WPS Office < 2016 - .ppt Heap Memory Corruption

2016.02.02
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

##################################################################################### Application: WPS Office Platforms: Windows Versions: Version before 2016 Author: Francis Provencher of COSIG Twitter: @COSIG_ ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) POC ##################################################################################### =============== 1) Introduction =============== WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft. WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet. The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends. (https://en.wikipedia.org/wiki/WPS_Office) ##################################################################################### ============================ 2) Report Timeline ============================ 2015-11-24: Francis Provencher from COSIG report the issue to WPS; 2015-12-06: WPS security confirm this issue; 2016-01-01: COSIG ask an update status; 2016-01-07: COSIG ask an update status; 2016-01-14: COSIG ask an update status; 2016-01-21: COSIG ask an update status; 2016-02-01: COSIG release this advisory; ##################################################################################### ============================ 3) Technical details ============================ The specific flaw exists within the handling of a crafted PPT files with an invalid value into “texttype” in the “clientTextBox” into a “DrawingContainer”. An heap memory corruption occured and could allow remote attackers to execute arbitrary code on vulnerable installations of WPS. User interaction is required to exploit this vulnerability, the target must open a malicious file. ##################################################################################### =========== 4) POC =========== http://protekresearchlab.com/exploits/COSIG-2016-04.ppt ###############################################################################

References:

http://protekresearchlab.com/exploits/COSIG-2016-04.ppt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top