Lucene search
COSIG1337DAY-ID-25632HistoryAug 10, 2016 - 12:00 a.m.
Microsoft Word 2007/2010/2013/2016 - Out-of-Bounds Read Remote Code Execution (MS16-099)
2016-08-1000:00:00
COSIG
0day.today
38
EPSS
0.608
Percentile
97.9%
Exploit for windows platform in category local exploits
#####################################################################################
# Application: Microsoft Office Word
# Platforms: Windows, OSX
# Versions: Microsoft Office Word 2007,2010,2013,2016
# Author: SΓ©bastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @SebMorin1, @COSIG_
# Date: August 09, 2016
# CVE: CVE-2016-3313
# COSIG-2016-31
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#######################################################################################
===================
1) Introduction
===================
Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983[3] under the name Multi-Tool Word for Xenix systems.[4][5][6] Subsequent versions were later written for several other platforms including IBM PCs running DOS (1983), Apple Macintosh running Mac OS (1985), AT&T Unix PC (1985), Atari ST (1988), OS/2 (1989), Microsoft Windows (1989) and SCO Unix (1994). Commercial versions of Word are licensed as a standalone product or as a component of Microsoft Office, Windows RT or the discontinued Microsoft Works suite. Microsoft Word Viewer and Office Online are Freeware editions of Word with limited features.
(https://en.wikipedia.org/wiki/Microsoft_Word)
#######################################################################################
===================
2) Report Timeline
===================
2016-05-15: SΓ©bastien Morin of COSIG report the vulnerability to MSRC.
2016-06-07: MSRC confirm the vulnerability
2016-08-09: Microsoft fixed the issue (MS16-099).
2016-08-09: Advisory released.
#######################################################################################
===================
3) Technical details
===================
This vulnerability allow remote code execution if a user opens a specially crafted Microsoft Office Word (.doc) with an invalid WordDocumentStream.
An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.
#######################################################################################
==========
4) POC
==========
https://smsecurity.net/wp-content/uploads/2016/08/COSIG-2016-31.doc
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40224.zip
#######################################################################################
# 0day.today [2018-04-04] #Related
symantec
symantec
Microsoft Office CVE-2016-3313 Memory Corruption Vulnerability
2016-08-09 00:00:00
mskb
mskb
MS16-099: Description of the security update for Office 2010: August 9, 2016
2016-08-09 07:00:00
MS16-099: Description of the security update for Office 2013: August 9, 2016
2016-08-09 07:00:00
MS16-099: Description of the security update for Office 2016: August 9, 2016
2016-08-09 07:00:00
nvd
nvd
CVE-2016-3313
2016-08-09 21:59:20
cvelist
cvelist
CVE-2016-3313
2016-08-09 21:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Office Memory Corruption (MS16-099: CVE-2016-3313)
2016-08-09 00:00:00
cve
cve
CVE-2016-3313
2016-08-09 21:59:20
mscve
mscve
Microsoft Office Memory Corruption Vulnerability
2016-08-09 07:00:00
exploitpack
exploitpack
exploitdb
exploitdb
prion
prion
Memory corruption
2016-08-09 21:59:00
openvas
openvas
Microsoft Office Word Viewer Multiple RCE Vulnerabilities (3177451)
2016-08-10 00:00:00
Microsoft Office Suite Remote Code Execution Vulnerabilities (3177451)
2016-08-10 00:00:00
Microsoft Office Multiple Vulnerabilities (3177451) - Mac OS X
2016-08-23 00:00:00
nessus
nessus
MS16-099: Security Update for Microsoft Office (3177451)
2016-08-10 00:00:00
kaspersky
kaspersky
KLA10857 Multiple vulnerabilities in Microsoft Office
2016-08-09 00:00:00