Keep an eye on CVE-2023-21716 aka MS Word vulnerability from February 2023 in RTF files.

There's a public proof of concept: https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md

Where it gets more interesting - you can embed RTF files in email, and Microsoft Outlook renders them with no clicks, just by reading the email. There's a decent chance this could become a problematic combination... although not yet, as the PoC is vague enough to require a clue to exploit. HT @fellows

#CVE202321716

Good luck anybody enabling this mitigation in a corporate environment, lmao.

I've been keeping an eye on #CVE202321716 (the MS Word RTF vuln) via #GossiMonitoring

The headline is, people are starting to experiment with it.

Interestingly, the way to embed RTF into email so it directly renders in Outlook appears to be undocumented online.

Either my Google-fu is bad or nobody has actually documented it - you can still do it and Exchange Server still passes it inbound; they only filtered outbound.

I’m not documenting it btw.

Haven't seen any working exploitation of #CVE202321716 at all - all just people reusing the crash PoC, nobody made it to RCE.

Four months later on CVE-2023-21716 - I still haven't seen a single in the wild document that reaches RCE for this, nor an RCE exploit.

#CVE202321716

@GossiTheDog Wow that’s pretty informative, thanks!
@GossiTheDog the perfect example of why CVSS should not be relied on for quantifying risk
@GossiTheDog I used to do this when I used emacs as my email client and controlled my MTA as well
@GossiTheDog If you had to guess, how long before this becomes a problem for anyone who didn’t apply February’s Office updates?
@GossiTheDog Office CVEs are the only ones I know by heart. They tend to have a very long tail.
@GossiTheDog i dunno, that mitigation sounds great to most of the rest of us
@GossiTheDog I hate HTML eMails and don't use #Outlook even if it were to run on #Linux (#OWA doesn't count!) so I count this as an absolute win.
@kkarhan @GossiTheDog your preferences and feelings really don't matter to businesses and their daily operations.

@NosirrahSec @GossiTheDog That goes bidirectional tho.

I refuse to work with shitty Govware (Windows, Office) or handle bad formats only useful for spreading Malware (OOXML) and instead enforce open standards (PDF, OpenDocument) instead...

@NosirrahSec @GossiTheDog someone needs to be that annoying guy, even if that means people will hate me for that.

In the end, my hunches turn out to be true...

@kkarhan @GossiTheDog Yeah, #plaintext and #RFC1896 only have a place in #email.

@lispi314 @GossiTheDog I just hate the #bloat that is #HTML #eMail.

If someone wants to show me something fancy, they could just attach a #PDF like a normal person...

@GossiTheDog Looks like a great way to get folks back to their email roots! 😂

@GossiTheDog

Hahahaha

My clients: "TF U DO?!?!"

@NosirrahSec @GossiTheDog I quite literally laughed out loud at this, thanks for that!

@GossiTheDog I'm getting flashbacks... and not the good kind...
KAK
MYDOOM

/me shakes magic 8-ball
Outlook Not So Good

@GossiTheDog well played Microsoft! 😀
@GossiTheDog @fellows
Ohh, wormify it and we can party like it's 1999... Well, 2000. You know what I mean.
@GossiTheDog @fellows My company is more worried about me viewing my emails via web browser than via "company protected" laptop with Outlook on it. I guess they know better.
@GossiTheDog Now that *is* interesting. I had no idea that Outlook renders RTF files without any real engagement. Huh. Seems a bit... weird to do that. Thanks for sharing the info^^
@GossiTheDog @fellows LOL, for many years I have urged companies to use text-only mails without any MIME-type HTML content. WTF, it's 2023! RTF is still around? Shame on you Microsoft for this and such advice. Use properly applied SRP in your AD and you are quite safe as well, whatever Outlook does or does not do.
@GossiTheDog @fellows today is a good day to block incoming RTF files via your email and web security gateways (but you are all very smart and do this already, right?)
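The gateway-side check suggested in the reply above, as an added example that is not from the thread or from any vendor product: a Python routine that walks a message's MIME parts and flags anything that is RTF by declared type, by filename, or by its leading bytes (catching a mislabelled part), plus TNEF containers, which Outlook uses to carry RTF bodies. The content-type lists, the sample message and the addresses are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Content types under which RTF, or a TNEF container carrying an RTF body, is declared (assumed list).
RTF_CONTENT_TYPES = {"application/rtf", "text/rtf", "text/richtext", "application/x-rtf"}
TNEF_CONTENT_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}
RTF_MAGIC = b"{\\rtf"  # every RTF document opens with this group header


def find_rtf_parts(raw_message: bytes) -> list[dict]:
    """Return one finding per non-multipart MIME part that looks like RTF (or TNEF),
    whatever the sender declared; the magic-byte check catches renamed/mislabelled parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type().lower()
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""  # decoded (e.g. base64) bytes
        reasons = []
        if ctype in RTF_CONTENT_TYPES:
            reasons.append(f"content-type {ctype}")
        if filename.endswith(".rtf"):
            reasons.append(f"filename {filename}")
        if payload.lstrip()[:len(RTF_MAGIC)].lower() == RTF_MAGIC:
            reasons.append("RTF magic bytes despite declared type")
        if ctype in TNEF_CONTENT_TYPES or filename == "winmail.dat":
            reasons.append("TNEF container (may carry an RTF body)")
        if reasons:
            findings.append({"content_type": ctype, "filename": filename, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed sample (not a real capture): plain-text body, one attachment that is RTF
    by content but declared as a generic binary with a .txt name, and one harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("Plain-text body, nothing to see here.")
    msg.add_attachment(b"{\\rtf1\\ansi Hello}", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_rtf_parts(build_sample_message()):
        print(finding)
```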
@GossiTheDog @fellows oh dear. If exploits start floating around it's going to be fun for some major German corporations. They are heavy users of S/MIME. Microsoft better patch this quick.
@martijn_vdijk @GossiTheDog this was patched in the Feb 2023 Microsoft Office Updates

@GossiTheDog @fellows lol, yet another #RCE that'd have been prevented by the most basic of #LanguageBasedSecurity.

Microsoft knows this too (https://en.wikipedia.org/wiki/Singularity_(operating_system)), why do they keep ignoring their own knowledge?

#Security
