Advantech TP-3250 Printer Driver Heap Corruption Vulnerability in DrvUI_x64_ADVANTECH.dll

Vulnerability

A heap corruption vulnerability has been identified in the Advantech TP-3250 printer driver, specifically in DrvUI_x64_ADVANTECH.dll version 0.3.9200.20789. It is triggered when the DocumentPropertiesW() function is called with a valid dmDriverExtra value but an undersized output buffer. The driver incorrectly assumes that the output buffer is the same size as the input buffer, which leads to invalid memory operations and heap corruption. The vulnerability can cause a denial of service by crashing applications and could potentially allow code execution in user space. Exploitation requires local access.

Impact

Exploitation of this vulnerability causes heap corruption, leading to application crashes. Because the heap corruption occurs in user space, code execution is also possible, as demonstrated by the published proof of concept.

Reproduction

The vulnerability can be reproduced by compiling a C program that uses the Windows Print Spooler API. The program must open a handle to the TP 3250 printer and then call the DocumentPropertiesW function with a valid DEVMODEW structure. The DEVMODEW structure should include an oversized dmDriverExtra value and an undersized output buffer. When DocumentPropertiesW is called, the driver will mishandle the buffer sizes, causing heap corruption. After the function call, the application will crash, and a crash dump will reveal the heap corruption error.
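
The size handling that the description and the reproduction steps say the driver gets wrong, shown here as a bounds-checked merge routine. This is an added example in portable C, not code from the advisory or from the vendor; `devmode_hdr`, `DRV_PUBLIC`, `DRV_EXTRA`, `drv_required_size`, `drv_merge_devmode` and the `out_cap` parameter are hypothetical names in a simplified model of DEVMODEW.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the DEVMODEW header (assumption: only the two
 * size fields are modelled; the real structure has many more members). */
typedef struct {
    uint16_t dmSize;        /* bytes in the public part, caller-supplied */
    uint16_t dmDriverExtra; /* bytes of private driver data that follow  */
} devmode_hdr;

#define DRV_PUBLIC ((uint16_t)sizeof(devmode_hdr)) /* model value        */
#define DRV_EXTRA  ((uint16_t)64)                  /* hypothetical value */
/* What the driver reports for a size query; callers allocate this much. */
size_t drv_required_size(void) { return (size_t)DRV_PUBLIC + DRV_EXTRA; }
/* Hardened merge. Returns bytes written to out, or -1 if rejected.
 * out_cap exists only in this model so the check can be exercised. */
long drv_merge_devmode(void *out, size_t out_cap, const void *in, size_t in_len)
{
    devmode_hdr hdr = { DRV_PUBLIC, DRV_EXTRA };
    size_t need = drv_required_size(), extra = 0;
    const unsigned char *src = in;
    unsigned char *dst = out;
    if (dst == NULL || out_cap < need) return -1;   /* undersized output */
    if (src != NULL) {
        devmode_hdr ih;
        if (in_len < sizeof ih) return -1;          /* no full header    */
        memcpy(&ih, src, sizeof ih);
        if (ih.dmSize < sizeof ih) return -1;       /* bogus public size */
        if ((size_t)ih.dmSize + ih.dmDriverExtra > in_len) return -1;
        /* Clamp to the driver's own size, never the caller's claim. */
        extra = ih.dmDriverExtra < DRV_EXTRA ? ih.dmDriverExtra : DRV_EXTRA;
        src += ih.dmSize;
    }
    memset(dst, 0, need);                   /* driver defaults (zeros)   */
    if (extra) memcpy(dst + DRV_PUBLIC, src, extra);
    memcpy(dst, &hdr, sizeof hdr);          /* output carries own sizes  */
    return (long)need;
}

int main(void)
{
    unsigned char in[204] = {0}, out[68];
    devmode_hdr h = { DRV_PUBLIC, 200 };    /* constructed oversized claim */
    memcpy(in, &h, sizeof h);
    printf("exact buffer: %ld\n", drv_merge_devmode(out, sizeof out, in, sizeof in));
    printf("short buffer: %ld\n", drv_merge_devmode(out, 8, in, sizeof in));
    return 0;
}
```

DocumentPropertiesW itself passes no output-buffer length, so on the calling side the matching safeguard is to allocate exactly the size the driver returns from a size query before requesting output.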

Added: Nov 14, 2025, 8:18 PM
Updated: Nov 14, 2025, 10:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.