Microsoft Word 2013/2016 – sprmSdyaTop Denial of Service (MS16-099)

• Exploit Database
• 14 阅读

• 作者： COSIG
  日期： 2016-08-16
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/40238/

• #####################################################################################
  
  # Application: Microsoft Office Word
  # Platforms: Windows, OSX
  # Versions: Microsoft Office Word 2013,2016
  # Author: Francis Provencher of COSIG
  # Website: https://cosig.gouv.qc.ca/en/advisory/
  # Twitter: @COSIG_
  # Date: August 09, 2016
  # CVE: CVE-2016-3316
  # COSIG-2016-32
  
  #####################################################################################
  
  1) Introduction
  2) Report Timeline
  3) Technical details
  4) POC
  
  #######################################################################################
  
  ===================
  1) Introduction
  ===================
  
  Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983[3]
  under the name Multi-Tool Word for Xenix systems.[4][5][6] Subsequent versions were later written for several
  other platforms including IBM PCs running DOS (1983), Apple Macintosh running Mac OS (1985), AT&T Unix PC (1985),
  Atari ST (1988), OS/2 (1989), Microsoft Windows (1989) and SCO Unix (1994). Commercial versions of Word are licensed
  as a standalone product or as a component of Microsoft Office, Windows RT or the discontinued Microsoft Works suite.
  Microsoft Word Viewer and Office Online are Freeware editions of Word with limited features.
  
  (https://en.wikipedia.org/wiki/Microsoft_Word)
  
  #######################################################################################
  
  ===================
  2) Report Timeline
  ===================
  
  2016-05-15: Francis Provencher of COSIG report the vulnerability to MSRC.
  2016-06-07: MSRC confirm the vulnerability
  2016-08-09: Microsoft fixed the issue (MS16-099).
  2016-08-09: Advisory released.
  
  #######################################################################################
  
  ===================
  3) Technical details
  ===================
  
  The specific flaw exists within the parsing of invalid operand in “sprmSdyaTop” into a SEPX structure.
  An attacker can use this flaw to read outside the allocated buffer, which could allow for the execution of arbitrary code in the context of the current process.
  #######################################################################################
  
  ==========
  4) POC
  ==========
  
  https://cosig.gouv.qc.ca/wp-content/uploads/2016/08/COSIG-2016-32.doc
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40238.zip
  
  #######################################################################################