Lucene search

K
zdtCOSIG1337DAY-ID-26113
HistoryAug 16, 2016 - 12:00 a.m.

Microsoft Word 2013/2016 - sprmSdyaTop Denial of Service (MS16-099)

2016-08-1600:00:00
COSIG
0day.today
19

0.608 Medium

EPSS

Percentile

97.5%

Exploit for windows platform in category dos / poc

#####################################################################################
 
# Application: Microsoft Office Word
# Platforms: Windows, OSX
# Versions: Microsoft Office Word 2013,2016
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: August 09, 2016
# CVE: CVE-2016-3316
# COSIG-2016-32
 
#####################################################################################
 
1) Introduction
2) Report Timeline
3) Technical details
4) POC
 
#######################################################################################
 
===================
1) Introduction
===================
 
Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983[3]
under the name Multi-Tool Word for Xenix systems.[4][5][6] Subsequent versions were later written for several
other platforms including IBM PCs running DOS (1983), Apple Macintosh running Mac OS (1985), AT&T Unix PC (1985),
Atari ST (1988), OS/2 (1989), Microsoft Windows (1989) and SCO Unix (1994). Commercial versions of Word are licensed
as a standalone product or as a component of Microsoft Office, Windows RT or the discontinued Microsoft Works suite.
Microsoft Word Viewer and Office Online are Freeware editions of Word with limited features.
 
(https://en.wikipedia.org/wiki/Microsoft_Word)
 
#######################################################################################
 
===================
2) Report Timeline
===================
 
2016-05-15: Francis Provencher of COSIG report the vulnerability to MSRC.
2016-06-07: MSRC confirm the vulnerability
2016-08-09: Microsoft fixed the issue (MS16-099).
2016-08-09: Advisory released.
 
#######################################################################################
 
===================
3) Technical details
===================
 
The specific flaw exists within the parsing of invalid operand in β€œsprmSdyaTop” into a SEPX structure.
An attacker can use this flaw to read outside the allocated buffer, which could allow for the execution of arbitrary code in the context of the current process.
#######################################################################################
 
==========
4) POC
==========
 
https://cosig.gouv.qc.ca/wp-content/uploads/2016/08/COSIG-2016-32.doc
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40238.zip
 
#######################################################################################

#  0day.today [2017-12-31]  #