cbcvebase.
CVE-2016-0169
published 2016-05-11

CVE-2016-0169: GDI in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and…

Priority: P3 · 56 · medium · 6.5 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 43.25% (98.6th percentile)
GDI in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to obtain sensitive information via a crafted document, aka "Windows Graphics Component Information Disclosure Vulnerability," a different vulnerability than CVE-2016-0168.

Affected

14 ranges

Vendor     | Product                                   | Version range | Fixed in
microsoft  | windows_10                                |               |
microsoft  | windows_server_2008                       |               |
microsoft  | windows_server_2012                       |               |
msrc       | windows_10                                |               |
msrc       | windows_10_version_1511                   |               |
msrc       | windows_7                                 |               |
msrc       | windows_8.1                               |               |
msrc       | windows_rt_8.1                            |               |
msrc       | windows_server_2008                       |               |
msrc       | windows_server_2008_r2                    |               |
msrc       | windows_server_2012                       |               |
msrc       | windows_server_2012_r2                    |               |
msrc       | windows_vista_service_pack_2              |               |
msrc       | windows_vista_x64_edition_service_pack_2  |               |

Detection & IOCs (extracted from sources)

filename: poc3.emf
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39833.zip
path: C:\Windows\SysWOW64\gdi32.dll
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • Detect crafted EMF files with anomalously large EMR_COMMENT_MULTIFORMATS.CountFormats or Size fields (e.g. 0x70707070) that trigger integer overflow in MRGDICOMMENT::bPlay() leading to heap out-of-bounds read in gdi32.dll
  • Monitor for access violations or crashes in GDI32!MRGDICOMMENT::bPlay, GDI32!MF_GdiComment, or GDI32!PlayEnhMetaFileRecord call stacks, which indicate exploitation of the COMMENT_MULTIFORMATS EMF record parsing bug
  • Flag documents or web pages that trigger PlayEnhMetaFile() with EMF files containing COMMENT_MULTIFORMATS records, particularly when delivered via Internet Explorer or Office documents
  • The DisableMetaFiles registry workaround applies only to Windows Vista and Windows Server 2008; it is not applicable to all affected OS versions listed in the CVE
  • Enabling DisableMetaFiles=1 will break printing and OLE rendering and may cause significant application functionality loss; test carefully before deploying
  • The exploit analysis was performed on a 32-bit (SysWOW64) gdi32.dll; behavior on 64-bit native gdi32.dll may differ
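As an added illustration of the first detection bullet (this is not code from this record or from any of its sources), the following Python walks an EMF record stream and flags GDIC MULTIFORMATS comment records whose CountFormats value, or whose per-format offData/SizeData pair, does not fit inside the comment's DataSize. The record types and identifier constants are taken from MS-EMF; treating offData as relative to the CommentIdentifier field is my reading of that spec and is marked as an assumption in the code, and the sample files produced by build_emf() are constructed here, not captured from poc3.emf. It does not reproduce the gdi32.dll parser, only the bounds arithmetic a file scanner would apply, done in Python integers so a 32-bit wraparound cannot hide an out-of-range size.

```python
import struct

# EMF record types and comment identifiers (MS-EMF)
EMR_HEADER = 1
EMR_EOF = 14
EMR_COMMENT = 70
GDIC = 0x43494447                    # b"GDIC" read as a little-endian DWORD
EMR_COMMENT_MULTIFORMATS = 0x40000004
EMRFORMAT_SIZE = 16                  # Signature, Version, SizeData, offData


def iter_records(data):
    """Yield (offset, type, body) per EMF record; body is None on a bad size."""
    off = 0
    while off + 8 <= len(data):
        rtype, rsize = struct.unpack_from("<II", data, off)
        if rsize < 8 or rsize % 4 or off + rsize > len(data):
            yield off, rtype, None   # size field cannot be trusted
            return
        yield off, rtype, data[off + 8:off + rsize]
        if rtype == EMR_EOF:
            return
        off += rsize


def check_comment(off, body):
    """Findings for a GDIC MULTIFORMATS comment whose sizes do not add up."""
    findings = []
    if len(body) < 32:
        return findings              # too short to carry CountFormats at all
    data_size, ident, pub_ident = struct.unpack_from("<III", body, 0)
    if ident != GDIC or pub_ident != EMR_COMMENT_MULTIFORMATS:
        return findings
    # DataSize counts bytes from CommentIdentifier to the end of the comment;
    # clamp to what the record actually contains.
    avail = min(data_size, len(body) - 4)
    count = struct.unpack_from("<I", body, 28)[0]
    # Python ints never wrap, so count * 16 cannot overflow as a DWORD would
    table_end = 28 + count * EMRFORMAT_SIZE     # aFormats starts 28 bytes in
    if table_end > avail:
        findings.append(f"@{off}: CountFormats=0x{count:x} needs {table_end} "
                        f"bytes of format table, comment has {avail}")
        return findings
    for i in range(count):
        _sig, _ver, size_data, off_data = struct.unpack_from(
            "<IIII", body, 32 + i * EMRFORMAT_SIZE)
        # ASSUMPTION: offData is measured from the CommentIdentifier field
        if off_data % 4 or off_data + size_data > avail:
            findings.append(f"@{off}: aFormats[{i}] offData=0x{off_data:x} "
                            f"SizeData=0x{size_data:x} exceeds {avail} bytes")
    return findings


def scan_emf(data):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    records = list(iter_records(data))
    if not records or records[0][1] != EMR_HEADER:
        return ["not an EMF: first record is not EMR_HEADER"]
    for off, rtype, body in records:
        if body is None:
            findings.append(f"@{off}: malformed record size")
        elif rtype == EMR_COMMENT:
            findings.extend(check_comment(off, body))
    return findings


def build_emf(count, size_data, off_data):
    """Constructed sample: stub header, one GDIC MULTIFORMATS comment, EOF."""
    header = struct.pack("<II", EMR_HEADER, 108) + b"\0" * 100
    payload = (struct.pack("<II", GDIC, EMR_COMMENT_MULTIFORMATS)
               + b"\0" * 16                                   # OutputRect
               + struct.pack("<I", count)                     # CountFormats
               + struct.pack("<IIII", 0, 1, size_data, off_data)  # one EmrFormat
               + b"\0" * 4)                                   # 4 bytes of data
    comment = struct.pack("<III", EMR_COMMENT, 12 + len(payload), len(payload)) + payload
    eof = struct.pack("<II", EMR_EOF, 20) + b"\0" * 12
    return header + comment + eof


if __name__ == "__main__":
    print("benign :", scan_emf(build_emf(1, 4, 44)))
    print("count  :", scan_emf(build_emf(0x70707070, 4, 44)))
    print("wrap   :", scan_emf(build_emf(1, 0xFFFFFFF0, 44)))
```

The third sample is the case the bullet's "Size" wording points at: offData 44 plus SizeData 0xFFFFFFF0 wraps to 28 in 32-bit arithmetic and would pass a naive `off + size <= DataSize` check, whereas the unbounded comparison here flags it. Running this over files written to a quarantine or mail-gateway directory is a practical way to surface the anomalous values before a document ever reaches PlayEnhMetaFile().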

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 6.5   | MEDIUM   | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvd           | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:N/A:N
vendor_msrc   |         | 6.5   | HIGH     |
vendor_redhat |         | 2.6   | LOW      |