Researchers at Core Security say they have identified a security vulnerability in the Visual Component Library (VCL) that affects apps developed with Delphi and C++ Builder.
In an advisory released today, the security firm revealed that an attacker is able to trigger a buffer overflow and possibly execute arbitrary code with the aid of malformed BMP files processed through affected programs. By exploiting this security hole, an attacker could execute code with the permissions of the user running the vulnerable application.
The vulnerability, discovered as part of Core Security’s internal research efforts, impacts software developed with Embarcadero C++Builder XE6 version 20.0.15596.9843, Embarcadero Delphi XE6 version 20.0.15596.9843, and possibly other 32bit and 64 bit versions. The VCL is a component-based object-oriented framework that’s utilized for developing the user interface of Windows applications, and it is integrated by default in these development environments.
According to Flavio De Cristofaro, vice president of engineering for professional products at Core Security, the Embarcadero products have been used by financial institutions, healthcare organizations and companies in several other industries to develop homegrown applications.
There are three main conditions that must be met for the vulnerability to be exploited: the application must be built using affected software; the application must use VCL to handle BMP files; and, since the attack would be on the client side, interaction from the victim is required. On the other hand, some applications could be exploited remotely if they allow a remote user to upload the malformed BMP files.
“Users will need to check for newer versions of the software that includes the fix to the affected software component and, per our understanding, they would need to recompile the code using the new version of the software. An alternative affected users may consider is replacing the affected component (VCL) with an equivalent package for handling images,” explained De Cristofaro.
“Also, if affected users do not have the source code or are not willing to recompile the program, they can use other third-party software such as Sentinel or EMET that could help to prevent the exploitation of affected systems to some extent. We recommend contacting Embarcadero for further support,” he added.
While the latest versions of Windows incorporate features that can limit the exploitation of the vulnerability, Core Security claims it has created some proof-of-concepts that work on these operating systems as well.
Update: Embarcadero representatives told SecurityWeek that a patch has been made available for this vulnerability. Users of Delphi and C++ Builder XE6 are advised to apply a hotfix, while users of prior versions can address the issue by making some changes in the VCL source code and adding the modified file to their applications.