
CVE-2023-21716 PoC — Microsoft Word Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft Word Remote Code Execution Vulnerability (CVE-2023-21716)
Description: Microsoft Word Remote Code Execution Vulnerability

Description
Proof of Concept for CVE-2023-21716 Microsoft Word Heap Corruption

Readme
# Content Table
1. [RTF-creator - Download python script to create the .rtf file](RTF-creator.py)
2. [malicious.rtf - Example of a generated file](malicious.rtf)
3. [POC - Steps and debugging with WinDbg](POC.md)

# Background
In February 2023, Microsoft patched a critical vulnerability in Microsoft Word, identified as CVE-2023-21716 with a CVSS score of 9.8, which could allow attackers to execute code remotely without authentication.
This vulnerability also affected the Outlook Preview Pane, meaning it can be triggered merely by previewing the file. While Microsoft released a patch and a workaround, they did not disclose details about the issue.
On March 6, the researcher who discovered the bug (Joshua J. Drake - @jduck) shared a proof of concept (PoC) on Twitter.

# How It Happens
CVE-2023-21716 stems from how Microsoft Word handles **Rich Text Format (RTF)** files, particularly the **\fonttbl** control word,
which defines the fonts used in the document with the **\f<num>** control word. When **wwlib.dll** parses the **\fonttbl** group, it allocates a fixed amount of space for it on the heap (heap allocations are the usual choice for dynamic data such as a font table, whose size depends on the input). When the number of font entries exceeds the limit (shown by the PoC to be 32760), the parser writes past the end of that allocation, a heap buffer overflow. In the PoC this overrun reaches the Return Instruction Pointer (RIP) and overwrites it, which causes the application to crash.
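As an added defensive example (not code from the PoC repository), the following Python checker counts the `\f<num>` entries inside an RTF file's `\fonttbl` group, honouring nested groups and escaped braces, and flags files whose count exceeds the limit stated above. The sample RTF it carries is constructed for illustration; the function and constant names are mine.

```python
import re

# Limit stated on the page: the PoC crashes Word once the \fonttbl group
# holds more than 32760 font entries.
FONT_COUNT_LIMIT = 32760

# A font entry starts with \f<num>; \fonttbl, \fnil, \fcharset0 do not
# match because '\f' is not followed directly by a digit there.
FONT_ENTRY_RE = re.compile(rb"\\f(\d+)")

def extract_group(data: bytes, start: int) -> bytes:
    """Return the RTF group whose opening '{' is at `start`, honouring
    nested groups and escaped braces (\\{ and \\})."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":            # control word or escaped char: skip next byte
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]           # unterminated group: take the remainder

def count_fonttbl_entries(rtf: bytes) -> int:
    """Number of \\f<num> entries inside the \\fonttbl group (0 if absent)."""
    idx = rtf.find(b"{\\fonttbl")
    if idx < 0:
        return 0
    return len(FONT_ENTRY_RE.findall(extract_group(rtf, idx)))

def is_suspicious(rtf: bytes, limit: int = FONT_COUNT_LIMIT) -> bool:
    """True when the font table is larger than any legitimate document needs."""
    return count_fonttbl_entries(rtf) > limit

# Constructed benign sample: three fonts, a nested \panose group, escaped
# braces and a \f1 in the body that must not be counted.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi"
    b"{\\fonttbl{\\f0\\fnil\\fcharset0{\\*\\panose 020b0604}Arial;}"
    b"{\\f1\\fswiss Helvetica;}{\\f2\\fmodern Courier;}}"
    b"{\\colortbl;\\red0\\green0\\blue0;}"
    b"\\f1 Text with \\{braces\\}.\\par}"
)
```

Feed `is_suspicious` the raw bytes of a file to triage it; the `limit` parameter lets a mail gateway or scanner alert well below the crash threshold, since real documents rarely declare more than a few dozen fonts.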
 
# Affected Versions
- Microsoft Office 2019
- Microsoft Office Online Server
- Microsoft Office LTSC 2021
- Microsoft Office LTSC for Mac 2021
- Microsoft Word 2013 Service Pack 1
- Microsoft Word 2013 RT Service Pack 1
- Microsoft Word 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Enterprise Server 2013 Service Pack 1
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Server Subscription Edition Language Pack
- Microsoft SharePoint Server Subscription Edition
- Microsoft Office Web Apps Server 2013 Service Pack 1
- Microsoft 365 Apps for Enterprise

# Remediation
Users are strongly encouraged to install the latest security patches from Microsoft, which resolve this issue.
For those unable to upgrade, Microsoft has also provided several workarounds, which can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716.
File Snapshot

```
[4.0K] /data/pocs/a860d76e4958cf78d7b40a5261944551336dac63
├── [373K] malicious.rtf
├── [5.8K] POC.md
├── [2.4K] README.md
└── [ 512] RTF-creator.py

0 directories, 4 files
```