cbcvebase.
CVE-2016-0168
published 2016-05-11

CVE-2016-0168: GDI in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and…

Priority: P3 · 56 · medium · 6.5 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N
Exploit: public exploit available
EPSS: 43.25% (98.6th percentile)
GDI in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to obtain sensitive information via a crafted document, aka "Windows Graphics Component Information Disclosure Vulnerability," a different vulnerability than CVE-2016-0169.

Affected

14 ranges (the version range and fixed-in columns are not populated on the page)

Vendor      Product
microsoft   windows_10
microsoft   windows_server_2008
microsoft   windows_server_2012
msrc        windows_10
msrc        windows_10_version_1511
msrc        windows_7
msrc        windows_8.1
msrc        windows_rt_8.1
msrc        windows_server_2008
msrc        windows_server_2008_r2
msrc        windows_server_2012
msrc        windows_server_2012_r2
msrc        windows_vista_service_pack_2
msrc        windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

filename: oob.emf
filename: notepad_leak.emf
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39832.zip
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles (Microsoft's documented workaround value for disabling metafile processing)
  • Flag EMF files containing an EMR_CREATECOLORSPACEW record whose cbData field (at record offset 0x25c) is large enough that cbData + 0x263 wraps the 32-bit length check, or whose record length is below 0x24c (588) bytes, the size of the embedded LOGCOLORSPACEW structure. Either condition indicates a crafted EMF targeting CVE-2016-0168.
  • Watch for processes that render EMF content (e.g. Internet Explorer, iexplore.exe) holding an abnormally high number of GDI handles, approaching the 10,000 per-process default, after rendering a single image. The file-existence side channel works by flooding the metafile with EMR_CREATECOLORSPACE records so that a successful profile lookup exhausts the handle quota and the rendering outcome reveals whether the probed file exists.
  • Watch for outbound SMB connections from a GDI client process during EMF rendering: the CreateFileW call that gdi32.dll makes on the ICM profile path can be pointed at an attacker-controlled UNC path via a `\\?\` prefix in lcsFilename, which triggers NTLM authentication to the attacker's server and exposes the NTLM hash.
  • Caveat: the handle-exhaustion technique assumes the default per-process GDI handle quota of 10,000. If that quota has been changed, the number of EMR_CREATECOLORSPACE records needed to exhaust it changes with it.
  • Caveat: the EMR_SETICMPROFILEA and EMR_SETICMPROFILEW record handlers also call BuildIcmProfilePath(), so the path-handling issues described for EMR_CREATECOLORSPACEW may apply to them as well; a detection keyed only on the CREATECOLORSPACEW record type will miss that variant.
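The record-level checks from the first bullet, the UNC path check and the record-flooding heuristic, as a static scanner. This is an added example written for this page, not code from the page's sources or from the Exploit-DB proof-of-concept. The EMR type values and field offsets are taken from the EMF specification ([MS-EMF]: EMR_CREATECOLORSPACEW is type 0x7A, the embedded LOGCOLORSPACEW is 0x24C bytes, so cbData sits at +0x25C and lcsFilename at +0x50); the flood threshold of 1,000 records and the sample files the block builds are assumptions chosen for illustration.

```python
"""Static triage of EMF files for the EMR_CREATECOLORSPACEW conditions listed above.

Added example, not code from the page's sources or the public PoC.  Record layout
follows [MS-EMF]; FLOOD_THRESHOLD and the constructed sample files are assumptions.
"""
import struct

EMR_HEADER = 0x01
EMR_EOF = 0x0E
EMR_CREATECOLORSPACE = 0x63            # ANSI variant, same handle cost per record
EMR_CREATECOLORSPACEW = 0x7A

LOGCOLORSPACEW_SIZE = 0x24C            # 588 bytes: the structure embedded in the record
CBDATA_OFFSET = 0x25C                  # Type(4)+Size(4)+ihCS(4)+lcs(0x24C)+dwFlags(4)
FIXED_RECORD_SIZE = CBDATA_OFFSET + 4  # 0x260: smallest record that still contains cbData
LCSFILENAME_OFFSET = 0x50              # 12 bytes of record header + 68 fixed lcs bytes
LCSFILENAME_BYTES = 260 * 2            # WCHAR lcsFilename[MAX_PATH]
OVERFLOW_ADDEND = 0x263                # constant the length check adds to cbData
FLOOD_THRESHOLD = 1000                 # assumed; the default GDI handle quota is 10,000


def iter_records(data: bytes):
    """Walk EMR records; yield (offset, type, size, body). body is None on a bad size."""
    off = 0
    while off + 8 <= len(data):
        rtype, rsize = struct.unpack_from("<II", data, off)
        if rsize < 8 or rsize % 4 or off + rsize > len(data):
            yield off, rtype, rsize, None
            return
        yield off, rtype, rsize, data[off:off + rsize]
        if rtype == EMR_EOF:
            return
        off += rsize


def scan_emf(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    colorspace_records = 0
    for off, rtype, rsize, body in iter_records(data):
        if body is None:
            findings.append(f"0x{off:x}: malformed record size 0x{rsize:x}")
            break
        if rtype in (EMR_CREATECOLORSPACE, EMR_CREATECOLORSPACEW):
            colorspace_records += 1
        if rtype != EMR_CREATECOLORSPACEW:
            continue
        if rsize < FIXED_RECORD_SIZE:
            # Shorter than the fixed fields: cbData (and part of lcs) lies outside the record.
            findings.append(f"0x{off:x}: CREATECOLORSPACEW truncated, size 0x{rsize:x} < 0x{FIXED_RECORD_SIZE:x}")
            continue
        (cbdata,) = struct.unpack_from("<I", body, CBDATA_OFFSET)
        if ((cbdata + OVERFLOW_ADDEND) & 0xFFFFFFFF) < cbdata:
            findings.append(f"0x{off:x}: cbData 0x{cbdata:x} wraps 32-bit when 0x{OVERFLOW_ADDEND:x} is added")
        elif cbdata > rsize - FIXED_RECORD_SIZE:
            findings.append(f"0x{off:x}: cbData 0x{cbdata:x} exceeds the record's trailing data")
        raw = body[LCSFILENAME_OFFSET:LCSFILENAME_OFFSET + LCSFILENAME_BYTES]
        name = raw.decode("utf-16-le", "replace").split("\x00", 1)[0]
        if name.startswith("\\\\"):  # covers both \\server\share and the \\?\ device prefix
            findings.append(f"0x{off:x}: lcsFilename is a UNC/device path: {name!r}")
    if colorspace_records >= FLOOD_THRESHOLD:
        findings.append(f"{colorspace_records} colour-space records: possible GDI handle flooding")
    return findings


def _record(rtype: int, body: bytes) -> bytes:
    """Wrap a record body in the 8-byte EMR header, padded to 4 bytes as EMF requires."""
    pad = (-(8 + len(body))) % 4
    return struct.pack("<II", rtype, 8 + len(body) + pad) + body + b"\x00" * pad


def build_sample(filename: str, cbdata: int, copies: int = 1) -> bytes:
    """Constructed test file: minimal EMR_HEADER, N CREATECOLORSPACEW records, EMR_EOF."""
    lcs = bytearray(LOGCOLORSPACEW_SIZE)
    struct.pack_into("<III", lcs, 0, 0x50534F43, 0x400, LOGCOLORSPACEW_SIZE)  # 'PSOC', v4, size
    name = filename.encode("utf-16-le")[:LCSFILENAME_BYTES - 2]
    lcs[68:68 + len(name)] = name                      # lcsFilename starts 68 bytes into lcs
    rec = _record(EMR_CREATECOLORSPACEW,
                  struct.pack("<I", 1) + bytes(lcs) + struct.pack("<II", 0, cbdata))
    return _record(EMR_HEADER, bytes(80)) + rec * copies + _record(EMR_EOF, bytes(12))


if __name__ == "__main__":
    for label, sample in [
        ("benign", build_sample("sRGB Color Space Profile.icm", 0)),
        ("crafted", build_sample(r"\\attacker\share\x.icm", 0xFFFFFFF0)),
        ("flood", build_sample("x.icm", 0, copies=FLOOD_THRESHOLD)),
    ]:
        print(label, scan_emf(sample) or ["clean"])
```

Run it over a suspect file with `scan_emf(open(path, "rb").read())`. The wrap check mirrors the bullet's condition exactly; the "exceeds trailing data" branch is an extra sanity check that catches a cbData that is merely larger than the record without wrapping, which the bullet does not call out but which a parser would also mishandle.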

CVSS provenance

Source        Version  Score  Severity  Vector
nvd           v3.0     6.5    MEDIUM    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvd           v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:P/I:N/A:N
vendor_msrc            6.5    HIGH