Cisco Talos reveals inner depths of now-patched Windows disk image security flaw
Who doesn't like rummaging around in DLL files?
Cisco's security limb Talos has detailed a Windows vulnerability it reported to Microsoft – a bug that was duly fixed in June's Patch Tuesday dump.
The flaw, CVE-2018-8210, was discovered and privately reported to Redmond in March by Marcin "Icewall" Noga at Talos. Cisco published a summary and an in-depth technical writeup on Tuesday this week, and Microsoft has issued its own advisory for the bug.
Microsoft rated this programming cockup at 7.3 on the CVSSv3 score chart, whereas Talos thought it was a little more serious and nudged it up to 8.8.
It basically involves buggy parsing of metadata within Windows Imaging Format (WIM) files, which are compressed disk images. According to Team Talos:
If an attacker creates a specially crafted WIM file, they could be able to execute malicious code with the same access rights as the logged-in user, or just crash the system with a denial-of-service attack. The vulnerability is related to the file header parsing, which means it gets triggered even on simple operations. WIM files do not have a registered file type handler by default, which means that this vulnerability cannot be triggered by tricking a user into double-clicking a WIM file — at least not without registering a file-handler first.
In other words, to get remote code execution an attacker has to persuade the mark to open a booby-trapped image in an application that actually handles WIM files, one that hands the file to the vulnerable wimgapi library, rather than rely on a double-click. Still, the technical portion of Talos' disclosure is a decent piece of reverse engineering of the wimgapi DLL responsible for the vulnerability. ®
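Talos' description boils down to a parser trusting fields in the fixed WIM file header before it has done anything else with the file, which is why "simple operations" suffice to trigger it. The following is an added illustration, not code from Talos, Microsoft or the wimgapi library: a defensive reader for the 208-byte WIM header that validates each embedded resource descriptor against the actual file length before any resource is touched. The field layout is taken from Microsoft's public Windows Imaging File Format specification as the author understands it; the page does not say which field wimgapi mishandled, so this shows the class of check, not the specific patch. The sample images it parses are constructed inline and are not real WIM files.

```python
import struct

# Fixed WIM header, little-endian, per the public WIM spec (author's reading,
# not wimgapi's own definitions).  Total size is 0xD0 (208) bytes.
WIM_MAGIC = b"MSWIM\x00\x00\x00"
WIM_HEADER_SIZE = 0xD0
WIM_VERSION = 0x10D00

# RESHDR_DISK_SHORT: 7-byte stored size, 1 flag byte, u64 file offset,
# u64 original (uncompressed) size.  Four of these live inside the header.
_RESHDR_FMT = "<7sBQQ"
_HDR_FMT = "<8sIIII16sHHI24s24s24sI24s60s"
assert struct.calcsize(_HDR_FMT) == WIM_HEADER_SIZE


class WimFormatError(ValueError):
    """Header is malformed or a resource descriptor points outside the file."""


def _parse_reshdr(raw, name, file_len):
    size7, flags, offset, original_size = struct.unpack(_RESHDR_FMT, raw)
    size = int.from_bytes(size7, "little")
    if size == 0 and offset == 0:
        return None  # resource absent; legal for the optional tables
    # Check each term against the file length separately: a C parser that
    # computes offset + size in a 64-bit integer can wrap and pass a naive
    # "end <= file_len" test with an offset near 2**64.
    if offset < WIM_HEADER_SIZE or offset >= file_len or size > file_len - offset:
        raise WimFormatError(
            f"{name}: range [{offset}, +{size}) lies outside the {file_len}-byte file")
    return {"size": size, "flags": flags, "offset": offset, "original_size": original_size}


def parse_wim_header(data):
    """Parse and validate the fixed header of an in-memory WIM image."""
    file_len = len(data)
    if file_len < WIM_HEADER_SIZE:
        raise WimFormatError("file shorter than the fixed header")
    (magic, cb_size, version, flags, chunk_size, guid, part, total_parts,
     image_count, rh_offset, rh_xml, rh_boot, boot_index, rh_integrity,
     _unused) = struct.unpack(_HDR_FMT, data[:WIM_HEADER_SIZE])
    if magic != WIM_MAGIC:
        raise WimFormatError("bad magic")
    if cb_size != WIM_HEADER_SIZE:
        raise WimFormatError(f"header size field {cb_size:#x} != {WIM_HEADER_SIZE:#x}")
    if part == 0 or total_parts == 0 or part > total_parts:
        raise WimFormatError("inconsistent part numbers")
    if boot_index > image_count:
        raise WimFormatError("boot index beyond image count")
    hdr = {
        "version": version, "flags": flags, "chunk_size": chunk_size,
        "guid": guid, "part": part, "total_parts": total_parts,
        "image_count": image_count, "boot_index": boot_index,
        "offset_table": _parse_reshdr(rh_offset, "offset table", file_len),
        "xml_data": _parse_reshdr(rh_xml, "XML data", file_len),
        "boot_metadata": _parse_reshdr(rh_boot, "boot metadata", file_len),
        "integrity": _parse_reshdr(rh_integrity, "integrity table", file_len),
    }
    if hdr["offset_table"] is None or hdr["xml_data"] is None:
        raise WimFormatError("mandatory offset table or XML data missing")
    return hdr


def _reshdr(size, offset, original_size, flags=0):
    return struct.pack(_RESHDR_FMT, size.to_bytes(7, "little"), flags, offset, original_size)


def build_sample_wim(table_offset=None, table_size=50):
    """Constructed test blob (not a real image): header, 16-byte XML blob,
    then one placeholder offset-table entry.  table_offset overrides the
    descriptor so callers can point it outside the file."""
    xml = b"<WIM/>".ljust(16, b"\x00")
    table = b"\x00" * table_size
    if table_offset is None:
        table_offset = WIM_HEADER_SIZE + len(xml)
    empty = _reshdr(0, 0, 0)
    header = struct.pack(
        _HDR_FMT, WIM_MAGIC, WIM_HEADER_SIZE, WIM_VERSION, 0, 0x8000,
        b"\x11" * 16, 1, 1, 1,
        _reshdr(table_size, table_offset, table_size),
        _reshdr(len(xml), WIM_HEADER_SIZE, len(xml)),
        empty, 0, empty, b"\x00" * 60)
    return header + xml + table


def check_image(data):
    """Return 'ok' or the validation error text, for quick triage of a file."""
    try:
        parse_wim_header(data)
        return "ok"
    except WimFormatError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(check_image(build_sample_wim()))
    print(check_image(build_sample_wim(table_offset=(1 << 64) - 16)))  # would wrap in C
    print(check_image(build_sample_wim(table_offset=260)))             # runs past EOF
```

The point of the two bad samples is the ordering of checks: the descriptor is rejected on arithmetic over the file length alone, before any code seeks to the offset or allocates `size` bytes, which is where a header-driven parser in native code turns an untrusted field into an out-of-bounds read or write.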
Editor's note: This story was revised after publication to clarify that Talos privately reported the bug to Microsoft in March, the issue was fixed in June's Patch Tuesday, and details were revealed this week as per coordinated disclosure.