FelineKeeper/CVE-2025-50165-Windows-Graphics-Component-RCE

GitHub: FelineKeeper/CVE-2025-50165-Windows-Graphics-Component-RCE

Stars: 0 | Forks: 0

# Windows Graphics Component RCE


Windows Imaging Component · uninitialized JPEG encode pointers · 12/16-bit re-encode

Attack flow · Bio · TL;DR · Root cause · Patch · References

## 🎯 Attack flow & PoC

1. **Craft JPEG payload**: use a non-standard bit depth (12- or 16-bit) so the vulnerable code path is reached during compression. Heap spraying allocates chunks (e.g., size ~0x3ef7) filled with controlled data, such as ROP chains.
2. **Heap manipulation**: free chunks so they can be reused as a "victim chunk." This gives control over the memory the uninitialized function pointer is read from.
3. **Trigger dereference**: during `jpeg_finish_compress`, the pointer is called, hijacking control flow (RIP control).
4. **ROP chain and shellcode**: a stack-pivot gadget redirects execution to the ROP chain, which allocates RWX memory (e.g., via `VirtualAlloc`), copies the shellcode in, and executes it.

- **Craft JPEG payload** (pop calc PoC): `python poc_gen.py`
- Open the JPEG payload generated in the `poc` folder with Photos, Office, Edge preview, etc.

### Quick pipeline

| Step | Action | Output |
|:----:|--------|--------|
| **0** | Vulnerable **24H2** VM (no Aug 2025 patch) | `WindowsCodecs.dll` < `10.0.26100.4851` |
| **1** | **Craft JPEG payload** (pop calc PoC) | `poc\malicious.jpg` (or similar) |
| **2** | **Open payload** in a WIC host app | Thumbnail / re-encode → trigger |
| **3** | Observe | `calc.exe` spawns **or** crash in `jpeg_finish_compress` |

### Under the hood (same flow, technical view)

```text
python poc.py → poc/*.jpg
        │
        ▼
User opens in Photos / Office / Edge / Explorer
        │
        ▼
WindowsCodecs.dll ──► DECODE ✅
        │
        ▼
Re-encode / THUMBNAIL ──► jpeg_finish_compress()
        │
        ▼
CALL [uninitialized compress_data_12 | _16]
        │
        ▼
pop calc 💥 (or crash @ 0xBAADF00D)
```

## 📖 Bio

**CVE-2025-50165** (codename **WICBreak**) is a **CVSS 9.8 Critical** flaw in Microsoft's **Windows Imaging Component** (`WindowsCodecs.dll`). It lives in the JPEG **compression** path: when Windows **re-encodes** or builds a **thumbnail** from a rare **12-bit or 16-bit** image, it can call **uninitialized function pointers** (`compress_data_12` / `compress_data_16`) inside `jpeg_finish_compress`, turning a mundane picture format into a potential **remote code execution** primitive. Microsoft patched it in **August 2025** for **Windows 11 24H2** and **Windows Server 2025**; [Zscaler](https://www.zscaler.com/blogs/security-research/cve-2025-50165-critical-flaw-windows-graphics-component) and [ESET](https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/) showed that the headline "open a JPG, get owned" oversells it: **viewing** usually stays safe, but **encode and thumbnail pipelines** deserve the spotlight.

## ⚡ TL;DR

| | |
|---|---|
| **What** | Uninitialized function pointers in **`WindowsCodecs.dll`** during **JPEG compression** |
| **PoC** | `python poc.py` → open `poc/*.jpg` in Photos / Office / Edge |
| **When it fires** | App **re-encodes** or builds a **thumbnail** from a **12-bit or 16-bit** JPEG |
| **Score** | **9.8 Critical**: `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Affected** | **Windows 11 24H2** & **Windows Server 2025** before **10.0.26100.4851** |
| **Fix** | August 2025 Windows Update → [MSRC guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50165) |

## 🔬 Root cause

| Item | Detail |
|------|--------|
| **DLL** | `WindowsCodecs.dll` |
| **Function** | `jpeg_finish_compress` |
| **Bug** | `compress_data_12` / `compress_data_16` **never initialized** before dereference |
| **Trigger** | **12-bit or 16-bit** JPEG during **encode** (`data_precision` = 12 or 16) |
| **Tell** | Crash / heap may show **`0xBAADF00D`** (the Windows debug-heap fill for allocated-but-uninitialized memory) |
| **Patch** | Pointers set to `rawtranscode_compress_output_16` (DLL **≥ 10.0.26100.4946**) |

## 🧠 Myth vs reality

| Myth | Reality |
|------|---------|
| "Opening any malicious JPG = instant RCE" | **Decode/view** usually **does not** hit the bug; **re-encode** does |
| "`python poc.py` alone pwns the box" | You still need a **WIC host** to **thumbnail / save** the `poc` image |
| "CVSS 9.8 = worm tomorrow" | A reliable exploit needs **heap grooming** + an **info leak** ([ESET](https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/)) |
| "Patch optional on desktops" | **Server 2025** + **24H2** fleets: treat as **P0** |

## 📊 At a glance

| Field | Value |
|--------|--------|
| **CVE** | [CVE-2025-50165](https://nvd.nist.gov/vuln/detail/CVE-2025-50165) |
| **Codename** | **WICBreak** |
| **Component** | `WindowsCodecs.dll` (WIC) |
| **Weakness** | [CWE-822](https://cwe.mitre.org/data/definitions/822.html) · [CWE-908](https://cwe.mitre.org/data/definitions/908.html) |
| **Research** | [Zscaler](https://www.zscaler.com/blogs/security-research/cve-2025-50165-critical-flaw-windows-graphics-component) · [ESET](https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/) |

## 💥 Impact

| Dimension | Microsoft | Researchers |
|-----------|-----------|-------------|
| **Confidentiality** | High | Depends on app context + exploit |
| **Integrity** | High | Arbitrary code in the WIC consumer process |
| **Availability** | High | **Crash is easy**; stable RCE is harder |
| **Delivery** | Network (CVSS) | Often **file** → local WIC |

## 🖥️ Who is affected

| Product | Vulnerable | Patched (min) |
|---------|------------|---------------|
| **Windows 11 24H2** | < **10.0.26100.4851** | ≥ **10.0.26100.4851** |
| **Windows Server 2025** | < **10.0.26100.4851** | ≥ **10.0.26100.4851** |

## ✅ Patch now

1. Deploy the **August 2025** (or later) cumulative updates.
2. Confirm the OS build is **≥ 10.0.26100.4851**.
3. Re-test the PoC on the patched VM: **calc should not spawn**.
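Step 3 above validates the patch from the output side. A complementary input-side check, useful for the "rare 12/16-bit JPEG" detection idea further down, is to read the sample precision straight out of the JPEG frame header (the `SOFn` marker's `P` byte, which is what `data_precision` is set from): baseline files declare 8, the 12-bit extended-sequential (`SOF1`) and 16-bit lossless (`SOF3`) inputs the vulnerable encode path needs declare more. The scanner below is an added example, not code from this repository or from the Zscaler/ESET research; the sample headers it runs against are constructed inline.

```python
"""Scan JPEG frame headers for the 12/16-bit sample precision that the
vulnerable WIC re-encode path needs (CVE-2025-50165).  Added example; the
sample files below are constructed inline, not taken from the PoC repo."""
import struct

# SOFn markers carry the frame header; 0xC4 (DHT), 0xC8 (JPG) and 0xCC (DAC)
# share the 0xC0-0xCF range but are not frame headers.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}
# Markers that carry no length field.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS = 0xDA
EOI = 0xD9
BASELINE_PRECISION = 8
LOSSLESS_SOF = {0xC3, 0xC7, 0xCB, 0xCF}


def jpeg_frame_info(data: bytes):
    """Return the first SOFn frame header as a dict, or None if the data is not
    a JPEG, is truncated/malformed, or reaches SOS/EOI without a frame header."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return None                      # missing SOI: not a JPEG
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                  # lost marker sync between segments
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1                     # any number of 0xFF fill bytes may precede a marker
        if pos >= len(data):
            return None
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            if marker == EOI:
                return None              # end of image without a frame header
            continue
        if pos + 2 > len(data):
            return None                  # truncated length field
        (seg_len,) = struct.unpack(">H", data[pos:pos + 2])
        if seg_len < 2 or pos + seg_len > len(data):
            return None                  # malformed or truncated segment
        payload = data[pos + 2:pos + seg_len]
        if marker in SOF_MARKERS:
            if len(payload) < 6:
                return None
            precision, height, width, ncomp = struct.unpack(">BHHB", payload[:6])
            return {"sof": marker, "precision": precision, "height": height,
                    "width": width, "components": ncomp,
                    "lossless": marker in LOSSLESS_SOF}
        if marker == SOS:
            return None                  # entropy-coded data before any frame header
        pos += seg_len
    return None


def is_high_precision_jpeg(data: bytes) -> bool:
    """True when the frame header declares more than 8 bits per sample, i.e. the
    12- or 16-bit input that reaches the compress_data_12/_16 pointers."""
    info = jpeg_frame_info(data)
    return info is not None and info["precision"] > BASELINE_PRECISION


def _sof(marker: int, precision: int, w: int = 16, h: int = 16) -> bytes:
    """Build a one-component SOFn segment (constructed test data)."""
    payload = struct.pack(">BHHB", precision, h, w, 1) + bytes([1, 0x11, 0])
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


SOI = b"\xff\xd8"
APP0_JFIF = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS_STUB = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"

# Constructed headers: ordinary 8-bit baseline (SOF0), 12-bit extended
# sequential (SOF1) and 16-bit lossless (SOF3), plus a non-JPEG for contrast.
SAMPLE_8BIT = SOI + APP0_JFIF + _sof(0xC0, 8) + SOS_STUB
SAMPLE_12BIT = SOI + APP0_JFIF + _sof(0xC1, 12) + SOS_STUB
SAMPLE_16BIT = SOI + _sof(0xC3, 16) + SOS_STUB
NOT_A_JPEG = b"\x89PNG\r\n\x1a\n"

if __name__ == "__main__":
    for name, blob in [("8-bit SOF0", SAMPLE_8BIT), ("12-bit SOF1", SAMPLE_12BIT),
                       ("16-bit SOF3", SAMPLE_16BIT), ("PNG", NOT_A_JPEG)]:
        print(f"{name:12s} frame={jpeg_frame_info(blob)} flag={is_high_precision_jpeg(blob)}")
```

Point `jpeg_frame_info` at the bytes of a mail attachment or a file dropped into a thumbnail-generating share; a `True` from `is_high_precision_jpeg` is rare enough in ordinary traffic to be worth a closer look, and a `None` on a file that claims a `.jpg` extension is a malformed header, which is also informative. The scanner stops at `SOS` on purpose: the frame header must precede the scan data, so there is no need to walk entropy-coded bytes.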
| Mitigation | Priority |
|------------|----------|
| Install Microsoft security updates | **P0** |
| Block untrusted Office macros / external content | High |
| Standard user for office workloads | High |

### Detection ideas

- WER / dumps: fault in `WindowsCodecs.dll` at `jpeg_finish_compress`
- Unexpected `calc.exe` child of Photos / Office / `dllhost`
- Rare **12/16-bit** JPEG in email attachments

## 🔗 References

- [Microsoft MSRC — CVE-2025-50165](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50165)
- [NVD — CVE-2025-50165](https://nvd.nist.gov/vuln/detail/CVE-2025-50165)
- [ESET — Revisiting CVE-2025-50165](https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/)
- [Zscaler ThreatLabz](https://www.zscaler.com/blogs/security-research/cve-2025-50165-critical-flaw-windows-graphics-component)
- [WIC JPEG re-encode docs](https://learn.microsoft.com/en-us/windows/win32/wic/-wic-codec-jpegmetadataencoding)

## ⚠️ Disclaimer

For **authorized lab research** and patch validation only. Test only systems you own or are permitted to assess. Do not distribute or use this PoC against production environments.

CVE-2025-50165 · WICBreak