APT group FruityArmor exploited Windows GDI memory handling to break out of browser sandboxes and launch PowerShell in targeted attacks

A critical vulnerability in the Windows GDI (graphics device interface) that Microsoft patched in its latest round of security updates was exploited by a sophisticated attack group to escape browser-based sandboxes and remotely execute malicious code, according to Kaspersky Lab.

Windows GDI is an API that helps applications work with graphics and formatted text on video displays and printers. The remote code execution flaw stemmed from how GDI handled objects in memory (CVE-2016-3393), and the issue has been addressed in critical bulletin MS16-120, Microsoft said. The vulnerability affected all supported versions of the Windows operating system, Microsoft Office 2007 and Office 2010, Skype for Business 2016, Silverlight, .NET Framework, Microsoft Lync 2013, and Microsoft Lync 2010.

An attacker could exploit the vulnerability by tricking a user into visiting a malicious website and clicking on a booby-trapped link, opening a maliciously crafted document sent as an email attachment, or executing a specially rigged file, Microsoft said.

Anton Ivanov, the Kaspersky Lab researcher who reported the flaw to Microsoft in September, found that the known advanced persistent threat (APT) group FruityArmor was using this vulnerability as part of a browser-based exploit chain to gain elevated privileges and escape the browser sandbox. FruityArmor relies on Windows Management Instrumentation storage to maintain persistence on infected machines, and on PowerShell to carry out its attacks.

“Since many modern browsers are built around sandboxes, a single exploit is generally not sufficient to allow full access to a targeted machine,” Ivanov wrote in a summary on Kaspersky Lab’s Securelist.

FruityArmor tricked victims into visiting a malicious page containing a browser-based exploit. The main goal of this module is to load a specially crafted TTF font file containing the exploit that triggers the Windows GDI flaw. After a successful compromise, a second-stage payload uses the elevated privileges to execute PowerShell with a meterpreter-style script that connects to a command-and-control server and receives additional instructions and executables. Both the primary malware implant and the commands sent by the C&C operators are written in PowerShell, Ivanov said. The implant and the malicious TTF font reside and execute in memory, making them difficult to detect. Many attackers are shifting to fileless malware, where the malicious code executes entirely in memory, to evade detection.

The attacker can cause an integer overflow condition in the cjComputeGLYPHSET_MSFT_GENERAL function of the Win32k.sys system module, where the vulnerability exists. By crafting a specific segment range in the font file, the attacker can then access “interesting memory,” Ivanov said. Though font processing in Windows 10 takes place in a special user-mode process with restricted privileges, the flaw in TTF processing causes that process, fontdrvhost.exe, to crash.

While every organization has different patching requirements, IT departments should prioritize critical updates. When a vulnerability is being exploited in the wild, as this remote code execution flaw in Windows GDI is, it should definitely be a priority. Attackers continue to see a lot of success targeting vulnerabilities that already have patches available because not all systems get updated in a timely manner. This is why Ivanov refrained from discussing the vulnerability in depth.

“Please keep in mind that we will not be publishing all the details about this vulnerability because of the risk that other threat actors may use them in their attack,” Ivanov wrote.
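The class of bug described above, an integer overflow when a glyph-set size is summed from font segment ranges, as an added illustration that is not Kaspersky's, Microsoft's or the win32k code: the unchecked counter wraps to zero on a single full-range segment, so any buffer sized from it would be far too small, while the checked version rejects inverted ranges, wrapping sums and totals beyond the 16-bit code space. The segment layout, field names and the 65536 cap are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed, simplified segment record: a contiguous range of 16-bit character
 * codes, in the spirit of a cmap format-4 segment. Not the win32k structure. */
typedef struct {
    uint16_t start_code;
    uint16_t end_code;
} segment_t;

/* A 16-bit code space can never hold more than this many codes. */
#define MAX_CODES 65536u

/* Naive counter: sums (end - start + 1) in a 16-bit accumulator the way a
 * careless routine might. A single segment 0x0000..0xFFFF spans 0x10000 codes,
 * which truncates to 0, and any later allocation based on it is undersized. */
uint16_t count_codes_unchecked(const segment_t *segs, size_t n)
{
    uint16_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (uint16_t)(segs[i].end_code - segs[i].start_code + 1);
    return total;
}

/* Hardened counter: widens the arithmetic, rejects inverted ranges, refuses to
 * wrap, and bounds the total by what the code space can contain. Returns false
 * on malformed input so the caller never sizes a buffer from a bad count. */
bool count_codes_checked(const segment_t *segs, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].end_code < segs[i].start_code)
            return false;                         /* inverted range */
        uint32_t span = (uint32_t)segs[i].end_code - segs[i].start_code + 1u;
        if (span > MAX_CODES - total)
            return false;                         /* would exceed code space */
        total += span;
    }
    *out = total;
    return true;
}
```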