WPS Office < 2016 - '.ppt' Heap Memory Corruption

• Exploit Database
• 15 阅读

• 作者： Francis Provencher
  日期： 2016-02-01
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39395/

• #####################################################################################
  
  Application: WPS Office
  
  Platforms: Windows
  
  Versions: Version before 2016
  
  Author: Francis Provencher of COSIG
  
  Twitter: @COSIG_
  
  #####################################################################################
  
  1) Introduction
  2) Report Timeline
  3) Technical details
  4) POC
  
  #####################################################################################
  
  ===============
  1) Introduction
  ===============
  
  WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
  
  suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
  
  WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
  
  The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
  
  (https://en.wikipedia.org/wiki/WPS_Office)
  
  #####################################################################################
  
  ============================
  2) Report Timeline
  ============================
  
  2015-11-24: Francis Provencher from COSIG report the issue to WPS;
  2015-12-06: WPS security confirm this issue;
  2016-01-01: COSIG ask an update status;
  2016-01-07: COSIG ask an update status;
  2016-01-14: COSIG ask an update status;
  2016-01-21: COSIG ask an update status;
  2016-02-01: COSIG release this advisory;
  
  #####################################################################################
  
  ============================
  3) Technical details
  ============================
  
  The specific flaw exists within the handling of a crafted PPT files with an invalid value into “texttype” in the “clientTextBox”
  into a “DrawingContainer”. An heap memory corruption occured and could allow remote attackers to execute arbitrary code
  on vulnerable installations of WPS. User interaction is required to exploit this vulnerability, the target must open a malicious file.
  
  #####################################################################################
  
  ===========
  
  4) POC
  
  ===========
  
  http://protekresearchlab.com/exploits/COSIG-2016-04.ppt
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39395.zip
  
  ###############################################################################