WPS Office < 2016 - .doc OneTableDocumentStream Memory Corruption

2016.02.02
Credit: Francis Provencher
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

##################################################################################### Application: WPS Office Platforms: Windows Versions: Version before 2016 Author: Francis Provencher of COSIG Twitter: @COSIG_ ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) POC ##################################################################################### =============== 1) Introduction =============== WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft. WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet. The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends. (https://en.wikipedia.org/wiki/WPS_Office) ##################################################################################### ============================ 2) Report Timeline ============================ 2015-11-24: Francis Provencher from COSIG report the issue to WPS; 2015-12-06: WPS security confirm this issue; 2016-01-01: COSIG ask an update status; 2016-01-07: COSIG ask an update status; 2016-01-14: COSIG ask an update status; 2016-01-21: COSIG ask an update status; 2016-02-01: COSIG release this advisory; ##################################################################################### ============================ 3) Technical details ============================ This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS. User interaction is required to exploit this vulnerability, the target must open a malicious file. The specific flaw exists within the handling of a crafted DOC files with an invalid value into the “OneTableDocumentStream” data section causing a stackbase memory corruption. ############################################################################### =========== 4) POC =========== http://protekresearchlab.com/exploits/COSIG-2016-05.doc ###############################################################################

References:

http://protekresearchlab.com/exploits/COSIG-2016-05.doc


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top