From 5102750d637501d61a8245e93eeecc430272b430 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sun, 2 Nov 2025 18:30:50 +0000 Subject: [PATCH] Add content from: Drawn to Danger: Windows Graphics Vulnerabilities Lead to Re... --- ...tructural-file-format-exploit-detection.md | 122 +++++++++++++++++- .../css-injection/less-code-injection.md | 7 +- 2 files changed, 125 insertions(+), 4 deletions(-) diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md index 077cfe2f11d..1bcb7fe8f45 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md @@ -90,7 +90,7 @@ Structural signals: Pseudo‑logic: ```pseudo -# Flag undocumented TrueType opcodes leveraged by TRIANGULATION +# Flag undocumented TrueType bytecode leveraged by TRIANGULATION switch opcode: case 0x8F, 0x90: mark_malicious("Undocumented TrueType bytecode") 
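Review bot: the comment rewrite in this hunk ("opcodes" to "bytecode") makes the comment a near duplicate of the verdict string `mark_malicious("Undocumented TrueType bytecode")` two lines below it, and it is less precise than the original, because `switch opcode: case 0x8F, 0x90:` matches individual opcode values, not a bytecode stream. Suggest keeping "opcodes" and making the comment say what the rule matches, e.g. `# Flag undocumented TrueType opcodes (0x8F/0x90) leveraged by TRIANGULATION`, so the comment explains the case list and the verdict string stays the user-facing label.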
@@ -131,10 +131,123 @@ Notes: --- +## EMF/EMF+ – Windows GDI/GDI+ structural exploitation patterns (CVE‑2025‑30388/53766/47984) + +Target: EMF/EMF+ files parsed by Windows GDI/GDI+ (gdi32full.dll, GdiPlus.dll) in document viewers, Office, preview/thumbnail pipelines. Several vulnerable paths are reachable via GdipGetImageThumbnail with minimal interaction. + +General tip: Build a minimal EMF(+)/EMF+ parser that walks records and validates declared bounds and offsets against the EMF header rclBounds/rclFrame and EMF+/object state. + +### 1) EMF+ clipping state corruption → OOB R/W (CVE‑2025‑30388) + +Structural signals: +- EmfPlusSetTSClip (Type 0x403A) contains invalid RECTs (zero/negative width/height, swapped edges, or extreme coordinates far outside EMF header bounds) that poison the internal clipping state. +- Followed soon after by scan‑based draw ops such as EmfPlusDrawString, EmfPlusFillRects, EmfPlusFillClosedCurve. +- Often preceded by EmfPlusClear (Type 0x4009) with ARGB where A=0xFF (alpha multiply preserves RGB), giving control of the 4‑byte value written by AlphaMultiply_sRGB. + +
+Pseudo‑logic: Detect invalid TSClip + draw op chain + +```pseudo +for each record i: + if is_EmfPlusClear(i) and alpha(i.color) == 0xFF: + seen_clear = true + if is_EmfPlusSetTSClip(i): + invalid = false + for rect in i.Rects: + if not (rect.left < rect.right and rect.top < rect.bottom): + invalid = true + # Optional: clamp against EMF header bounds with tolerance + if rect.top < minY - M or rect.left < minX - M or rect.bottom > maxY + M or rect.right > maxX + M: + invalid = true + if invalid: + # look ahead a small window for risky scan operations + if exists j in [i+1, i+K] where is_DrawString/FillRects/FillClosedCurve(j): + mark_malicious("EMF+ invalid TSClip followed by scan op" + (seen_clear ? " (prefilled color)" : "")) +``` + +
+ +Practical triage: +- Parse EMF header rclBounds/rclFrame; parse EMF+ comment/records and extract EmfPlusSetTSClip rectangles. +- Validate rectangle ordering and ensure coordinates are finite and within plausible range; flag when followed by draw ops within a small window (K ~ 32 records). +- If an EmfPlusClear with A=0xFF is observed immediately before, raise severity (attacker‑controlled dword for OOB writes/reads). + +Notes: +- Crashes observed in GdiPlus ScanOperation::AlphaMultiply_sRGB, Blend_sRGB_sRGB_MMX and EpAntialiasedFiller::OutputSpan when operating past end of small heap spans. +- Affects Office (Windows/Mac/Android) and thumbnailers using GDI+. + +### 2) EMF+ scan‑line height overrun → OOB write (CVE‑2025‑53766) + +Structural signals: +- EmfPlusDrawRects contains rectangles whose Y/height extend beyond the destination bitmap height implied by header bounds or a known thumbnail target (e.g., 100×100). +- Preceded by an EmfPlusObject defining a solid EmfPlusPen/Brush (ARGB) that controls the dword later stored by AlphaDivide_sRGB. + +Pseudo‑logic: + +```pseudo +# Detect rectangles that exceed surface height by a large margin +surface = derive_surface_from_header_or_default(thumb=100) +for rec in records: + if is_EmfPlusDrawRects(rec): + for r in rec.RectData: + if r.height <= 0 or r.width <= 0: + continue # malformed, treat as suspicious elsewhere + if r.y + r.height > surface.height + T: # T = tolerance (e.g., 8) + if seen_solid_pen_recently(window=L): + mark_malicious("EMF+ DrawRects exceeds surface height with solid pen") + else: + mark_suspicious("EMF+ DrawRects exceeds surface height") +``` + +Practical triage: +- Use EMF header rclBounds/rclFrame to estimate the drawing surface; if file is known to hit thumbnailers, also test against 100×100. +- Track recent EmfPlusObject/EmfPlusPen with SolidColor brush to strengthen the signal. +- Large repeated constants or many rectangles sharing extreme coordinates are a red flag. 
+ +Notes: +- Root cause was lack of clamping in EpScanBitmap::NextBuffer(); post‑patch implementations trim requested scan‑lines to the destination height. +- OOB dword equals the solid ARGB configured in the preceding pen/brush. + +### 3) EMR_STARTDOC string offsets → OOB read/info leak (CVE‑2025‑47984) + +Structural signals: +- In EMR_STARTDOC (Type 0x6B), DOCINFO offsets (lpszDocName, lpszOutput) that either do not point within the record or are not NUL‑terminated within the remaining bytes. +- Offset arithmetic that only validates against the original base, not after advancing past the first string, allowing a second offset to appear valid yet reference past‑record memory. +- Small EMF_HEADER.nBytes compared to embedded data can increase over‑read likelihood (heap block smaller than embedded strings). + +Pseudo‑logic: + +```pseudo +# Validate string offsets inside EMR_STARTDOC +base = start_of_record +end = base + record.Size +ptr1 = base + docinfo.lpszDocName +if not (base <= ptr1 < end) or not nul_terminated(ptr1, end): + mark_malicious("Invalid lpszDocName") + +# Recompute from record base for the second offset and re‑validate +ptr2 = base + docinfo.lpszOutput +if not (base <= ptr2 < end) or not nul_terminated(ptr2, end): + mark_malicious("Invalid lpszOutput (past end or unterminated)") +``` + +Practical triage: +- Parse EMR_STARTDOC, recompute all pointer‑like offsets relative to the start of the record, and ensure they are NUL‑terminated within the record boundary. +- Flag records where either offset validation fails or where the computed string length would require reading beyond the record. + +Notes: +- This pattern reflects an incomplete fix for CVE‑2022‑35837; patched gdi32full re‑validates both offsets relative to the record start and enforces termination. + +Operational signals helpful for sandbox correlation: +- Representative call chains: EnumEnhMetaFile → GDI+/MetafilePlayer → GpGraphics::DrawImage → GdipGetImageThumbnail. 
+- Crashes/telemetry in gdiplus (AlphaMultiply_sRGB, AlphaDivide_sRGB, EpScanBitmap::NextBuffer) and gdi32full (StringLengthWorkerW) while parsing untrusted EMF/EMF+. + +--- + ## Implementation patterns and performance A practical scanner should: -- Auto‑detect file type and dispatch only relevant analyzers (PDF/JBIG2, WebP/VP8L, TTF, DNG/TIFF) +- Auto‑detect file type and dispatch only relevant analyzers (PDF/JBIG2, WebP/VP8L, TTF, DNG/TIFF, EMF/EMF+) - Stream/partial‑parse to minimize allocations and enable early termination - Run analyses in parallel (thread‑pool) for bulk triage 
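Review bot: in the TSClip pseudo-logic of subsection 1, `seen_clear` is set once and never reset, so an `EmfPlusClear` anywhere earlier in the file raises the severity of every later TSClip hit, which contradicts the triage bullet "If an EmfPlusClear with A=0xFF is observed immediately before, raise severity". Record the index of the last qualifying Clear instead and require `i - last_clear <= window` before appending "(prefilled color)". In subsection 3, `nul_terminated(ptr1, end)` must look for a 16-bit terminator on a 2-byte boundary, since lpszDocName/lpszOutput are wide strings (the crash site named in the notes is `StringLengthWorkerW`); a single 0x00 byte check would accept an unterminated UTF-16 string, and the scan needs `ptr + 2 <= end` before each read. Smaller points: the tunables M and L are used but never given a default, while K (~32) and T (8) are; "Build a minimal EMF(+)/EMF+ parser" has a stray "(+)"; the TSClip parser should honour the Flags field of EmfPlusSetTSClip (rectangle count in the low bits, compression bit changing the per-rectangle encoding, per the MS-EMF+ section cited below) rather than iterating `i.Rects` as one fixed layout; and the "Representative call chains" line lists `EnumEnhMetaFile → ... → GdipGetImageThumbnail` in callee-to-caller order, whereas `GdipGetImageThumbnail` is the entry point that reaches `DrawImage` and then the metafile player, so either reverse the arrows or label it as a stack listed innermost first.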
@@ -179,5 +292,10 @@ $ elegant-bouncer --tui --scan /path/to/samples - [Researching BLASTPASS – Analysing the Apple & Google WebP PoC file (Part 2)](https://www.msuiche.com/posts/researching-blastpass-analysing-the-apple-google-webp-poc-file-part-2/) - [Researching TRIANGULATION – Detecting CVE‑2023‑41990 with single‑byte signatures](https://www.msuiche.com/posts/researching-triangulation-detecting-cve-2023-41990-with-single-byte-signatures/) - [CVE‑2025‑43300: Critical vulnerability found in Apple’s DNG image processing](https://www.msuiche.com/posts/cve-2025-43300-critical-vulnerability-found-in-apples-dng-image-processing/) +- [Drawn to Danger: Windows Graphics Vulnerabilities Lead to Remote Code Execution and Memory Exposure (Check Point Research)](https://research.checkpoint.com/2025/drawn-to-danger-windows-graphics-vulnerabilities-lead-to-remote-code-execution-and-memory-exposure/) +- [MS‑EMF+: EmfPlusSetTSClip](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-emfplus/0dfb6f4f-e53c-413b-80cf-57a3cadd5d38) +- [MS‑EMF+: EmfPlusDrawString](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-emfplus/ae7927c3-e416-4069-a9b8-3200113d6c41) +- [MS‑EMF+: EmfPlusRect / EmfPlusDrawRects / EmfPlusObject / EmfPlusPen](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-emfplus/8d510051-eeb2-482f-9964-e9cd1dad6fca) +- [RECT structure](https://learn.microsoft.com/en-us/windows/win32/api/windef/ns-windef-rect) {{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md index b9d599deb30..6d338df2b68 100644 --- a/src/pentesting-web/xs-search/css-injection/less-code-injection.md +++ b/src/pentesting-web/xs-search/css-injection/less-code-injection.md 
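Review bot: the new reference labelled `[MS‑EMF+: EmfPlusRect / EmfPlusDrawRects / EmfPlusObject / EmfPlusPen]` names four spec structures but points at a single section URL; each MS-EMFPLUS structure has its own page, so split this into one link per structure or state which one the URL resolves to. Subsection 3 of the added content is about EMR_STARTDOC, which lives in MS-EMF rather than MS-EMF+, yet no MS-EMF reference is added, and the `RECT structure` link is the Win32 windef page rather than the metafile spec; an MS-EMF EMR_STARTDOC entry would ground subsection 3 the way the EMF+ links ground subsections 1 and 2.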
@@ -1,4 +1,6 @@ -## LESS Code Injection leading to SSRF & Local File Read +# LESS Code Injection leading to SSRF & Local File Read + +{{#include ../../../banners/hacktricks-training.md}} LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used. @@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \ * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04) * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/) -* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) \ No newline at end of file +* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) +{{#include ../../../banners/hacktricks-training.md}}
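Review bot: the two hunks in less-code-injection.md (heading promoted from `##` to `#`, banner include added at top and bottom) have nothing to do with the commit subject "Add content from: Drawn to Danger…" and belong in a separate formatting commit so the EMF/EMF+ change can be reviewed and reverted on its own. The edits themselves are consistent with the sibling file, whose context lines show the same `{{#include ../../../banners/hacktricks-training.md}}` at its end, and the remove/re-add of the otherwise unchanged `* [CVE-2024-58258]...` line only supplies the trailing newline that the `\ No newline at end of file` marker flags on the removed line.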