Heap Memory Corruption in WPS Office

vendor:

WPS Office

by:

Francis Provencher of COSIG

8,8

CVSS

HIGH

Heap Memory Corruption

119

CWE

Product Name: WPS Office

Affected Version From: Version 2016

Affected Version To: Version 2016

Patch Exists: YES

Related CWE: N/A

CPE: a:kingsoft:wps_office

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2015

Heap Memory Corruption in WPS Office

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS. User interaction is required to exploit this vulnerability in that the target must open a malicious file. By providing a malformed .xls file, an attacker can cause an heap memory corruption. An attacker could leverage this to execute arbitrary code under the context of the WPS Spreadshet application.

Mitigation:

Users should avoid opening untrusted files and should update to the latest version of WPS Office.

Source

Exploit-DB raw data:

#####################################################################################

Application: WPS Office

Platforms: Windows

Versions: Version 2016

Author: Francis Provencher of COSIG

Twitter: @COSIG_

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office

suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.

WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.

The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.

(https://en.wikipedia.org/wiki/WPS_Office)

#####################################################################################

============================
2) Report Timeline
============================

2015-12-31: Francis Provencher from COSIG report the issue to WPS;
2016-01-04: WPS security confirm this issue;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability in that the target must open a malicious file.
By providing a malformed .xls file, an attacker can cause an heap memory corruption.
An attacker could leverage this to execute arbitrary code under the context of the WPS Spreadsheet process.

#####################################################################################

===========

4) POC

===========

http://protekresearchlab.com/exploits/COSIG-2016-07.xlsx
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39398.zip

###############################################################################