WPS Office Vulnerability

vendor:

WPS Office

by:

Francis Provencher of COSIG

8,8

CVSS

HIGH

Stack-based Buffer Overflow

119

CWE

Product Name: WPS Office

Affected Version From: Version 2016

Affected Version To: Version 2016

Patch Exists: Yes

Related CWE: N/A

CPE: a:kingsoft:wps_office

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2015

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS. User interaction is required to exploit this vulnerability in that the target must open a malicious file. The specific flaw exists within the handling of a crafted Presentation files with an invalid “Length” header in a drawingContainer. By providing a malformed .ppt file, an attacke can cause a stack-based buffer overflow, resulting in code execution under the context of the current process.

Mitigation:

Update to the latest version of WPS Office

Source

Exploit-DB raw data:

#####################################################################################

Application: WPS Office

Platforms: Windows

Versions: Version 2016

Author: Francis Provencher of COSIG

Twitter: @COSIG_

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office

suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.

WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.

The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.

(https://en.wikipedia.org/wiki/WPS_Office)

#####################################################################################

============================
2) Report Timeline
============================

2015-12-31: Francis Provencher from COSIG report the issue to WPS;
2016-01-04: WPS security confirm this issue;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability in that the target must open a malicious file.

The specific flaw exists within the handling of a crafted Presentation files with an invalid “Length” header in a drawingContainer.
By providing a malformed .ppt file, an attacker can cause an memory corruption by dereferencing an uninitialized pointer.

#####################################################################################

===========

4) POC

===========

http://protekresearchlab.com/exploits/COSIG-2016-06.ppt
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39397.zip

###############################################################################