Proof-of-concept for critical Microsoft Word vulnerability published
A critical vulnerability in Microsoft Word has recently been discovered, which allows remote code execution. Security researcher Joshua Drake uncovered the issue in Microsoft Office’s “wwlib.dll” and sent a technical advisory with proof-of-concept code to Microsoft last year. CVE-2023-21716 was assigned a 9.8 out of 10 severity score and addressed by Microsoft in the February Patch Tuesday security updates. The vulnerability’s severity is due to the low attack complexity and the lack of privileges and user interaction needed to exploit it.
If a victim opens a malicious .RTF document, a remote attacker could potentially execute code with the same privileges as the victim. The malicious file can be delivered through various methods, including email attachments. Even loading the file in the Preview Pane can be enough for the compromise to start, according to Microsoft. Joshua Drake explained that the RTF parser in Microsoft Word has a heap corruption vulnerability that occurs when dealing with a font table containing an excessive number of fonts. There is additional processing after the memory corruption occurs, and a threat actor could leverage the bug for arbitrary code execution with a properly crafted heap layout.
CVE-2023-21716 Python PoC (take 2)
open("t3zt.rtf","wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rtlch no crash??}\n}}\n").encode('utf-8'))
— Joshua J. Drake (@jduck) March 5, 2023
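As an added defender-side example (not from the article, and not Drake's PoC), the following Python script counts the font definitions inside an RTF file's font table and flags files whose count exceeds a triage threshold. The threshold value of 1000 is an assumption chosen to sit far above anything a legitimate document uses; the article does not state the exact number of fonts at which the parser corrupts the heap, so a hit is a reason to quarantine and inspect the file, not proof of an exploit. The two RTF byte strings are constructed inline for the demonstration.

```python
"""Heuristic triage for RTF files carrying oversized font tables.

Added example, not code from the article or from the published PoC. It parses
the {\fonttbl ...} group of an RTF document, counts the \fN font definitions
in it, and reports documents whose count exceeds a threshold.
"""
import re
from typing import Optional

# Assumption: a triage threshold well above real-world font tables. The exact
# count at which wwlib.dll's RTF parser fails is not stated in the article.
FONT_COUNT_THRESHOLD = 1000

# One font definition is introduced by \f followed by digits (\f0, \f1, ...).
# Control words such as \fonttbl, \fnil, \froman or \fcharset0 do not match,
# because a letter rather than a digit follows the "\f".
FONT_DEF_RE = re.compile(rb"\\f(\d+)")


def extract_fonttbl(data: bytes) -> Optional[bytes]:
    """Return the bytes of the {\fonttbl ...} group, honouring nested braces.

    Escaped characters (\{, \}, \\) are skipped so they do not disturb the
    brace depth. An unterminated group returns everything after \fonttbl.
    """
    start = data.find(rb"\fonttbl")
    if start < 0:
        return None
    depth = 1  # we are inside the "{" that opens the font-table group
    i = start + len(rb"\fonttbl")
    while i < len(data):
        c = data[i]
        if c == 0x5C:  # backslash: skip the escaped character / control word start
            i += 2
            continue
        if c == 0x7B:  # "{"
            depth += 1
        elif c == 0x7D:  # "}"
            depth -= 1
            if depth == 0:
                return data[start:i]
        i += 1
    return data[start:]


def count_font_definitions(data: bytes) -> int:
    """Number of \fN definitions inside the font table (0 if there is none)."""
    tbl = extract_fonttbl(data)
    return 0 if tbl is None else len(FONT_DEF_RE.findall(tbl))


def triage_rtf(data: bytes, threshold: int = FONT_COUNT_THRESHOLD) -> dict:
    """Classify a blob: is it RTF, how many fonts, and is the count suspicious."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return {"is_rtf": False, "font_count": 0, "suspicious": False}
    n = count_font_definitions(data)
    return {"is_rtf": True, "font_count": n, "suspicious": n > threshold}


# Constructed sample inputs (not real documents).
BENIGN_RTF = (
    b"{\\rtf1\\ansi{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}"
    b"{\\f1\\froman Times New Roman;}}\\f0 hello}"
)


def make_oversized_rtf(n_fonts: int) -> bytes:
    """Constructed RTF whose font table declares n_fonts entries."""
    table = b"".join(b"{\\f%d A;}" % i for i in range(n_fonts))
    return b"{\\rtf1{\\fonttbl" + table + b"}}"


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("oversized", make_oversized_rtf(2000))):
        print(name, triage_rtf(blob))
```

Because the article names email attachments as the delivery route and notes that the Preview Pane alone can trigger the bug, a check like this belongs at the mail gateway or attachment sandbox, before a user can open or preview the file; it complements, rather than replaces, applying the February update.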
No indication of active exploitation, but threat actors may attempt to reverse engineer fix
At present, there is no evidence of the vulnerability being exploited in the wild, and Microsoft assesses that taking advantage of the issue is “less likely.” However, critical vulnerabilities like this one draw the attention of threat actors, and more advanced ones may attempt to reverse engineer the fix to find a way to exploit it. When exploit code becomes available, a larger pool of attackers starts using the vulnerability since less effort is needed to modify a PoC than to come up with an exploit from scratch.
Workarounds for users unable to apply update come with potential risks
Microsoft’s current workarounds for users who cannot apply the fix are to read emails in plain text format or to enable the Microsoft Office File Block policy. Both methods have drawbacks, and enabling the policy requires modifying the Windows Registry. Even though a complete exploit is not currently available and remains theoretical, installing Microsoft’s security update is the safest way to deal with the vulnerability.
Source: bleepingcomputer.com