Related vulnerability
Title:
Microsoft Word security vulnerability
(CVE-2023-21716)
Description: Microsoft Word is the word-processing software in the Office suite from the US company Microsoft. Microsoft Office Word contains a security vulnerability. The following products and versions are affected: Microsoft Office Online Server, Microsoft Office 2019 for Mac, Microsoft 365 Apps for Enterprise for 64-bit Systems, Microsoft SharePoint Enterprise Server 2016, Micr
Description
Proof Of Concept for CVE-2023-21716 Microsoft Word Heap Corruption
Introduction
# Content Table
1. [RTF-creator - Download python script to create the .rtf file](RTF-creator.py)
2. [malicious.rtf - Example of a generated file](malicious.rtf)
3. [POC - Steps and debugging with WinDbg](POC.md)
# Background
In February 2023, Microsoft patched a critical vulnerability in Microsoft Word, identified as CVE-2023-21716 with a CVSS score of 9.8, which could allow attackers to execute remote code without authentication.
This vulnerability also affected the Outlook Preview Pane, meaning it can be triggered by only previewing the file. While Microsoft released a patch and a workaround, they did not disclose details about the issue.
On March 6, the researcher who discovered the bug (Joshua J. Drake - @jduck) shared a proof of concept (PoC) on Twitter.
# How It Happens
CVE-2023-21716 stems from how Microsoft Word handles **Rich Text Format (RTF)** files, particularly the **\fonttbl** control word, which defines the document's fonts using the **\f<num>** format. The font table parser in **wwlib.dll** allocates a fixed amount of heap space for the table (heap allocations are typically used for dynamic data such as a parsed font table, whose size depends on the input). The crash is a buffer overflow that occurs when the number of fonts exceeds that limit (shown by the PoC to be 32760). Overrunning the allocated heap space overwrites the Return Instruction Pointer (RIP), which crashes the application.
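A defender-side check that follows from the description above, added here as an example and not part of the PoC repository: a small group-aware scanner that locates the `{\fonttbl ...}` group in an RTF file, counts the `\f<num>` font definitions inside it, and flags files whose count reaches the 32760 figure the page gives. The constant name `FONT_LIMIT`, the function names and the embedded sample RTF are assumptions constructed for this example; the sample is a benign two-font document, not a trigger file.

```python
import re
import sys

# Font-count threshold quoted on this page as the point at which the
# heap buffer is exceeded. A file that reaches it is treated as suspicious.
FONT_LIMIT = 32760  # assumed name; value taken from the page

# Matches a font definition control word: backslash, 'f', then digits.
# \fnil, \froman, \fcharset0 and \fs20 do not match because a letter
# follows the 'f', so only genuine \f<num> entries are counted.
_FONT_DEF = re.compile(rb"\\f(\d+)")

# Constructed sample: a benign RTF with two fonts in its font table.
SAMPLE_BENIGN = (
    b"{\\rtf1\\ansi{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}"
    b"{\\f1\\froman\\fcharset0 Times New Roman;}}\\f0 Hello\\par}"
)


def is_rtf(data: bytes) -> bool:
    """RTF files start with the {\\rtf group header."""
    return data.lstrip().startswith(b"{\\rtf")


def fonttbl_group(data: bytes):
    """Return the raw bytes of the {\\fonttbl ...} group, or None if absent.

    Brace depth is tracked so nested {\\f0 ...;} entries stay inside the
    group; a backslash skips the following byte so escaped braces
    (\\{ and \\}) do not disturb the depth count.
    """
    start = data.find(b"{\\fonttbl")
    if start == -1:
        return None
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2  # skip the escaped byte / control-word lead byte
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]  # unterminated group: scan what is there


def count_fonts(data: bytes) -> int:
    """Number of \\f<num> font definitions inside the font table."""
    group = fonttbl_group(data)
    if group is None:
        return 0
    return sum(1 for _ in _FONT_DEF.finditer(group))


def analyze_rtf(data: bytes, limit: int = FONT_LIMIT) -> dict:
    """Summarise the file: is it RTF, how many fonts, does it reach the limit."""
    n = count_fonts(data) if is_rtf(data) else 0
    return {"is_rtf": is_rtf(data), "font_count": n, "suspicious": n >= limit}


if __name__ == "__main__":
    # Usage: python rtf_fonttbl_check.py <file.rtf>; with no argument the
    # constructed benign sample is analysed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            payload = fh.read()
    else:
        payload = SAMPLE_BENIGN
    print(analyze_rtf(payload))
```

The scanner deliberately stops at the first `{\fonttbl` group, which is where the page says the oversized table lives; a production rule would also want to handle RTF embedded in other containers (for example OLE objects inside DOCX), which this example does not attempt.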
# Affected Versions
- Microsoft Office 2019
- Microsoft Office Online Server
- Microsoft Office LTSC 2021
- Microsoft Office LTSC for Mac 2021
- Microsoft Word 2013 Service Pack 1
- Microsoft Word 2013 RT Service Pack 1
- Microsoft Word 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Enterprise Server 2013 Service Pack 1
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Server Subscription Edition Language Pack
- Microsoft SharePoint Server Subscription Edition
- Microsoft Office Web Apps Server 2013 Service Pack 1
- Microsoft 365 Apps for Enterprise
# Remediation
Users are strongly encouraged to install the latest security patches from Microsoft, as they have resolved this issue.
For those unable to upgrade, Microsoft has also provided several workarounds, which can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716.
File snapshot
[4.0K] /data/pocs/a860d76e4958cf78d7b40a5261944551336dac63
├── [373K] malicious.rtf
├── [5.8K] POC.md
├── [2.4K] README.md
└── [ 512] RTF-creator.py
0 directories, 4 files
Notes
1. Access via the original source is recommended.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.