来源

关联漏洞

描述

Proof Of Concept for CVE-2023-21716 Microsoft Word Heap Corruption

介绍

# Content Table
1. [RTF-creator - Download python script to create the .rtf file](RTF-creator.py)
2. [malicious.rtf - Example of a generated file](malicious.rtf)
3. [POC - Steps and debugging with WinDbg](POC.md)

# Background
In February 2023, Microsoft patched a critical vulnerability in Microsoft Word, identified as CVE-2023-21716 with a CVSS score of 9.8, which could allow attackers to execute remote code without authentication. 
This vulnerability also affected the Outlook Preview Pane, meaning it can be triggered by only previewing the file. While Microsoft released a patch and a workaround, they did not disclose details about the issue. 
On March 6, the researcher who discovered the bug (Joshua J.Drake - @jduck) shared a proof of concept (PoC) on Twitter.

# How It Happens
CVE-2023-21716 stems from how Microsoft Word handles **Rich Text Format (RTF)** files, particularly the **\fonttbl** control word, 
which defines fonts in the document using the **\f<num> format**. The **\fonttbl** inside the **wwlib.dll**, is allocated a certain amount of space inside the Heap (This is because heap allocations are typically used for dynamic data, such as parsing large structures like a font table, where the size may vary depending on the input). The crash occurs due to a buffer overflow when the number of fonts exceeds the limit (proven by the POC to be 32760). Overrunning the allocated heap space leads to overwriting the Return Instruction Pointer (RIP), which causes the application to crash.
 
# Affected Versions
Microsoft Office 2019

Microsoft Office Online Server

Microsoft Office LTSC 2021

Microsoft Office LTSC for Mac 2021

Microsoft Word 2013 Service Pack 1

Microsoft Word 2013 RT Service Pack 1

Microsoft Word 2016

Microsoft SharePoint Server 2019

Microsoft SharePoint Enterprise Server 2013 Service Pack 1

Microsoft SharePoint Enterprise Server 2016

Microsoft SharePoint Foundation 2013 Service Pack 1

Microsoft SharePoint Server Subscription Edition Language Pack

Microsoft SharePoint Server Subscription Edition

Microsoft Office Web Apps Server 2013 Service Pack 1

Microsoft 365 Apps for Enterprise

# Remediation 
Users are strongly encouraged to install the latest security patches from Microsoft, as they have resolved this issue. 
For those unable to upgrade, Microsoft has also provided several workarounds, which can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716.

文件快照

 [4.0K]  /data/pocs/a860d76e4958cf78d7b40a5261944551336dac63
├── [373K]  malicious.rtf
├── [5.8K]  POC.md
├── [2.4K]  README.md
└── [ 512]  RTF-creator.py

0 directories, 4 files

备注