Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability
Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.
Sublime rule
name: "Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability"
description: |
  Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.
references:
  - "https://delivr.to/payloads?id=0a465e03-82a7-42c1-9ded-b0b6b046c86d"
  - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716"
  - "https://twitter.com/jduck/status/1632471544935923712"
  - "https://github.com/gyaansastra/CVE-2023-21716"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ ("rtf", "doc", "docx")
            or .file_extension in~ $file_extensions_common_archives
            or .file_extension in~ $file_extensions_macros
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.explode(.),
                  any(.scan.strings.strings, strings.ilike(., '*\fonttbl*'))
                  and length(filter(.scan.strings.strings, strings.ilike(., '{\f*;}'))) > 10000
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
detection_methods:
  - "Content analysis"
  - "File analysis"
id: "23714cca-f0c6-5fa5-a68b-98c9d60a508d"
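The rule's core check is a content heuristic: the attachment contains a \fonttbl control word and more than 10,000 strings matching the glob `{\f*;}`, i.e. more than 10,000 font definitions. The following is an added, stand-alone Python example (not Sublime's code and not part of the rule above) that reproduces the same logic outside the Sublime platform, for instance in a mail-gateway or sandbox post-processing script. It assumes raw attachment bytes are available; the sample document embedded below is constructed for illustration, and the Sublime list variables `$file_extensions_common_archives` and `$file_extensions_macros` are approximated by a small hard-coded set because their contents are not given on the page.

```python
import re

# Threshold from the rule on this page: more than 10000 font entries is flagged.
FONT_ENTRY_THRESHOLD = 10000

# Extensions the rule gates on. The archive/macro sets are an assumption standing in
# for Sublime's $file_extensions_common_archives / $file_extensions_macros lists.
GATED_EXTENSIONS = {"rtf", "doc", "docx"} | {"zip", "7z", "rar"} | {"docm", "xlsm", "pptm"}

# One font definition: `{\f<digits> ... ;}` with no nested group, mirroring the
# rule's `{\f*;}` glob. The digit requirement keeps `{\fonttbl` itself from matching.
FONT_ENTRY_RE = re.compile(rb"\{\\f\d+[^{}]*;\}")
FONTTBL_RE = re.compile(rb"\\fonttbl")
RTF_MAGIC = b"{\\rtf"


def is_rtf(data: bytes) -> bool:
    """True if the bytes start with the RTF header, regardless of file name."""
    return data.lstrip().startswith(RTF_MAGIC)


def count_font_entries(data: bytes) -> int:
    """Count `{\f<n> ...;}` font definitions anywhere in the document."""
    return len(FONT_ENTRY_RE.findall(data))


def is_suspicious_rtf(data: bytes, threshold: int = FONT_ENTRY_THRESHOLD) -> bool:
    """Content check equivalent to the rule: \fonttbl present and more than
    `threshold` font entries defined."""
    if not is_rtf(data):
        return False
    if not FONTTBL_RE.search(data):
        return False
    return count_font_entries(data) > threshold


def evaluate_attachment(filename: str, data: bytes,
                        threshold: int = FONT_ENTRY_THRESHOLD) -> dict:
    """Full decision: extension gate (as in the rule) plus the content check.
    Returns the counted entries so an analyst can see how close a file came."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else None
    # The rule also accepts extension-less octet-stream blobs under 100 MB.
    gated = ext in GATED_EXTENSIONS or (ext is None and len(data) < 100_000_000)
    return {
        "filename": filename,
        "extension_gated": gated,
        "is_rtf": is_rtf(data),
        "font_entries": count_font_entries(data),
        "match": gated and is_suspicious_rtf(data, threshold),
    }


# Constructed benign sample: a minimal RTF with a three-font table.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0"
    b"{\\fonttbl{\\f0\\fswiss Arial;}{\\f1\\froman Times New Roman;}"
    b"{\\f2\\fmodern Courier New;}}"
    b"\\f0\\fs24 Hello, world.\\par}"
)

if __name__ == "__main__":
    # A benign document stays under the real threshold; lowering the threshold
    # shows the positive path without building an oversized font table.
    print(evaluate_attachment("notes.doc", SAMPLE_RTF))
    print(evaluate_attachment("notes.doc", SAMPLE_RTF, threshold=2))
```

Two points worth noting for anyone porting this: the check is done on content, not on extension, because the rule deliberately includes `.doc`/`.docx` names and extension-less `application/octet-stream` blobs, so `is_rtf` must inspect the bytes; and the 10,000 cutoff is a coarse heuristic, so logging `font_entries` alongside the verdict makes threshold tuning and false-positive review straightforward.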