides (Japanese): http://www.slideshare.net/PacSecJP/jurczyk-windows-metafilepacsecjp3
The old 16-bit Windows Metafile (WMF) image format and its successors (EMF, EMF+) are little known today, but it would be wrong to believe that they went away into oblivion and are no longer a valid attack vector. They are still supported by Internet Explorer, are the native image storage format in Microsoft Office, and play an essential role in Print Spooling. Internally, metafiles are collections of records instructing the parser which GDI functions to call, and what parameters to pass to them. For any bughunter aware of the complexities of the interface, this sounds like a dream: so many corner cases to validate against that it’s very unlikely for any implementation to get it completely right. One such commonly known bug was the WMF SetAbortProc vulnerability discovered in 2005, which took advantage of a documented feature to overwrite a GDI function pointer with the address of attacker-controlled data and have it called, effectively resulting in a reliable arbitrary code execution.
Have GDI and other relevant libraries been thoroughly audited since that incident? Are there any more such critical bugs lurking in the code bases? To what extent can EMF files interact with the operating system? The goal of this talk is to address these questions by discussing the results of my recent research in this area, including detailed analysis of the discovery and exploitation of multiple amusing security flaws.
- Blog post – Slides about my Windows Metafile research and fuzzing now public
- Detailed bug reports – Google Project Zero bug tracker