#####################################################################################

Application: WPS Office
Platforms: Windows
Versions: Version 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

WPS Office (an acronym for Writer, Presentation and Spreadsheets, previously known as Kingsoft Office) is an office suite for Microsoft Windows, Linux, iOS and Android OS, developed by Zhuhai-based Chinese software developer Kingsoft. WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet. The personal basic version is free to use, but a watermark is printed on all printed output after the 30-day trial ends.

(https://en.wikipedia.org/wiki/WPS_Office)

#####################################################################################

============================
2) Report Timeline
============================

2015-12-31: Francis Provencher from COSIG reports the issue to WPS;
2016-01-04: WPS security confirms this issue;
2016-01-14: COSIG asks for a status update;
2016-01-21: COSIG asks for a status update;
2016-02-01: COSIG releases this advisory;

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS. User interaction is required to exploit this vulnerability, in that the target must open a malicious file. By providing a malformed .xls file, an attacker can cause a heap memory corruption. An attacker could leverage this to execute arbitrary code in the context of the WPS Spreadsheet process.

#####################################################################################

===========
4) POC
===========

http://protekresearchlab.com/exploits/COSIG-2016-07.xlsx
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39398.zip

###############################################################################