来源

关联漏洞

描述

POC CVE 2023-21716

介绍

# About

CVE-2023-21716 is a critical vulnerability in Microsoft Word, specifically affecting the RTF (Rich Text Format) parsing functionality, which allows for remote code execution (RCE). Here’s a breakdown of what this vulnerability entails and why it’s significant:

## Summary of CVE-2023-21716
- **Vulnerability Type**: Remote Code Execution (RCE)
- **Affected Software**: Microsoft Word (part of Microsoft Office suite)
- **Impact**: Successful exploitation can allow an attacker to run arbitrary code on a victim’s system, potentially taking control of it.
- **Severity**: High, with a CVSS score of 9.8, indicating the vulnerability can be exploited remotely with little user interaction.

## How CVE-2023-21716 Works
The issue arises from a flaw in how Microsoft Word handles RTF files, which are commonly used for text documents. RTF documents can contain various formatting instructions, and this vulnerability specifically involves an incorrect handling of certain elements or code embedded in the document.

1. **Malformed RTF Parsing**: An attacker can craft a specially formatted RTF file that, when parsed by Microsoft Word, triggers a memory corruption error. This could allow the attacker to control program flow and execute arbitrary code.
  
2. **Remote Execution Vector**: Attackers can exploit this flaw by convincing a user to open a malicious RTF file. This can be done through email attachments, direct file sharing, or even by embedding the RTF file in a web page.

3. **Exploitation and User Interaction**: One of the critical aspects of this vulnerability is that it requires minimal user interaction. In some cases, simply previewing the malicious document in certain versions of Microsoft Outlook can trigger the exploit, as Outlook uses Word for previewing RTF files.

## Potential Impact
Since Word and the Office suite are widely used, an exploit leveraging CVE-2023-21716 can have a significant impact. If exploited successfully, it allows attackers to:
- **Execute Arbitrary Code**: Run any command on the victim's computer, potentially installing malware, extracting data, or even manipulating files.
- **Escalate Privileges**: On certain systems, an attacker could exploit this flaw to gain higher permissions, leading to more comprehensive access to the system.

## Mitigation and Protection
Microsoft addressed CVE-2023-21716 by releasing a security patch that fixes the RTF parsing vulnerability. To protect against potential exploits:
1. **Apply Security Patches**: Microsoft has released updates through its monthly Patch Tuesday update cycle, so ensuring that all Office software is up to date is essential.
2. **Disable RTF in Outlook**: Administrators can disable RTF file handling in Microsoft Outlook as an added precaution.
3. **User Education**: Encouraging users to avoid opening unknown or unsolicited attachments is also a fundamental security practice.

## Afftected versions

This vulnerability affects at least the following versions of Microsoft Office:

* Microsoft Office 365 (Insider Preview - 2211 Build 15831.20122 CTR)
* Microsoft Office 2016 (Including Insider Slow - 1704 Build 8067.2032 CTR)
* Microsoft Office 2013
* Microsoft Office 2010
* Microsoft Office 2007

Older versions may also be affected but were not tested. Furthermore, the technical details of this vulnerability have evolved over the years.


# Usage

```bash
bash embed.sh [executable_to_embed] [target_rtf] 
```

## Example

Embed a bat script `myscript.bat` into a rtf file `example.rtf`: 

```bash
bash embed.sh myscript.bat example.rtf
```

The script is a single one-liner:

```text
calc.exe
```

If the exploit is successful, when `example.rtf` is opened by vulnerable software, `myscript.bat` should be executed, launching `calc.exe`.


# Acknowledgements

Special thanks to FatFrog's team


<pre>
           .--._.--.
          ( O     O )
          /   . .   \
         .`._______.'.
        /(           )\
      _/  \  \   /  /  \_
   .~   `  \  \ /  /  '   ~.
  {    -.   \  V  /   .-    }
_ _`.    \  |  |  |  /    .'_ _
>_       _} |  |  | {_       _<
 /. - ~ ,_-'  .^.  `-_, ~ - .\
         '-'|/   \|`-`
</pre>

文件快照

 [4.0K]  /data/pocs/55706fbc754333594794e498f42afa806db401e0
├── [ 499]  embed.sh
├── [ 98K]  example.rtf
├── [   7]  myscript.bat
├── [ 39K]  payload.stack
└── [4.1K]  README.md

0 directories, 5 files

备注