Why this 14-year-old heap corruption vulnerability in MS Word is still relevant

Publisher: Pentest-Tools.com

Microsoft patched 75 security flaws across a variety of Microsoft products in its February 2023 Patch Tuesday release, three of which were Zero-Day flaws.

A critical vulnerability with Remote Code Execution (RCE) potential in Microsoft Word (CVE-2023-21716), with a CVSS score of 9.8, was among the Zero-Day vulnerabilities that were fixed. APT groups have already been using this type of vulnerability to steal sensitive information.

One example is CVE-2017-0199. This vulnerability allowed attackers to remotely execute code in MS Word via a specially crafted document. It was exploited by several APT groups and ransomware actors, including the infamous Dridex banking Trojan and Locky ransomware.

As a security researcher, getting a CVE from Microsoft is something BIG, even after years of experience. Joshua J. Drake from NSFOCUS achieved this when he got Remote Code Execution through Microsoft Word's RTF parser for CVE-2023-21716.

Let’s unpack it and see what makes it interesting and worthy of your ethical hacking skills.

About CVE-2023-21716

How this heap corruption vulnerability occurs in the RTF parser of Microsoft Word is one of the most frequently asked questions, and understandably so.

Attackers can achieve remote code execution with the privileges of the victim who opens a malicious RTF document, because of a vulnerability in Microsoft Office's wwlib. The attacker could deliver this file as an email attachment or by other means.

First of all, what is RTF? 

The RTF file type, which stands for Rich Text Format, is used to exchange text files between various word processors and operating systems. The RTF parser in Microsoft Word is in charge of interpreting RTF file contents and displaying them on the screen.

The RTF parser examines the RTF file's structure and transforms it into a format that Microsoft Word can display. This covers additional types of content, including tables, images, and hyperlinks, as well as formatting details like font styles, sizes, colors, and paragraph alignment.

When exploited, the flaw allows a remote attacker to run code with the same rights as the victim when the victim opens a malicious RTF document. Sending the malicious file to a victim can be as straightforward as attaching it to an email, although there are also plenty of alternative techniques.

Does RTF = Heap corruption?

When processing a font table, the RTF parser loads the font ID value (f####) and fills the upper bits of EDX with it. If a font table (fonttbl) contains an abnormally high font ID value, the RTF parser corrupts the heap and causes a negative offset in the memory saved in ESI. As a result of this heap corruption, the attacker can execute any command with the victim's privileges.

For example:

```python
# Writes an RTF whose font table declares 32,761 fonts (\f0 .. \f32760),
# followed by a \rtlch group; the oversized font table is the malformed input the post describes.
open("malicious.rtf", "wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([("{\\f%dA;}\n" % i) for i in range(0, 32761)]) + "}\n{\\rtlch No Crash}\n}}\n").encode("utf-8"))
```

Why CVE-2023-21716 is the newest and oldest vulnerability at the same time

Why do we say this?

Because Joshua J. Drake announced on Mastodon that he found this vulnerability 14 years ago! Shockingly, we know that this vulnerability has been “alive” for more than a decade.

We can assume ransomware operators or APT groups have secretly been using this for all these years. Who knows what big news will come out in the next months.

Microsoft Word is one of the most popular tools in the world, so the exposure created by this vector is significant.

Affected products 

This RCE vulnerability affects the following Office products and other software connected to this suite:

  • Microsoft 365 Apps for Enterprise - 32-bit and 64-bit systems

  • Microsoft Office 2019 - 32-bit and 64-bit editions

  • Microsoft Office 2019 for Mac

  • Microsoft Office LTSC 2021 - 32-bit and 64-bit editions

  • Microsoft Office LTSC for Mac 2021

  • Microsoft Office Online Server

  • Microsoft Office Web Apps Server 2013 Service Pack 1

  • Microsoft SharePoint Enterprise Server 2013 Service Pack 1

  • Microsoft SharePoint Enterprise Server 2016

  • Microsoft SharePoint Foundation 2013 Service Pack 1

  • Microsoft SharePoint Server 2019

  • Microsoft SharePoint Server Subscription Edition

  • Microsoft Word 2013 RT Service Pack 1

  • Microsoft Word 2013 Service Pack 1 (32-bit and 64-bit editions)

  • Microsoft Word 2016 (32-bit and 64-bit editions)

  • SharePoint Server Subscription Edition Language Pack

Older versions may also be affected by this Microsoft Word remote code execution vulnerability, but they were not tested at the time of writing this article. 

The PoC - explained

The one-line PoC from Twitter that the community made popular is a line of code you can probably learn to understand in a few days, if you set your mind to it.

[Image: Joshua Drake's tweet]

The above code, written by the researcher who found CVE-2023-21716, creates and writes binary data to a file called t3zt.rtf. The RTF (Rich Text Format) document's string representation is encoded using UTF-8 to produce the binary data.

The RTF document builds the font table using a loop that generates entries for 32,761 fonts. Each entry in the font table starts with the letter "f", followed by a number, and ends with ";".

The loop produces entries for typefaces numbered from 0 to 32760. After the font table, the RTF document includes a string that reads "rtlch no crash??".

Joshua explains how this vulnerability works in more detail in his paper.
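As an added defensive example (our own triage code, not part of the original post or of Joshua Drake's research), the script below pulls the fonttbl group out of an RTF file and flags documents whose font table is abnormally large, the shape of the PoC walked through above and of the font-table handling described earlier. The two constructed samples are inline and harmless, and the thresholds are assumptions of ours, not values from the advisory.

```python
import re

# Constructed samples (not real malware): a benign document with a two-entry
# font table, and one shaped like the public CVE-2023-21716 crash PoC, whose
# font table holds 32,761 entries \f0 .. \f32760.
BENIGN_RTF = b"{\\rtf1{\\fonttbl{\\f0 Calibri;}{\\f1 Arial;}}\\f0 Hello}"
SUSPICIOUS_RTF = (
    b"{\\rtf1{\n{\\fonttbl"
    + b"".join(b"{\\f%dA;}\n" % i for i in range(0, 32761))
    + b"}\n{\\rtlch No Crash}\n}}\n"
)

# A font definition is the \f control word followed directly by a decimal font ID.
# \fonttbl, \fs and \fcharset are not matched because no digit follows the "f".
FONT_ID_RE = re.compile(rb"\\f(\d+)")


def extract_fonttbl(data: bytes) -> bytes:
    # Return the {\fonttbl ...} group, delimited by counting braces so that
    # \fN control words used later in the body text are not counted.
    start = data.find(b"{\\fonttbl")
    if start < 0:
        return b""
    depth = 0
    for pos in range(start, len(data)):
        ch = data[pos:pos + 1]
        if ch == b"{":
            depth += 1
        elif ch == b"}":
            depth -= 1
            if depth == 0:
                return data[start:pos + 1]
    return data[start:]  # unterminated group: analyse what is there


def analyze_fonttbl(data: bytes, max_fonts: int = 1024,
                    max_font_id: int = 32767) -> dict:
    # max_fonts / max_font_id are assumed triage thresholds: ordinary documents
    # declare a handful of fonts, while the PoC declares tens of thousands.
    ids = [int(m) for m in FONT_ID_RE.findall(extract_fonttbl(data))]
    highest = max(ids) if ids else -1
    return {
        "font_entries": len(ids),
        "max_font_id": highest,
        "suspicious": len(ids) > max_fonts or highest > max_font_id,
    }
```

Run `analyze_fonttbl(open(path, "rb").read())` over an attachment quarantine to surface RTF files worth a closer look before users open them.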

Mitigation and remediation for CVE-2023-21716 

The most secure method of resolving the issue is still to apply Microsoft's security fixes. There are workarounds available, like reading emails in plain text or activating the Microsoft Office File Block policy, but they’re highly inconvenient (e.g. lack of images and rich content).

If patching the vulnerable versions of Microsoft Office and other MS products isn’t possible, you can apply the following tips to limit the exposure to CVE-2023-21716:

Even though a full exploit is still not publicly available and exploitation remains theoretical, the safest way to handle the problem is to install the security update from Microsoft.

Wrapping up

Threat actors pay constant attention to critical vulnerabilities like this one. The more sophisticated ones jump at the opportunity to create complex attack scenarios with it.

Since it takes less work to alter a PoC than it does to create an exploit from scratch, a bigger pool of attackers usually starts leveraging the vulnerability once the exploit code becomes accessible.

Given the current proof of concept from Joshua J. Drake just suggests that exploitation is possible without demonstrating it, it is uncertain whether bad actors can turn it into a full-fledged exploit.

Still, there is a reason for cybersecurity specialists to keep an eye on this remote code execution vulnerability in Microsoft Word, because cybercriminals are likely to try to use it for large-scale malware distribution over email.
