Skip to content

Search the site

This critical Microsoft Word RCE exploit requires just a few lines of code: We need more CHERI

POC lands for CVSS 9.8 Word bug CVE-2023-21716

A proof-of-concept for CVE-2023-21716 allows attackers to exploit a critical (CVSS 9.8) vulnerability in Microsoft Word with just three lines of code to potentially gain remote code execution, with victim privileges.

The heap corruption vulnerability was patched by Microsoft as part of its February 2023 Patch Tuesday cycle, but vulnerability finder Joshua Drake said he had actually identified it over 14 years earlier.

The vulnerability affects a whole swathe of products including Microsoft SharePoint Server Subscription Edition, Microsoft Office 2019 and many more. Worryingly for defenders, no user interaction and no privileges are required and even Microsoft’s supposedly secure “preview pane” is a threat vector.

Attackers just need to persuade a target to open or preview a given Word document.

The CVE-2023-21716 POC is not a full-blown exploit demonstration so adoption by threat actors may not be quite as blisteringly fast to adopt it as if it were – and other techniques for phishing-powered intrusions are widely available, but full-blown RCE that requires no interaction via widely used Word will be attractive.

As Bleeping Computer's Ionut Ilascu notes: "Initially, the PoC had a little over a dozen lines... since the report sent to Microsoft in November 2022, the researcher... managed to fit everything in a tweet."

CVE-2023-21716 Python PoC (take 2) open("t3zt.rtf","wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rtlch no crash??}\n}}\n").encode('utf-8'))

(Microsoft’s proposed mitigations via the registry editor for those unable to patch are potentially disruptive if mishandled by admins. Per Microsoft's guidance: “Use Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources. Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly.”)

Word vulnerability CVE-2023-21716: Heap corruption, again.

The vulnerability is another reminder of how rife memory safety vulnerabilities remain.

Organisations have increasingly been tackling memory safety bugs by switching to memory-safe languages like Rust (even AWS is rebuilding its backend for S3 storage on Rust) but approaches to tackling such issues via hardware are also increasingly emerging, for example CHERI, which is short for Capability Hardware Enhanced RISC Instruction; a hardware-software co-design joint project between Cambridge University and SRI International (formerly the Stanford Research Institute), supported by Pentagon agency DARPA.

CHERI requires every load or store instruction and every instruction fetch to be authorised by an architectural capability. (As The Stack reported UK companies were invited to learn more and participate in early CHERI experimentation via access to the Arm Morello system-on-a-chip in August 2022 – Morello is a prototype architecture that adapts the hardware concepts of CHERI into the Arm architecture.)

CHERI has brought in some of the tech world's biggest companies to collaborate. Morello was a huge leap forwards for the project. As Arm noted late last year: “Until the start of the pandemic in March 2020, we had Arm engineers working side-by-side with us at the William Gates Building at the University of Cambridge, as well as industrial collaborators from companies such as Google and Microsoft working together to address a long series of hardware, software, and formal methodology challenges in adopting and using the technology...

“During our collaboration, we developed new architectural approaches (e.g., compressed capabilities and CHERI temporal safety), microarchitectural techniques (e.g., tag controllers and caches), new operating system approaches (e.g., memory-safe UNIX process environment), new language and compiler techniques (e.g., memory-safe C compilation and linkage), and formal approaches (including proofs about ISA-based malicious code containment). Each one of these concepts has been utilised in creating the prototype architecture used in Morello, its hardware, and its software stack. You can learn more about these and other aspects of CHERI by reading our Introduction to CHERI technical report" --  The Stack encourages readers to do so.

Meanwhile do the right thing and patch up promptly if you reasonably.

Follow The Stack on LinkedIn