CVE-2017-0038
published 2017-02-20


Priority: P3 (52), medium
CVSS 3.0: 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Exploit: public exploit available
EPSS: 82.10% (99.6th percentile)
gdi32.dll in Graphics Device Interface (GDI) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to obtain sensitive information from process heap memory via a crafted EMF file, as demonstrated by an EMR_SETDIBITSTODEVICE record with modified Device Independent Bitmap (DIB) dimensions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3216, CVE-2016-3219, and/or CVE-2016-3220.

Affected

17 ranges

Vendor      Product                                      Version range   Fixed in
microsoft   windows_10
microsoft   windows_10
microsoft   windows_server_2008
microsoft   windows_server_2012
msrc        windows_10
msrc        windows_10_version_1511
msrc        windows_10_version_1607
msrc        windows_7
msrc        windows_8.1
msrc        windows_rt_8.1
msrc        windows_server_2008
msrc        windows_server_2008_r2
msrc        windows_server_2012
msrc        windows_server_2012_r2
msrc        windows_server_2016
msrc        windows_vista_service_pack_2
msrc        windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41363.zip
Process: MRSETDIBITSTODEVICE::bPlay
  • Detect crafted EMF files containing an EMR_SETDIBITSTODEVICE record where the declared DIB dimensions (e.g. 16x16) are inconsistent with the actual bitmap data size (e.g. only 4 bytes present for a 24bpp image), indicating heap out-of-bounds read exploitation.
  • Monitor for EMF files embedded in Office documents (e.g. .docx) delivered remotely, as the vulnerability can be triggered via Office Online to exfiltrate heap memory to a remote attacker.
  • Flag EMF records where cbBitsSrc is smaller than the value required by the declared bitmap dimensions and bit-depth (width × height × bytes-per-pixel), specifically in EMR_SETDIBITSTODEVICE records; the missing bounds check (condition #3) is the root cause.
  • Audit all EMF DIB-embedding record handlers for missing bounds checks on offBmiSrc, cbBmiSrc, offBitsSrc, cbBitsSrc fields; affected record types include EMR_ALPHABLEND, EMR_BITBLT, EMR_MASKBLT, EMR_PLGBLT, EMR_STRETCHBLT, EMR_TRANSPARENTBLT, EMR_SETDIBITSTODEVICE, EMR_STRETCHDIBITS, EMR_CREATEMONOBRUSH, EMR_EXTCREATEPEN.
  • The vulnerability is an incomplete fix for prior CVEs; systems patched for MS16-074 (CVE-2016-3216, CVE-2016-3219, CVE-2016-3220) may still be vulnerable via EMR_SETDIBITSTODEVICE specifically, as that record's handler was not fully remediated.
  • Exploitation does not require local logon in all scenarios: the MSRC description references a locally run application, but the researcher confirmed remote exploitation via Office Online with a crafted .docx, meaning network-accessible GDI rendering surfaces are also an attack vector.
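An added example (not part of this record or its sources) of the cbBitsSrc consistency check described in the bullets above, in Python: it walks the EMF record chain, picks out EMR_SETDIBITSTODEVICE records and compares the dimensions and bit depth declared in the embedded BITMAPINFOHEADER against cbBitsSrc, using the DWORD-padded row stride that uncompressed DIBs actually occupy. The record layout (type 0x50, a 76-byte fixed part, offsets relative to the record start) is taken from the MS-EMF specification as I recall it, not from the page, and the two sample records are constructed inline.

```python
import struct

EMR_SETDIBITSTODEVICE = 0x50  # record type number per MS-EMF (recalled, not from the page)

def dib_required_bytes(width, height, bit_count):
    """Bytes an uncompressed DIB needs: every row is padded to a 4-byte boundary."""
    return ((width * bit_count + 31) // 32) * 4 * abs(height)

def check_setdibitstodevice(rec):
    """Return a finding if cbBitsSrc cannot cover the DIB the header declares, else None."""
    if len(rec) < 76:
        return "record shorter than the 76-byte fixed part"
    # Fixed part: Type, Size, Bounds(16), xDest, yDest, xSrc, ySrc, cxSrc, cySrc, then the DIB fields
    off_bmi, cb_bmi, off_bits, cb_bits = struct.unpack_from("<IIII", rec, 48)
    if cb_bmi < 40 or off_bmi + 40 > len(rec):
        return "BITMAPINFOHEADER not contained in the record"
    # BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression
    _, width, height, _, bit_count, compression = struct.unpack_from("<IiiHHI", rec, off_bmi)
    if compression != 0:  # BI_RGB only; compressed DIBs have no fixed size and are out of scope
        return None
    if off_bits + cb_bits > len(rec):
        return "offBitsSrc/cbBitsSrc reach past the end of the record"
    required = dib_required_bytes(width, height, bit_count)
    if cb_bits < required:
        return f"{width}x{height}@{bit_count}bpp needs {required} bytes but cbBitsSrc={cb_bits}"
    return None

def scan_emf(data):
    """Walk the (Type, Size) record chain and collect findings for EMR_SETDIBITSTODEVICE."""
    findings, off = [], 0
    while off + 8 <= len(data):
        rec_type, size = struct.unpack_from("<II", data, off)
        if size < 8 or off + size > len(data):
            break  # corrupt or truncated Size: stop instead of over-reading
        if rec_type == EMR_SETDIBITSTODEVICE:
            finding = check_setdibitstodevice(data[off:off + size])
            if finding:
                findings.append((off, finding))
        off += size
    return findings

def build_record(width, height, bit_count, bits):
    """Constructed EMR_SETDIBITSTODEVICE record used as sample input (not from a real file)."""
    bmi = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bit_count, 0, len(bits), 0, 0, 0, 0)
    size = (76 + len(bmi) + len(bits) + 3) & ~3  # EMF record sizes are multiples of 4
    hdr = struct.pack("<II4i6i7I", EMR_SETDIBITSTODEVICE, size, 0, 0, width, height, 0, 0, 0, 0,
                      width, height, 76, len(bmi), 76 + len(bmi), len(bits), 0, 0, height)
    return (hdr + bmi + bits).ljust(size, b"\x00")

# Constructed samples: the 16x16 24bpp DIB with only 4 bytes of pixels from the description, and a complete one.
CRAFTED = build_record(16, 16, 24, b"\x00" * 4)
BENIGN = build_record(16, 16, 24, bytes(dib_required_bytes(16, 16, 24)))
```

Running scan_emf over a whole .emf file (after the 88-byte EMR_HEADER, which the loop skips as an ordinary record) reports the offset of each undersized record; a real scanner would also apply the same check to the other DIB-embedding record types listed above.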

CVSS provenance

NVD v3.0: 5.5 MEDIUM (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
NVD v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Vendor (MSRC): 4.4 MEDIUM