- Language: English
- Conference: Ruxcon
- Location: Melbourne, Australia
- Date: October 2016
- Speaker(s): Mateusz ‘j00ru’ Jurczyk
- Full slide deck (combined slides from Ruxcon and PacSec): https://j00ru.vexillium.org/slides/2016/metafiles_full.pdf
- Ruxcon slides: https://j00ru.vexillium.org/slides/2016/ruxcon.pdf
The 16-bit Windows Metafile (WMF) image file format has been present in the Microsoft software ecosystem since 1990. It remained a fundamental format until 1993, when 32-bit Enhanced Metafiles (EMF) were introduced in the Win32 GDI, eliminating many of the original format’s limitations and significantly extending it. Since then, another derivative format called EMF+ was added in Windows XP, but all of them have been in decline for the last 15 years, in favor of other raster image representations such as BMP, JPEG, PNG or even TIFF.
However, it would be wrong to believe that Metafiles completely went away into oblivion and are no longer a valid attack vector or something to take interest in as a security engineer. They are still supported by Internet Explorer, are the native image storage format in Microsoft Office, and play an essential role in Print Spooling. For these reasons, the metafile formats (but especially EMF) should not be forgotten, and their most widespread implementations in GDI and GDI+ kept at a high quality level.
Internally, metafiles are collections of records instructing the parser which GDI (or GDI+, in case of EMF+) API functions to call, and what parameters to pass to them. In other words, images encoded as metafiles can be thought of as simple GDI-only programs. For any bughunter aware of the complexities of the interface, this sounds like a dream: so many corner cases and conditions to validate against that it’s very unlikely for any implementation to get it completely right. One such commonly known bug was the WMF SetAbortProc vulnerability discovered on December 27, 2005, which took advantage of a documented feature to overwrite a GDI function pointer with the address of attacker-controlled data and have it called, effectively resulting in a reliable arbitrary code execution.
Have GDI and other relevant libraries been thoroughly audited since that incident? Are there any more such critical bugs lurking in the code bases? To what extent can EMF files interact with the operating system? The goal of this talk is to address these questions by discussing the results of my recent research in this area, including detailed analysis of the discovery and exploitation of multiple amusing security flaws, many of which are still not patched at the time of this writing.
- Blog post – Slides about my Windows Metafile research and fuzzing now public
- Detailed bug reports – Google Project Zero bug tracker