Critical Delphi and C++Builder VCL library bug found
A buffer overflow vulnerability that could be exploited to execute malicious code has been discovered in the Visual Component Library (VCL) library of Embarcadero’s Delphi and C++Builder application development environments, and could, therefore, also affect applications that were built by using the software and that use the affected library.
The issue was first discovered by a Core Security researcher. “Marcos Accossatto from our Exploit Writing team detected the vulnerability on an affected application by manually changing some values in the BMP header of a sample image, later confirming the finding on a set of image handling applications,” explained Flavio De Cristofaro, the company’s VP of Engineering for Professional Products.
“While manipulating the BMP file, it was observed that some applications of the set would crash. That led us to assume a software library common to all the applications was probably responsible for the crash, which led us to the culprit.”
“C++Builder and Delphi have been used in software development for many years. Financial institutions, healthcare organizations and companies in several other industries have developed homegrown applications using these products,” he noted, and said that it’s difficult to say which specific software is affected.
The vulnerability can be exploited locally, if a user is made to open a malformed BMP file on the affected application.
“Even when a Client Side attack seems to be the most likely attack vector, some applications allow a remote user to upload malformed files. In this case, the affected application could be remotely exploitable,” De Cristofaro added.
Once the vulnerability has been exploited, the attacker has the same permission level of the user running the vulnerable app. This often translates into the capability to execute whatever program he or she wants.
The vulnerability has been patched and, depending on the Delphi and C++ Builder versions, users can do several things.
“Users will need to check for newer versions of the software that includes the fix to the affected software component and, per our understanding, they would need to recompile the code using the new version of the software,” he advised.
“An alternative affected users may consider is replacing the affected component (VCL) with an equivalent package for handling images. Also, if affected users do not have the source code or are not willing to recompile the program, they can use other third-party software such as Sentinel or EMET that could help to prevent the exploitation of affected systems to some extent.”
In any case, users should contact Embarcadero for additional information on how to fix the problem. Core Security has also offered to help companies that might need it, and has announced that they will not release proof of concept code publicly for the time being as to give affected companies enough time for patching.