WPS Office < 2016 .ppt drawingContainer Memory Corruption

2016.02.02
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

##################################################################################### Application: WPS Office Platforms: Windows Versions: Version 2016 Author: Francis Provencher of COSIG Twitter: @COSIG_ ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) POC ##################################################################################### =============== 1) Introduction =============== WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft. WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet. The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends. (https://en.wikipedia.org/wiki/WPS_Office) ##################################################################################### ============================ 2) Report Timeline ============================ 2015-12-31: Francis Provencher from COSIG report the issue to WPS; 2016-01-04: WPS security confirm this issue; 2016-01-14: COSIG ask an update status; 2016-01-21: COSIG ask an update status; 2016-02-01: COSIG release this advisory; ##################################################################################### ============================ 3) Technical details ============================ This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS. User interaction is required to exploit this vulnerability in that the target must open a malicious file. The specific flaw exists within the handling of a crafted Presentation files with an invalid “Length” header in a drawingContainer. By providing a malformed .ppt file, an attacker can cause an memory corruption by dereferencing an uninitialized pointer. ##################################################################################### =========== 4) POC =========== http://protekresearchlab.com/exploits/COSIG-2016-06.ppt ###############################################################################

References:

http://protekresearchlab.com/exploits/COSIG-2016-06.ppt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top