# Summary
OS: window 10/11
TARGET: msoffice winword.exe
TYPE: Microsoft Word Remote Code Execution Vulnerability
# Description
- This vulnerability was discovered during the process of parsing the .docx file structure in the WINWORD.EXE program.
- By exploiting this vulnerability, attacker can control the IP register by referencing an arbitrary heap chunk.
# Analysis
- A function allocates and frees a small heap chunk.
- B function allocates a small heap chunk .
- The heap memory used by A function is then reused by B function.
- At this time, the previously used allocated memory is not initialized.
- As a result, an arbitrary address can be called inside A function.
# Exploitablility
- I consider that this vulnerability could be utilized as part of an attack scenario.
- For research purposes, I disabled the DEP protection to demonstrate the feasibility of using an exploit chain gadget and prove its malicious potential.
- Additionally, an extra scenario is needed for a complete ASLR bypass.
- (In this video, ASLR mitigation was circumvented probabilistically)
- Below is the PoC demo recorded on 2024-04-21(@Jmini)
# Reference
'CVE Diary' 카테고리의 다른 글
| CVE-2025-21298 (0) | 2025.03.04 |
|---|---|
| CVE-2023-30738 (0) | 2025.03.04 |
| CVE-2023-27471 (0) | 2025.03.04 |
