Microsoft Word 2016 Memory Corruption Vulnerability Analysis

August 19, 2016

Aug 19 2016

Microsoft Word is prone to a memory corruption vulnerability CVE-2016-3316 (MS16-099). This vulnerability affects Microsoft Word 2016 for Windows and Mac, Microsoft Word 2013 SP1 and Microsoft Word 2013 RT SP1. An attacker could exploit this vulnerability remotely by a certain crafted doc file. A successful attack could cause arbitrary code execution with the privilege of the current running process.

The PoC of this vulnerability is already in the wild:

This vulnerability is caused by the application's inappropriate handling of the sprmSDyaTop property - which indicates the height of the top margin of a document. When the property is set to a value larger than the height of the page, the process will read memory outside the allocated buffer, causing a memory corruption vulnerability.

Details: The file section caused the vulnerability is a "Prl" structure, which defines a modification for the document property. The following figure describes the format of the Prl data structure.

Inside the exploit file, this section starts with 0x9023, followed by the 2-bytes signed integer that specifies the page height. If the value is larger than 0x3DE0, the vulnerability will be triggered. As is shown in the following figure, the exploit file could be detected by searching for the Prl pattern and checking if the sprmSDyaTop value is safe.

The vulnerability is a typical heap memory corruption that starts with a arbitrary address read.

Dell SonicWALL Threat Research Team has researched this vulnerability and released following signature to protect their customers

  • SPY:1083 "Malformed-file doc.MP.42"