Skip to content
cyberexploits
dosmultipletext

Microsoft Word 2013/2016 - sprmSdyaTop Denial of Service (MS16-099)

Microsoft Word 2013/2016 - sprmSdyaTop Denial of Service (MS16-099)

Published on 2016-08-16

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/multiple/dos/40238.txt7eac4c3a
raw
#####################################################################################



# Application: Microsoft Office Word

# Platforms: Windows, OSX

# Versions: Microsoft Office Word 2013,2016

# Author: Francis Provencher of COSIG

# Website: https://cosig.gouv.qc.ca/en/advisory/

# Twitter: @COSIG_

# Date: August 09, 2016

# CVE: CVE-2016-3316

# COSIG-2016-32



#####################################################################################



1) Introduction

2) Report Timeline

3) Technical details

4) POC



#######################################################################################



===================

1) Introduction

===================



Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983[3]

under the name Multi-Tool Word for Xenix systems.[4][5][6] Subsequent versions were later written for several

other platforms including IBM PCs running DOS (1983), Apple Macintosh running Mac OS (1985), AT&T Unix PC (1985),

Atari ST (1988), OS/2 (1989), Microsoft Windows (1989) and SCO Unix (1994). Commercial versions of Word are licensed

as a standalone product or as a component of Microsoft Office, Windows RT or the discontinued Microsoft Works suite.

Microsoft Word Viewer and Office Online are Freeware editions of Word with limited features.



(https://en.wikipedia.org/wiki/Microsoft_Word)



#######################################################################################



===================

2) Report Timeline

===================



2016-05-15: Francis Provencher of COSIG report the vulnerability to MSRC.

2016-06-07: MSRC confirm the vulnerability

2016-08-09: Microsoft fixed the issue (MS16-099).

2016-08-09: Advisory released.



#######################################################################################



===================

3) Technical details

===================



The specific flaw exists within the parsing of invalid operand in “sprmSdyaTop” into a SEPX structure.

An attacker can use this flaw to read outside the allocated buffer, which could allow for the execution of arbitrary code in the context of the current process.

#######################################################################################



==========

4) POC

==========



https://cosig.gouv.qc.ca/wp-content/uploads/2016/08/COSIG-2016-32.doc

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40238.zip



#######################################################################################
View on GitHub