
Microsoft Word 2007/2010/2013/2016 - Out-of-Bounds Read Code Execution (MS16-099)

10 Aug 2016 00:00:00 | Reported by COSIG | Type: exploitdb | Source: www.exploit-db.com

#####################################################################################

# Application: Microsoft Office Word
# Platforms: Windows, OSX
# Versions: Microsoft Office Word 2007,2010,2013,2016
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @SebMorin1, @COSIG_
# Date: August 09, 2016
# CVE: CVE-2016-3313
# COSIG-2016-31

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#######################################################################################

===================
1) Introduction
===================

Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983 under the name Multi-Tool Word for Xenix systems. Subsequent versions were later written for several other platforms including IBM PCs running DOS (1983), Apple Macintosh running Mac OS (1985), AT&T Unix PC (1985), Atari ST (1988), OS/2 (1989), Microsoft Windows (1989) and SCO Unix (1994). Commercial versions of Word are licensed as a standalone product or as a component of Microsoft Office, Windows RT or the discontinued Microsoft Works suite. Microsoft Word Viewer and Office Online are freeware editions of Word with limited features.

(https://en.wikipedia.org/wiki/Microsoft_Word)

#######################################################################################

===================
2) Report Timeline
===================

2016-05-15: Sébastien Morin of COSIG reported the vulnerability to MSRC.
2016-06-07: MSRC confirmed the vulnerability.
2016-08-09: Microsoft fixed the issue (MS16-099).
2016-08-09: Advisory released.

#######################################################################################

===================
3) Technical details
===================

This vulnerability allows remote code execution if a user opens a specially crafted Microsoft Office Word (.doc) file with an invalid WordDocumentStream.
An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

#######################################################################################

==========
4) POC
==========

https://smsecurity.net/wp-content/uploads/2016/08/COSIG-2016-31.doc
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40224.zip

#######################################################################################

Vulners AI Score: 7.8 (High risk)
CVSS 3: 7.8
CVSS 2: 9.3
EPSS: 0.50266