CVE-2016-0170
published 2016-05-11

Priority: P274 high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 48.59% (98.7th percentile)
GDI in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted document, aka "Windows Graphics Component RCE Vulnerability."

Affected (14 ranges)

Vendor     Product                                   Version range   Fixed in
microsoft  windows_10
microsoft  windows_server_2008
microsoft  windows_server_2012
msrc       windows_10
msrc       windows_10_version_1511
msrc       windows_7
msrc       windows_8.1
msrc       windows_rt_8.1
msrc       windows_server_2008
msrc       windows_server_2008_r2
msrc       windows_server_2012
msrc       windows_server_2012_r2
msrc       windows_vista_service_pack_2
msrc       windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

filename: gdi32.dll
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39834.zip
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • Detect heap buffer overflow triggered via EMR_EXTESCAPE EMF record processed by gdi32.dll ExtEscape(); monitor for crafted EMF files using the EMR_EXTESCAPE record type with cjInput values in the range of -23 to -1 (0xFFFFFFE9–0xFFFFFFFF) to trigger integer overflow in allocation size
  • Monitor call stack for ntdll!memcpy called from GDI32!ExtEscape, GDI32!MRESCAPE::bPlay, and GDI32!PlayEnhMetaFileRecord — this chain is indicative of exploitation via a crafted EMF document
  • Monitor for exploitation via POSTSCRIPT_IDENTIFY or POSTSCRIPT_INJECTION escape codes in ExtEscape() calls on printer Device Contexts, which are the vulnerable code paths for this heap overflow
  • Flag delivery of crafted EMF/document files via email attachments or web links; the Preview Pane in affected Microsoft Office products is also an attack vector and should be monitored
  • The workaround registry key DisableMetaFiles=1 disables metafile processing system-wide and may break printing, Clipart display, and OLE rendering — evaluate carefully before deploying
  • The vulnerability affects both 32-bit and 64-bit builds of gdi32.dll; the PoC was confirmed on 64-bit Windows 7 using a 32-bit process

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.0     8.8    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc           8.8    CRITICAL