WPS Office < 2016 - .xls Heap Memory Corruption

2016.02.02
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

#####################################################################################

Application: WPS Office
Platforms: Windows
Versions: Version 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

WPS Office (an acronym for Writer, Presentation and Spreadsheets, previously known as Kingsoft Office) is an office suite for Microsoft Windows, Linux, iOS and Android OS, developed by Zhuhai-based Chinese software developer Kingsoft. WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet. The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.

(https://en.wikipedia.org/wiki/WPS_Office)

#####################################################################################

============================
2) Report Timeline
============================

2015-12-31: Francis Provencher from COSIG reports the issue to WPS;
2016-01-04: WPS security confirms this issue;
2016-01-14: COSIG asks for a status update;
2016-01-21: COSIG asks for a status update;
2016-02-01: COSIG releases this advisory;

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS. User interaction is required to exploit this vulnerability in that the target must open a malicious file.

By providing a malformed .xls file, an attacker can cause a heap memory corruption. An attacker could leverage this to execute arbitrary code under the context of the WPS Spreadsheet process.

#####################################################################################

===========
4) POC
===========

http://protekresearchlab.com/exploits/COSIG-2016-07.xlsx

###############################################################################

References:

http://protekresearchlab.com/exploits/COSIG-2016-07.xlsx

