CVE-2017-0038
published 2017-02-20
Priority: P352 · medium · CVSS 3.0 base score 5.5
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EXPLOIT: public exploit referenced
EPSS: 82.10% (99.6th percentile)
gdi32.dll in Graphics Device Interface (GDI) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to obtain sensitive information from process heap memory via a crafted EMF file, as demonstrated by an EMR_SETDIBITSTODEVICE record with modified Device Independent Bitmap (DIB) dimensions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3216, CVE-2016-3219, and/or CVE-2016-3220.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- Detect crafted EMF files containing an EMR_SETDIBITSTODEVICE record where the declared DIB dimensions (e.g. 16x16) are inconsistent with the actual bitmap data size (e.g. only 4 bytes present for a 24bpp image), indicating heap out-of-bounds read exploitation.
- Monitor for EMF files embedded in Office documents (e.g. .docx) delivered remotely, as the vulnerability can be triggered via Office Online to exfiltrate heap memory to a remote attacker.
- Flag EMF records where cbBitsSrc is smaller than the value required by the declared bitmap dimensions and bit depth (width × height × bytes per pixel), specifically in EMR_SETDIBITSTODEVICE records; the missing bounds check (condition #3) is the root cause.
- Audit all EMF DIB-embedding record handlers for missing bounds checks on the offBmiSrc, cbBmiSrc, offBitsSrc and cbBitsSrc fields; affected record types include EMR_ALPHABLEND, EMR_BITBLT, EMR_MASKBLT, EMR_PLGBLT, EMR_STRETCHBLT, EMR_TRANSPARENTBLT, EMR_SETDIBITSTODEVICE, EMR_STRETCHDIBITS, EMR_CREATEMONOBRUSH, EMR_EXTCREATEPEN.
- Note: the vulnerability is an incomplete fix for prior CVEs; systems patched for MS16-074 (CVE-2016-3216, CVE-2016-3219, CVE-2016-3220) may still be vulnerable via EMR_SETDIBITSTODEVICE specifically, as that record's handler was not fully remediated.
- Note: exploitation does not require local logon in all scenarios; the MSRC description references a locally run application, but the researcher confirmed remote exploitation via Office Online with a crafted .docx, meaning network-accessible GDI rendering surfaces are also an attack vector.
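The cbBitsSrc consistency check from the detection notes above, as an added example in Python (not code from this page or from any of the cited sources): it walks an EMF record stream and, for each EMR_SETDIBITSTODEVICE record, compares the pixel bytes an uncompressed DIB of the declared dimensions needs (rows padded to 4-byte boundaries, as the BMP format requires) against cbBitsSrc, flagging records that fall short. The 76-byte fixed record layout and field offsets follow MS-EMF; the sample streams are constructed inline and are not real files.

```python
import struct

EMR_HEADER, EMR_EOF, EMR_SETDIBITSTODEVICE = 0x01, 0x0E, 0x50  # MS-EMF record types
BI_RGB = 0          # uncompressed DIB
FIXED_HDR = 76      # EMR_SETDIBITSTODEVICE bytes before the BitmapBuffer
def dib_bytes_required(width, height, bit_count):
    """Pixel bytes an uncompressed DIB needs; each row is padded to a 4-byte boundary."""
    return ((abs(width) * bit_count + 31) // 32) * 4 * abs(height)
def check_setdibitstodevice(rec):
    """Return a finding string for one EMR_SETDIBITSTODEVICE record, or None if consistent."""
    if len(rec) < FIXED_HDR:
        return "record shorter than its 76-byte fixed header"
    off_bmi, cb_bmi, off_bits, cb_bits = struct.unpack_from("<IIII", rec, 48)
    # offsets are relative to the record start; header and bits must both lie inside it
    if cb_bmi < 40 or off_bmi + cb_bmi > len(rec) or off_bits + cb_bits > len(rec):
        return "BMI header short/missing, or BMI/bits region points outside the record"
    _, width, height, _, bit_count, compression = struct.unpack_from("<IiiHHI", rec, off_bmi)
    if compression != BI_RGB:
        return None  # compressed DIBs follow a different size rule, not covered here
    needed = dib_bytes_required(width, height, bit_count)
    if cb_bits < needed:
        return f"DIB {width}x{height}@{bit_count}bpp needs {needed} bytes, cbBitsSrc={cb_bits}"
def scan_emf(data):
    """Walk the EMF record stream; return [(record offset, finding), ...]."""
    findings, off = [], 0
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or off + size > len(data):
            findings.append((off, "truncated or malformed record"))
            break
        if rtype == EMR_SETDIBITSTODEVICE:
            finding = check_setdibitstodevice(data[off:off + size])
            if finding:
                findings.append((off, finding))
        if rtype == EMR_EOF:
            break
        off += size
    return findings
def build_record(width, height, bit_count, bits):
    """Constructed EMR_SETDIBITSTODEVICE record with a 40-byte BITMAPINFOHEADER (test input)."""
    bmi = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bit_count, BI_RGB, 0, 0, 0, 0, 0)
    off_bits = FIXED_HDR + len(bmi)
    rec = struct.pack("<II", EMR_SETDIBITSTODEVICE, off_bits + len(bits)) + bytes(16)  # Bounds
    rec += struct.pack("<6i", 0, 0, 0, 0, width, height)  # xDest, yDest, xSrc, ySrc, cxSrc, cySrc
    rec += struct.pack("<7I", FIXED_HDR, len(bmi), off_bits, len(bits), 0, 0, height)
    return rec + bmi + bits
# Constructed minimal EMF streams (not real files): EMR_HEADER, one DIB record, EMR_EOF.
_HDR, _EOF = struct.pack("<II", EMR_HEADER, 88) + bytes(80), struct.pack("<II", EMR_EOF, 20) + bytes(12)
SUSPECT_EMF = _HDR + build_record(16, 16, 24, bytes(4)) + _EOF   # 16x16 @ 24bpp, only 4 data bytes
BENIGN_EMF = _HDR + build_record(2, 2, 24, bytes(16)) + _EOF     # 2 rows x 8 padded bytes = 16
```

Running `scan_emf(SUSPECT_EMF)` reports the record at offset 88 as needing 768 bytes against a cbBitsSrc of 4, while the benign stream yields no findings.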
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| vendor_msrc | — | 4.4 | MEDIUM | — |
GHSA
GHSA-hv82-656f-m543: gdi32
ghsa_unreviewed · 2022-05-17 · CVSS 4.3 · CVE-2017-0038 [MEDIUM] · CWE-200
Microsoft
Windows GDI Information Disclosure Vulnerability
vendor_msrc · 2017-03-14 · CVSS 4.4 · CVE-2017-0038 [MEDIUM]
Description: A Win32k information disclosure vulnerability exists when the Windows GDI component improperly discloses kernel memory addresses. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.
To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.
The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.
FAQ: Does this release cont
No detection rules found.
References
- http://www.securityfocus.com/bid/96023
- http://www.securitytracker.com/id/1037845
- https://0patch.blogspot.com/2017/02/0patching-0-day-windows-gdi32dll-memory.html
- https://bugs.chromium.org/p/project-zero/issues/detail?id=992
- https://github.com/k0keoyo/CVE-2017-0038-EXP-C-JS
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0038
- https://www.exploit-db.com/exploits/41363/