Microsoft Word 2016 Memory Corruption Vulnerability Analysis (CVE-2016-3316)

Aug 19 2016

Microsoft Word is prone to a memory corruption vulnerability, CVE-2016-3316 (MS16-099). This vulnerability affects Microsoft Word 2016 for Windows and Mac, Microsoft Word 2013 SP1 and Microsoft Word 2013 RT SP1. An attacker could exploit it remotely by persuading a user to open a specially crafted .doc file. A successful attack could result in arbitrary code execution with the privileges of the current user.

A PoC for this vulnerability is already public: https://www.exploit-db.com/exploits/40238/

This vulnerability is caused by the application’s improper handling of the sprmSDyaTop property, which sets the height of a section’s top margin. When the property is set to a value larger than the height of the page, Word reads memory outside the allocated buffer, leading to memory corruption.

Details: The part of the file that triggers the vulnerability is a “Prl” structure, which encodes a single modification of a document property: a 2-byte Sprm (the operation code) followed by its operand. The following figure describes the format of the Prl data structure.

Inside the exploit file, this Prl starts with the Sprm 0x9023 (sprmSDyaTop, stored little-endian as the bytes 23 90), followed by a 2-byte signed integer that specifies the top margin in twips. If the value is larger than 0x3DE0 (15,840 twips, i.e. 11 inches, the height of a US Letter page), the vulnerability is triggered. As shown in the following figure, the exploit file can be detected by searching for this Prl pattern and checking whether the sprmSDyaTop value is within the safe range.
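The following Python script is an added example written for this article; it is not SonicWall’s signature and is not taken from the exploit file. It decodes the Sprm bit fields as laid out in MS-DOC, walks a grpprl (the list of Prl structures inside a Sepx) by deriving each operand size from the spra field, and flags any sprmSDyaTop whose operand exceeds 0x3DE0. A second routine performs the simpler raw byte-pattern scan the text describes. The sample grpprls are constructed for illustration, and the one-byte length assumed for variable-size (spra 6) operands is a simplification that ignores sprmTDefTable’s two-byte length.

```python
import struct

SPRM_S_DYA_TOP = 0x9023    # sprmSDyaTop: section top margin in twips (signed 16-bit)
MAX_SAFE_DYA_TOP = 0x3DE0  # 15840 twips = 11 inches, US Letter page height

# Operand size implied by the 3-bit spra field (MS-DOC 2.6.1); 6 means variable size.
_SPRA_SIZE = {0: 1, 1: 1, 2: 2, 3: 4, 4: 2, 5: 2, 7: 3}


def decode_sprm(sprm):
    """Split a 16-bit Sprm into its bit fields (ispmd, fSpec, sgc, spra)."""
    return {
        "ispmd": sprm & 0x1FF,      # operation index
        "fSpec": (sprm >> 9) & 1,   # 1 if the sprm needs special handling
        "sgc": (sprm >> 10) & 7,    # 1 paragraph, 2 character, 3 picture, 4 section, 5 table
        "spra": (sprm >> 13) & 7,   # operand size class
    }


def iter_prls(grpprl):
    """Yield (offset, sprm, operand_bytes) for each Prl in a grpprl byte string.

    Assumption (simplification): variable-size operands (spra == 6) carry a
    one-byte length; sprmTDefTable's two-byte length is not handled here.
    """
    off = 0
    while off + 2 <= len(grpprl):
        sprm = struct.unpack_from("<H", grpprl, off)[0]
        spra = (sprm >> 13) & 7
        if spra == 6:
            cb = grpprl[off + 2]
            start = off + 3
        else:
            cb = _SPRA_SIZE[spra]
            start = off + 2
        operand = grpprl[start:start + cb]
        if len(operand) != cb:
            raise ValueError("truncated Prl at offset %d" % off)
        yield off, sprm, operand
        off = start + cb


def check_grpprl(grpprl):
    """Return [(offset, dyaTop)] for every sprmSDyaTop larger than the page height."""
    hits = []
    for off, sprm, operand in iter_prls(grpprl):
        if sprm == SPRM_S_DYA_TOP:
            dya_top = struct.unpack("<h", operand)[0]
            if dya_top > MAX_SAFE_DYA_TOP:
                hits.append((off, dya_top))
    return hits


def scan_raw(data):
    """Pattern-only fallback: find the raw 'sprmSDyaTop + operand' bytes anywhere.

    It does not parse the FIB or section table, so an unrelated byte pair
    0x23 0x90 followed by a large value can produce a false positive.
    """
    hits = []
    needle = struct.pack("<H", SPRM_S_DYA_TOP)
    pos = data.find(needle)
    while pos != -1 and pos + 4 <= len(data):
        dya_top = struct.unpack_from("<h", data, pos + 2)[0]
        if dya_top > MAX_SAFE_DYA_TOP:
            hits.append((pos, dya_top))
        pos = data.find(needle, pos + 1)
    return hits


# Constructed sample Sepx grpprls (not from the exploit file):
#   sprmSBkc    0x3009  operand 0x02    (section break: new page)
#   sprmSYaPage 0xB020  operand 0x3DE0  (page height 11 inches)
#   sprmSDyaTop 0x9023  operand 0x05A0  (top margin 1 inch, safe)
BENIGN_GRPPRL = bytes.fromhex("0930" "02" "20B0" "E03D" "2390" "A005")
# Same section, but the top margin is 0x3DE1 twips, one twip taller than the page.
MALFORMED_GRPPRL = bytes.fromhex("0930" "02" "20B0" "E03D" "2390" "E13D")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_GRPPRL), ("malformed", MALFORMED_GRPPRL)):
        print(name, "parsed:", check_grpprl(blob), "raw scan:", scan_raw(blob))
```

Walking the grpprl is the more reliable check, because the parser only inspects an operand that really belongs to a sprmSDyaTop; the raw scan is what a simple byte-pattern signature does and should be treated as a hint rather than a verdict.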

The vulnerability is a typical heap memory corruption that begins with an attacker-influenced out-of-bounds read.

The Dell SonicWALL Threat Research Team has analyzed this vulnerability and released the following signature to protect customers:

  • SPY:1083 “Malformed-file doc.MP.42”

Reference:

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3316
  • https://technet.microsoft.com/library/security/MS16-099
  • https://www.exploit-db.com/exploits/40238/
  • https://msdn.microsoft.com/en-us/library/dd923541(v=office.12).aspx
  • https://msdn.microsoft.com/en-us/library/dd920359(v=office.12).aspx