Microsoft Patches Code Execution Vulnerability in wimgapi Library
16.6.18 securityweek
Vulnerebility

Microsoft this week patched a remote code execution vulnerability affecting the wimgapi library, which is used to perform operations on Windows Imaging Format (WIM) files.

Addressed as part of Microsoft’s June 18 Patch Tuesday, the issue was discovered by Talos’ Marcin Noga in the LoadIntegrityInfo functions of wimgapi version 10.0.16299.15 (WinBuild.160101.0800). An attacker exploiting the flaw could use a specially crafted WIM image to cause heap corruption and achieve direct code execution.

Tracked as CVE-18-8210, the vulnerability resides in the DLL used to perform operations on the file-based disk image format that Microsoft created to simplify the deployment of Windows systems. The bug manifests in the LoadIntegrityInfo function when a WIM file header is parsed and can be triggered “even on the simplest operations performed on malformed WIM file,” the researcher says.

“For example, it is enough if an application tries to open the WIM file via the WIMCreateFile function and requests a file handle. The function allocates heap memory based on a user-controlled size value, and uses another user-controlled value to read n bytes from the file into this buffer. It is using these values without any prior input checks,” Noga explains.

An attacker exploiting the vulnerability could execute malicious code with the same access rights as the logged-in user. They could also crash the system with a denial-of-service attack, the researcher says. Because WIM files do not have a registered file type handler by default, the issue cannot be triggered if the user double-clicks a WIM file, unless a file-handler was registered first.

According to Talos, the vulnerability has a CVSSv3 score of 8.8. Microsoft, on the other hand, claims that the bug only has a CVSS score of 7.3 and that it is considered Important.

The remote code execution vulnerability “exists when Windows improperly handles objects in memory,” the software giant explains. The company also notes that an attacker able to successfully exploit the issue could control a vulnerable system.

Microsoft also adds that an attacker targeting the vulnerability “would first have to log on to the target system and then run a specially crafted application.”

To address the vulnerability, Microsoft released an update that corrects the manner in which Windows handles objects in memory. No mitigations or workarounds exist for this vulnerability, meaning that users need to install the recently released patch to keep systems safe.

Impacted products include Windows 10 (both 32-bit and 64-bit versions), Windows 8.1 (32-bit and 64-bit), Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server version 1709, and Windows Server version 1803.