PoC for Microsoft Word RCE (CVE-2023-21716) Published
The PoC released by a security researcher for a patched vulnerability (CVE-2023-21716) in Microsoft Word could put millions of users at risk.
The vulnerability, with a CVSS score of 9.8, allows a remote attacker to execute arbitrary code on a victim’s system. This means that an attacker could gain complete control over a victim’s computer by exploiting this vulnerability. The vulnerability exists within Microsoft Office’s wwlib.dll, which means that all versions of Microsoft Office could be affected.
Today, a technical analysis of the CVE-2023-21716 bug was published and a PoC exploit has now been released. The attack vector is an unauthenticated attacker sending a malicious email with an RTF payload attached. When the victim opens the file, the attacker can execute commands in the context of the application used to open it. This could lead to the installation of malware, theft of sensitive data, or other malicious activities.
The root cause is a heap corruption in Microsoft Word's RTF parser, triggered "when dealing with a font table (*\fonttbl*) containing an excessive number of fonts (*\f###*)". By crafting such a font table, an attacker can exploit the corruption and execute arbitrary code on the victim's system.
“Microsoft Office 2010 and later use Protected View to limit damage caused by malicious documents procured from untrusted sources. Protected View is in effect when this vulnerability manifests and thus an additional sandbox escape vulnerability would be required to gain full privileges,” Drake wrote.
It is important to note that removing the file association for the RTF extension is ineffective in mitigating this vulnerability: a file carrying a DOC extension will still reach the vulnerable code.
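Defenders can triage inbound attachments for the condition described above, an RTF font table with an implausibly large number of *\f###* entries, sniffing the RTF header rather than trusting the extension since a .doc name still reaches the parser. The scanner below is an added example, not code from the advisory or the researcher; the font-count ceiling FONT_LIMIT is an assumed heuristic, not a value from the write-up.

```python
import re
RTF_MAGIC = b"{\\rtf"
FONT_LIMIT = 256                        # assumed heuristic ceiling, not from the advisory
FONT_ENTRY = re.compile(rb"\\f(\d+)")   # \f### font-number control words

def is_rtf(data: bytes) -> bool:
    """Sniff the RTF header; a .doc extension still reaches Word's RTF parser."""
    return data.lstrip().startswith(RTF_MAGIC)

def extract_group(data: bytes, keyword: bytes) -> "bytes | None":
    """Return the brace-balanced {\\keyword ...} group, or None if absent/unclosed.
    Backslash escapes (\\{ \\} \\\\) are skipped so literal braces keep the balance."""
    start = data.find(b"{" + keyword)
    if start < 0:
        return None
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2                      # skip the escaped byte or control-word lead
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return None

def count_fonts(fonttbl: bytes) -> int:
    return len(set(FONT_ENTRY.findall(fonttbl)))   # distinct font numbers declared

def assess(data: bytes, limit: int = FONT_LIMIT) -> dict:
    verdict = {"is_rtf": is_rtf(data), "font_count": 0, "suspicious": False, "reason": ""}
    if not verdict["is_rtf"]:
        return verdict
    table = extract_group(data, b"\\fonttbl")
    if table is None:
        if b"\\fonttbl" in data:        # present but never closed: malformed, flag it
            verdict.update(suspicious=True, reason="unterminated \\fonttbl group")
        return verdict
    n = verdict["font_count"] = count_fonts(table)
    if n > limit:
        verdict.update(suspicious=True, reason=f"{n} font entries exceed limit {limit}")
    return verdict

BENIGN = (b"{\\rtf1\\ansi{\\fonttbl{\\f0\\fswiss\\fcharset0 Arial;}"   # constructed sample,
          b"{\\f1\\froman\\fcharset0 Times New Roman;}}\\f0 Hello\\par}")  # not a real document
```

Run `assess()` over each attachment body; a verdict with `suspicious` set is a candidate for quarantine and closer inspection, while the `font_count` gives an analyst the raw figure to judge against normal documents in their environment.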
This vulnerability was discovered, analyzed, and reported by Joshua J. Drake (@jduck). To protect against this vulnerability, it is recommended that users update to the latest version of Microsoft Office as soon as possible. Additionally, users should exercise caution when opening emails from unknown or suspicious sources.