POC details: 55706fbc754333594794e498f42afa806db401e0

Source
Associated vulnerability
Title: Microsoft Word security vulnerability (CVE-2023-21716)
Description: Microsoft Word is the word-processing software in the Office suite from Microsoft Corporation (USA). Microsoft Office Word has a security vulnerability. The following products and versions are affected: Microsoft Office Online Server, Microsoft Office 2019 for Mac, Microsoft 365 Apps for Enterprise for 64-bit Systems, Microsoft SharePoint Enterprise Server 2016, Micr
Description
POC CVE 2023-21716
Introduction
# About

CVE-2023-21716 is a critical vulnerability in Microsoft Word, specifically affecting the RTF (Rich Text Format) parsing functionality, which allows for remote code execution (RCE). Here’s a breakdown of what this vulnerability entails and why it’s significant:

## Summary of CVE-2023-21716
- **Vulnerability Type**: Remote Code Execution (RCE)
- **Affected Software**: Microsoft Word (part of Microsoft Office suite)
- **Impact**: Successful exploitation can allow an attacker to run arbitrary code on a victim’s system, potentially taking control of it.
- **Severity**: High, with a CVSS score of 9.8, indicating the vulnerability can be exploited remotely with little user interaction.

## How CVE-2023-21716 Works
The issue arises from a flaw in how Microsoft Word handles RTF files, which are commonly used for text documents. RTF documents can contain a wide range of formatting instructions, and this vulnerability stems from incorrect handling of certain elements embedded in the document.

1. **Malformed RTF Parsing**: An attacker can craft a specially formatted RTF file that, when parsed by Microsoft Word, triggers a memory corruption error. This could allow the attacker to control program flow and execute arbitrary code.
2. **Remote Execution Vector**: Attackers can exploit this flaw by convincing a user to open a malicious RTF file. This can be done through email attachments, direct file sharing, or even by embedding the RTF file in a web page.

3. **Exploitation and User Interaction**: One of the critical aspects of this vulnerability is that it requires minimal user interaction. In some cases, simply previewing the malicious document in certain versions of Microsoft Outlook can trigger the exploit, as Outlook uses Word for previewing RTF files.

## Potential Impact
Since Word and the Office suite are widely used, an exploit leveraging CVE-2023-21716 can have a significant impact. If exploited successfully, it allows attackers to:
- **Execute Arbitrary Code**: Run any command on the victim's computer, potentially installing malware, extracting data, or even manipulating files.
- **Escalate Privileges**: On certain systems, an attacker could exploit this flaw to gain higher permissions, leading to more comprehensive access to the system.

## Mitigation and Protection
Microsoft addressed CVE-2023-21716 by releasing a security patch that fixes the RTF parsing vulnerability. To protect against potential exploits:
1. **Apply Security Patches**: Microsoft has released updates through its monthly Patch Tuesday update cycle, so ensuring that all Office software is up to date is essential.
2. **Disable RTF in Outlook**: Administrators can disable RTF file handling in Microsoft Outlook as an added precaution.
3. **User Education**: Encouraging users to avoid opening unknown or unsolicited attachments is also a fundamental security practice.
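The two administrative controls above (blocking RTF handling and reducing Outlook's exposure to preview-triggered parsing) can be enforced per user through Office policy registry values. The following PowerShell is an added example, not part of the PoC repository; it assumes Office 2016/2019/365 (registry version key `16.0`) and applies Microsoft's long-standing File Block workaround for RTF parsing bugs plus Outlook's read-as-plain-text option.

```powershell
# Added example (not from the PoC repository).
# Assumption: Office 2016/2019/Microsoft 365 use registry version "16.0";
# adjust to "15.0" for Office 2013 or "14.0" for Office 2010.
$officeVersion = '16.0'

# Word File Block policy: RtfFiles = 2 blocks both opening and saving RTF;
# OpenInProtectedView = 0 means blocked files are not opened at all
# (not even in Protected View).
$fileBlockKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Word\Security\FileBlock"

# Outlook option: render all mail as plain text so RTF/HTML bodies are
# not parsed by Word's rendering engine in the preview pane.
$outlookMailKey = "HKCU:\Software\Microsoft\Office\$officeVersion\Outlook\Options\Mail"

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if missing, then write/overwrite the DWORD value.
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

Set-RegistryDword -Path $fileBlockKey   -Name 'RtfFiles'            -Value 2
Set-RegistryDword -Path $fileBlockKey   -Name 'OpenInProtectedView' -Value 0
Set-RegistryDword -Path $outlookMailKey -Name 'ReadAsPlain'         -Value 1

# Verify the effective settings so the change can be audited.
Get-ItemProperty -Path $fileBlockKey   | Select-Object RtfFiles, OpenInProtectedView
Get-ItemProperty -Path $outlookMailKey | Select-Object ReadAsPlain
```

For fleet-wide rollout the same values are normally delivered through Group Policy rather than written per user; these settings reduce exposure but are not a substitute for the patch.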

## Affected versions

This vulnerability affects at least the following versions of Microsoft Office:

* Microsoft Office 365 (Insider Preview - 2211 Build 15831.20122 CTR)
* Microsoft Office 2016 (Including Insider Slow - 1704 Build 8067.2032 CTR)
* Microsoft Office 2013
* Microsoft Office 2010
* Microsoft Office 2007

Older versions may also be affected but were not tested. Furthermore, the technical details of this vulnerability have evolved over the years.


# Usage

```bash
bash embed.sh [executable_to_embed] [target_rtf]
```

## Example

Embed a batch script `myscript.bat` into an RTF file `example.rtf`:

```bash
bash embed.sh myscript.bat example.rtf
```

The batch script `myscript.bat` is a single line:

```text
calc.exe
```

If the exploit is successful, when `example.rtf` is opened by vulnerable software, `myscript.bat` should be executed, launching `calc.exe`.


# Acknowledgements

Special thanks to FatFrog's team


<pre>
           .--._.--.
          ( O     O )
          /   . .   \
         .`._______.'.
        /(           )\
      _/  \  \   /  /  \_
   .~   `  \  \ /  /  '   ~.
  {    -.   \  V  /   .-    }
_ _`.    \  |  |  |  /    .'_ _
>_       _} |  |  | {_       _<
 /. - ~ ,_-'  .^.  `-_, ~ - .\
         '-'|/   \|`-`
</pre>
File snapshot

```text
[4.0K] /data/pocs/55706fbc754333594794e498f42afa806db401e0
├── [ 499] embed.sh
├── [ 98K] example.rtf
├── [   7] myscript.bat
├── [ 39K] payload.stack
└── [4.1K] README.md

0 directories, 5 files
```

The Shenlong bot has cached this for you.
Notes
    1. It is recommended to access the PoC through the original source first.
    2. If the source has gone offline or cannot be reached, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.