POC released for critical Microsoft Word bug
Security researcher Joshua Drake has published a proof-of-concept exploit for a serious flaw in Microsoft Word, tracked as CVE-2023-21716. A remote attacker can take advantage of the flaw to execute arbitrary code on a computer running the vulnerable software.
The flaw is easy to exploit, and user interaction is the only requirement. Microsoft fixed the issue in the February Patch Tuesday security updates. The flaw, which lies in Microsoft Office’s “wwlib.dll” library, was found by Joshua Drake in November.
“An unauthenticated attacker could send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file,” reads the advisory issued by Microsoft.
The flaw can also be triggered simply by opening a specially crafted RTF document in the Preview Pane. Drake identified a heap corruption flaw in Microsoft Word’s RTF parser that can be exploited by a font table (`\fonttbl`) containing an excessive number of fonts (`\f###`).
“Following this memory corruption, additional processing takes place. With a properly crafted heap layout, an attacker can cause the heap corruption to yield arbitrary code execution. Using the proof-of-concept code supplied below, processing eventually reaches the post-processing clean up code,” reads the technical post published by the researchers. The researchers released proof-of-concept code that exploits the flaw to launch the Windows Calculator app.
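Because the trigger described above is an RTF font table with far more `\f###` entries than any ordinary document needs, a defender can triage incoming RTF files for that anomaly before they ever reach Word or the Preview Pane. The following Python script is an added example written for this article, not code from the researcher or from Microsoft: it extracts the `{\fonttbl ...}` group while honouring nested braces, counts the `\f###` font entries, and flags files whose count exceeds a threshold. The two sample documents and the threshold of 1000 are constructed assumptions for illustration; tune the threshold to your own corpus of legitimate RTF files.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample RTF documents (not real malware): a benign file with a
# two-entry font table, and a suspicious file whose font table declares far
# more fonts than any ordinary document would ever need.
BENIGN_RTF = (
    r"{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}{\f1\froman Times New Roman;}}"
    r"\f0 Hello, world.\par}"
)
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi{\fonttbl"
    + "".join(rf"{{\f{i}\fnil Font{i};}}" for i in range(40000))
    + r"}\f0 Payload text.\par}"
)

FONT_ENTRY_RE = re.compile(r"\\f(\d+)")  # RTF font control word \f### (digits only,
                                         # so \fnil, \fswiss, \fs24 do not match)
FONT_COUNT_THRESHOLD = 1000              # assumed triage threshold, not from the article


@dataclass
class FontTableReport:
    found: bool          # was a \fonttbl group present at all?
    font_count: int      # number of \f### entries inside the group
    max_font_id: int     # highest font id seen (-1 if none)
    suspicious: bool     # font_count exceeds the threshold


def extract_fonttbl(rtf: str) -> Optional[str]:
    """Return the text of the {\\fonttbl ...} group, tracking nested braces.

    Escaped braces (\\{ and \\}) are skipped so they do not disturb the depth
    count. An unterminated group returns everything up to end of input.
    """
    start = rtf.find(r"\fonttbl")
    if start == -1:
        return None
    open_brace = rtf.rfind("{", 0, start)  # brace that opens the fonttbl group
    if open_brace == -1:
        return None
    depth = 0
    i = open_brace
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":        # skip the escaped/control character after a backslash
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return rtf[open_brace:i + 1]
        i += 1
    return rtf[open_brace:]


def analyze_font_table(rtf: str, threshold: int = FONT_COUNT_THRESHOLD) -> FontTableReport:
    """Count \\f### entries in the font table and flag an excessive count."""
    group = extract_fonttbl(rtf)
    if group is None:
        return FontTableReport(found=False, font_count=0, max_font_id=-1, suspicious=False)
    ids = [int(m.group(1)) for m in FONT_ENTRY_RE.finditer(group)]
    count = len(ids)
    return FontTableReport(
        found=True,
        font_count=count,
        max_font_id=max(ids) if ids else -1,
        suspicious=count > threshold,
    )


def scan_file(path: str, threshold: int = FONT_COUNT_THRESHOLD) -> FontTableReport:
    """Convenience wrapper for triaging an RTF file on disk (read as latin-1 so
    arbitrary bytes never raise a decoding error)."""
    with open(path, "rb") as fh:
        return analyze_font_table(fh.read().decode("latin-1"), threshold)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        report = analyze_font_table(doc)
        print(f"{label}: fonts={report.font_count} max_id={report.max_font_id} "
              f"suspicious={report.suspicious}")
```

The check is a heuristic, not a signature: a high font count is unusual enough in real documents to justify quarantining the file for closer inspection, while a normal count does not prove the file is safe, so it belongs alongside patching and the File Block policy rather than in place of them.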
As a mitigation, use the Microsoft Office File Block policy to prevent Office from opening RTF files from unauthorized or suspect sources.
Sources
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716
- https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/