How to mitigate symbolic link attacks on Windows?

TL;DR: SymlinkProtect is a custom minifilter driver for Windows, written in C++, that is loaded into the file system driver stack as a filter driver. From there it sees the reparse-point operations issued by user-mode applications and blocks attempts to set a mount-point reparse point on a directory whose target is a suspicious object-manager directory such as \RPC Control. \RPC Control matters because any user can create object-manager symbolic links inside it, which makes it the usual staging area for file path redirection attacks.

Motivation: Microsoft has recently added a hard link mitigation to Windows and is actively working on mitigations for the other attacks that redirect file paths through junctions or mount points.
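The decision a filter like SymlinkProtect has to make when it sees FSCTL_SET_REPARSE_POINT, written here as an added user-mode C example rather than the driver's own code: it parses the mount-point form of REPARSE_DATA_BUFFER (byte layout as declared in ntifs.h) and denies any substitute name that is \RPC Control or lies beneath it, the one target the post names. The \??\GLOBALROOT normalisation, the denial of malformed buffers, and the build_mount_point / check_* helpers are this example's own additions and assumptions, not part of the post. In a real minifilter the same logic would run in the IRP_MJ_FILE_SYSTEM_CONTROL pre-operation callback over the request's input buffer, and a denied result would be returned by completing the request with STATUS_ACCESS_DENIED.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag for NTFS junctions / mount points (IO_REPARSE_TAG_MOUNT_POINT in ntifs.h). */
#define IO_REPARSE_TAG_MOUNT_POINT 0xA0000003u

/* Mount-point form of REPARSE_DATA_BUFFER as handed to FSCTL_SET_REPARSE_POINT:
 * ReparseTag(4) ReparseDataLength(2) Reserved(2), then SubstituteNameOffset(2)
 * SubstituteNameLength(2) PrintNameOffset(2) PrintNameLength(2), then PathBuffer
 * (UTF-16LE; the offsets are byte offsets relative to PathBuffer). */
#define RDB_HEADER_LEN    8
#define RDB_MP_HEADER_LEN 8
#define RDB_PATHBUF_OFF   (RDB_HEADER_LEN + RDB_MP_HEADER_LEN)

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static int lower_ascii(int c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }

/* Case-insensitive test that a UTF-16LE string of `units` code units starts with an
 * ASCII prefix; returns the number of units matched, or 0 on mismatch. */
static size_t utf16_has_prefix(const uint8_t *w, size_t units, const char *prefix)
{
    size_t n = strlen(prefix);
    if (units < n) return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t cu = rd16(w + 2 * i);
        if (cu > 0x7F || lower_ascii(cu) != lower_ascii((unsigned char)prefix[i])) return 0;
    }
    return n;
}

/* Policy check over the FSCTL input buffer. Returns 1 when the buffer is a mount point
 * whose substitute name lands in a denied object-manager directory, 0 when it is
 * allowed (or not a mount point at all), -1 when malformed (also a reason to reject). */
int mount_point_is_denied(const uint8_t *buf, size_t len)
{
    if (len < RDB_PATHBUF_OFF) return -1;
    if (rd32(buf) != IO_REPARSE_TAG_MOUNT_POINT) return 0;
    size_t data_len = rd16(buf + 4);
    if (RDB_HEADER_LEN + data_len > len) return -1;              /* claims more than was sent */
    size_t sub_off = rd16(buf + 8), sub_len = rd16(buf + 10);
    if (sub_len % 2 != 0 || RDB_MP_HEADER_LEN + sub_off + sub_len > data_len) return -1;

    const uint8_t *sub = buf + RDB_PATHBUF_OFF + sub_off;
    size_t units = sub_len / 2;

    /* \??\GLOBALROOT is an object-manager symbolic link to the root directory, so strip
     * it (keeping its trailing backslash); a raw compare on "\RPC Control" would miss it. */
    size_t m = utf16_has_prefix(sub, units, "\\??\\GLOBALROOT\\");
    if (m) { sub += 2 * (m - 1); units -= (m - 1); }

    /* Denied target from the post: \RPC Control itself or anything beneath it. Require
     * end-of-string or a separator after it so that "\RPC Controller" does not match. */
    m = utf16_has_prefix(sub, units, "\\RPC Control");
    if (m && (units == m || rd16(sub + 2 * m) == '\\')) return 1;
    return 0;
}

/* Build a mount-point REPARSE_DATA_BUFFER from ASCII names: constructed sample input
 * standing in for what a caller passes to FSCTL_SET_REPARSE_POINT. Returns the total
 * length, or 0 if `cap` is too small. Both names are stored NUL-terminated. */
size_t build_mount_point(uint8_t *out, size_t cap, const char *subst, const char *print)
{
    size_t sl = strlen(subst), pl = strlen(print);
    size_t data_len = RDB_MP_HEADER_LEN + 2 * (sl + 1 + pl + 1);
    size_t total = RDB_HEADER_LEN + data_len;
    if (total > cap || data_len > 0xFFFF) return 0;
    memset(out, 0, total);
    out[0] = 0x03; out[1] = 0x00; out[2] = 0x00; out[3] = 0xA0;  /* tag, little-endian */
    wr16(out + 4, (uint16_t)data_len);                           /* Reserved stays 0 */
    wr16(out + 8, 0);                          wr16(out + 10, (uint16_t)(2 * sl));
    wr16(out + 12, (uint16_t)(2 * (sl + 1)));  wr16(out + 14, (uint16_t)(2 * pl));
    uint8_t *pb = out + RDB_PATHBUF_OFF;
    for (size_t i = 0; i < sl; i++) wr16(pb + 2 * i, (unsigned char)subst[i]);
    for (size_t i = 0; i < pl; i++) wr16(pb + 2 * (sl + 1 + i), (unsigned char)print[i]);
    return total;
}

/* Wrappers used by main() and the tests: build a buffer and run the policy on it. */
int check_target(const char *subst)
{
    uint8_t buf[512];
    size_t n = build_mount_point(buf, sizeof buf, subst, "printname");
    return n ? mount_point_is_denied(buf, n) : -1;
}
int check_truncated(void)   /* ReparseDataLength says more bytes than the caller supplied */
{
    uint8_t buf[512];
    size_t n = build_mount_point(buf, sizeof buf, "\\RPC Control\\x", "x");
    return mount_point_is_denied(buf, n - 1);
}
int check_other_tag(void)   /* IO_REPARSE_TAG_SYMLINK (0xA000000C) is outside this policy */
{
    uint8_t buf[512];
    size_t n = build_mount_point(buf, sizeof buf, "\\RPC Control\\x", "x");
    buf[0] = 0x0C;
    return mount_point_is_denied(buf, n);
}

int main(void)
{
    const char *targets[] = { "\\RPC Control\\evil", "\\??\\GLOBALROOT\\rpc control\\evil",
                              "\\??\\C:\\Windows\\Temp", "\\RPC Controller" };
    for (size_t i = 0; i < 4; i++) printf("%-40s -> %d\n", targets[i], check_target(targets[i]));
    return 0;
}
```

Two points to carry into a kernel implementation: the length checks come before any use of the offsets because the buffer is caller-controlled, and the match is done on the normalised NT path rather than on a byte-for-byte string, since the object manager accepts several spellings of the same target.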

NULL pointer dereference in Windows GDI bParseWin32MetaFile

TL;DR: A denial of service vulnerability exists when Windows GDI improperly handles objects in memory. Converting a specially crafted EMF file to WMF may trigger a read access violation due to a NULL pointer dereference and so allow denial of service.

Description: Calling the Metafile::EmfToWmfBits() method on a specially crafted EMF file may trigger a NULL pointer dereference (a read access violation) in bGetNextRecord(), called from bParseWin32Metafile(). Below is the relevant excerpt of the crash analysis from WinDbg:

Write access violation in Windows GDI DocumentEvent

TL;DR: A denial of service vulnerability exists when Windows GDI improperly handles objects in memory. Processing a specially crafted picture may trigger a write access violation when the device context is associated with a printer.

Description: While looking into old GDI+ vulnerabilities, I came across a write access violation similar to CVE-2016-0169 and CVE-2016-0170. Calling PlayEnhMetaFile() with a printer device context and a specially crafted EMF file may lead to memory corruption triggered in the PROXYPORT::DocumentEvent() function.