WPS Office < 2016 - '.doc' OneTableDocumentStream Memory Corruption

EDB-ID:

39396

CVE:

N/A




Platform:

Windows

Date:

2016-02-01


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

#####################################################################################

Application: WPS Office

Platforms: Windows

Versions: Version before 2016

Author: Francis Provencher of COSIG

Twitter: @COSIG_

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office

suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.

WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.

The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.

(https://en.wikipedia.org/wiki/WPS_Office)

#####################################################################################

============================
2) Report Timeline
============================

2015-11-24: Francis Provencher from COSIG report the issue to WPS;
2015-12-06: WPS security confirm this issue;
2016-01-01: COSIG ask an update status;
2016-01-07: COSIG ask an update status;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;

#####################################################################################

============================
3) Technical details
============================

 

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability, the target must open a malicious file.
The specific flaw exists within the handling of a crafted DOC files with an invalid value into the “OneTableDocumentStream”
data section causing a stackbase memory corruption.
###############################################################################

===========

4) POC

===========

http://protekresearchlab.com/exploits/COSIG-2016-05.doc
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39396.zip

###############################################################################