Microsoft's February 2023 security updates brought a fix for CVE-2023-21716, a remote code execution vulnerability in Microsoft Word. The vulnerability was discovered and reported by security researcher Joshua J. Drake (Twitter, Mastodon), who subsequently published his analysis together with a simple proof-of-concept.
The flaw is in Word's processing of an RTF file whose font table contains an excessive number of font records: a numeric operation with sign extension causes the code to write to an address outside the intended memory block. With sufficient heap grooming, arbitrary code execution could be possible when a user merely opens a malicious Word document, previews it in Explorer's Preview Pane, or views a malicious email in Outlook. The vulnerability apparently goes back to Office 97.
Microsoft's patch for this issue is not subtle at all: when a sufficiently large number of font records (specifically, more than 32760) is detected in an RTF document, Word simply terminates itself. This approach is not new and has reportedly been used before, but it can have unpleasant side effects such as lost data (Word crashing while an unsaved document is being edited) or Outlook becoming unusable because it renders the malicious email every time it is opened, and crashes.
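As an added example (not part of the original post, and not 0patch's or Microsoft's code), the following Python scanner applies the same threshold to an RTF file's font table, so a mail gateway or a triage script can flag a document that would trigger the crash-on-detect behaviour before it reaches a user. The 32760 limit is the one quoted above; the helper names, the constructed sample RTF and the assumption that each \fN record inside the {\fonttbl ...} group corresponds to one font-table index are ours.

```python
import re

# Threshold from Microsoft's fix as described above: an RTF font table with
# more than this many font records makes patched Word terminate itself.
MAX_FONT_RECORDS = 32760

# Tokens we care about while walking the font table group:
#   \\  \{  \}   escaped literal characters (must not affect brace depth)
#   \fN          a font definition record (N may be negative per the RTF spec)
#   {  }         group open / close
_TOKEN = re.compile(rb"\\[\\{}]|\\f(-?\d+)|[{}]")


def count_fonttbl_records(rtf: bytes) -> int:
    """Count \\fN font records inside the {\\fonttbl ...} group of an RTF file.

    Brace depth is tracked relative to the font table group, so font
    references in the document body (e.g. "\\f0 hello") are not counted.
    Returns 0 when no font table is present.
    """
    idx = rtf.find(b"\\fonttbl")
    if idx == -1:
        return 0
    depth = 1  # we are inside the group that "{\fonttbl" opened
    count = 0
    for m in _TOKEN.finditer(rtf, idx + len(b"\\fonttbl")):
        tok = m.group(0)
        if tok == b"{":
            depth += 1
        elif tok == b"}":
            depth -= 1
            if depth == 0:  # end of the font table group
                break
        elif m.group(1) is not None:  # matched \fN
            count += 1
        # escaped characters fall through and are ignored
    return count


def exceeds_patched_limit(rtf: bytes) -> bool:
    """True if the document carries more font records than patched Word tolerates."""
    return count_fonttbl_records(rtf) > MAX_FONT_RECORDS


def build_rtf(n_fonts: int) -> bytes:
    """Constructed sample (not a real exploit file): a minimal RTF document
    with an n-entry font table and one font reference in the body."""
    fonts = b"".join(b"{\\f%d\\fnil Font%d;}" % (i, i) for i in range(n_fonts))
    return b"{\\rtf1\\ansi{\\fonttbl" + fonts + b"}\\f0 hello}"


if __name__ == "__main__":
    for n in (3, MAX_FONT_RECORDS, MAX_FONT_RECORDS + 1):
        doc = build_rtf(n)
        print(f"{n:6d} font records -> flagged: {exceeds_patched_limit(doc)}")
```

The scanner is deliberately a structural check rather than a signature: it counts what Word's parser counts, so a PoC re-encoded with different font names, charsets or whitespace is still caught, while a large legitimate document with a handful of fonts is not.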
While still-supported Microsoft Office versions have already received an official vendor fix for this vulnerability, Office 2010 - which we have security-adopted - is also vulnerable. To protect our Office 2010 users, we have created our own micropatches for this vulnerability. They are already available through the 0patch service.
Our micropatches are logically equivalent to Microsoft's fix. The source of the 64-bit micropatch follows:
MODULE_PATH "..\Affected_Modules\wwlib.dll_14.0.7268.5000_Office-2010_64bit\wwlib.dll"
PATCH_ID 1315
PATCH_FORMAT_VER 2
VULN_ID 7683
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x2f3cd6
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
PIT kernel32.dll!TerminateProcess,kernel32.dll!GetCurrentProcess
code_start
lea r9, [rsi+0Ah] ; add 0Ah to the current font table index
lea eax, [r9+8000h] ; add 8000h
cmp eax, 0FFFFh ; check if sign extension would happen
jbe CONTINUE ; if not, continue normal execution
call PIT_GetCurrentProcess ; retrieve a pseudo handle for the current process
                           ; (currently -1); for compatibility with future
                           ; operating systems it is best to call
                           ; GetCurrentProcess instead of hard-coding the value
call PIT_ExploitBlocked ; Exploit Blocked popup
mov rcx, rax ; handle (-1)
mov rdx, 0xbadbaffa ; exit code
call PIT_TerminateProcess ; terminates the specified process and all of its threads
CONTINUE:
code_end
patchlet_end
Micropatch Availability
The micropatch was written for the following security-adopted versions of Office with all available updates installed:
- Microsoft Office 2010
Vulnerabilities like this one get discovered on a regular basis, and attackers know about them. If you're using Office 2010, or Office 2013, which goes out of support in April this year, 0patch will make sure such vulnerabilities won't be exploited on your computers - and you won't even have to know or care about updating.
If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.
We'd like to thank Joshua J. Drake (Twitter, Mastodon) for sharing his POC, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.