WPS Office < 2016 - '.ppt' drawingContainer Memory Corruption

2016-02-01T00:00:00
ID 1337DAY-ID-25809
Type zdt
Reporter Francis Provencher
Modified 2016-02-01T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                            #####################################################################################
 
Application: WPS Office
 
Platforms: Windows
 
Versions: Version 2016
 
Author: Francis Provencher of COSIG
 
Twitter: @COSIG_
 
#####################################################################################
 
1) Introduction
2) Report Timeline
3) Technical details
4) POC
 
#####################################################################################
 
===============
1) Introduction
===============
 
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
 
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
 
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
 
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
 
(https://en.wikipedia.org/wiki/WPS_Office)
 
#####################################################################################
 
============================
2) Report Timeline
============================
 
2015-12-31: Francis Provencher from COSIG report the issue to WPS;
2016-01-04: WPS security confirm this issue;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
 
#####################################################################################
 
============================
3) Technical details
============================
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability in that the target must open a malicious file.
 
The specific flaw exists within the handling of a crafted Presentation files with an invalid “Length” header in a drawingContainer.
By providing a malformed .ppt file, an attacker can cause an memory corruption by dereferencing an uninitialized pointer.
 
#####################################################################################
 
===========
 
4) POC
 
===========
 
http://protekresearchlab.com/exploits/COSIG-2016-06.ppt
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39397.zip
 
###############################################################################

#  0day.today [2018-02-06]  #