Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-31275: TALOS-2023-1748 || Cisco Talos Intelligence Group

An uninitialized pointer use vulnerability exists in the functionality of WPS Office 11.2.0.11537 that handles Data elements in an Excel file. A specially crafted malformed file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE
#vulnerability#windows#microsoft#cisco#intel#c++#rce

SUMMARY

An uninitialized pointer use vulnerability exists in the functionality of WPS Office 11.2.0.11537 that handles Data elements in an Excel file. A specially crafted malformed file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WPS Office 11.2.0.11537

PRODUCT URLS

WPS Office - https://www.wps.com/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-457 - Use of Uninitialized Variable

DETAILS

WPS Office, previously known as a Kingsoft Office, is a suite of tools used for productivity in both a corporate environment and by individual users. It offers a range of tools, such as WPS Spreadsheets for spreadsheets, WPS Writer for document editing and so on.

When we run et.exe under the debugger with PageHeap turned on we can observer the following result:

(1ba8.2d30): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 406EFF7:0
eax=00000000 ebx=83eceb4c ecx=c0c0c0c0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
eip=6723b200 esp=83eceab8 ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
kso!WStr::data:
6723b200 8b01            mov     eax,dword ptr [ecx]  ds:002b:c0c0c0c0=????????

c0c0c0c0 is a typical value set by the page heap manager in freshly allocated heap chunks to simplify detection of uninitialized variable usage. We can find a confirmation of this theory going back few steps to obtain an address from which this value has been read:

0:015> p-
Time Travel Position: 406EFF6:1D
eax=00000000 ebx=83eceb4c ecx=81804ff0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
eip=841d6303 esp=83eceabc ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
ethtmlrw2!html2::Attr::~Attr+0x42243:
841d6303 8b4904          mov     ecx,dword ptr [ecx+4] ds:002b:81804ff4=c0c0c0c0

Now, checking write events related to the 81804ff4 address :

================================================================================================================================================
  = (+)     EventType = (+) ThreadId = (+) UniqueThreadId = (+) TimeStart  = (+) TimeEnd    = (+) AccessType = (+) IP        = (+) Address   = (+) Size = (+) Value     = (+) OverwrittenValue 
 =[0xa0]    - 0x1           - 0x2d30       - 0x39            - 406E0FE:3A     - 406E0FE:3A       - Write     - 0x77699095    - 0x81804ff4        - 0x4      - 0xc0c0c0c0         - 0x0   

and going back to the latest one:

0:015> dx -r1 @$create("Debugger.Models.TTD.Position", 67559678, 58)
@$create("Debugger.Models.TTD.Position", 67559678, 58)                 : 406E0FE:3A [Time Travel]
    Sequence         : 0x406e0fe
    Steps            : 0x3a
    SeekTo           [Method which seeks to time position]
    ToSystemTime     [Method which obtains the approximate system time at a given position]
0:015> dx -s @$create("Debugger.Models.TTD.Position", 67559678, 58).SeekTo()
(1ba8.2d30): Break instruction exception - code 80000003 (first/second chance not available)
Time Travel Position: 406E0FE:3A
0:015> r
eax=c0c0c0c0 ebx=00000000 ecx=00000002 edx=00000000 esi=81804ff0 edi=81804ff4
eip=77699095 esp=83ece6ec ebp=83ece728 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
ntdll!memset+0x45:
77699095 f3ab            rep stos dword ptr es:[edi]
0:015> kb
 # ChildEBP RetAddr      Args to Child              
00 83ece6ec 6ba2a8de     81804ff0 000000c0 0000000c ntdll!memset+0x45
01 83ece728 776ff29e     049a0000 01000002 0000000c verifier!AVrfDebugPageHeapAllocate+0x26e
02 83ece798 77667170     0000000c 38cbb804 049a0000 ntdll!RtlDebugAllocateHeap+0x39
03 83ece944 77666ecc     0000000c 00000018 00000000 ntdll!RtlpAllocateHeap+0xf0
04 83ece9e0 77665e6e     00000000 00000000 0000000c ntdll!RtlpAllocateHeapInternal+0x104c
05 83ece9fc 76830166     049a0000 00000000 0000000c ntdll!RtlAllocateHeap+0x3e
06 83ecea18 841e4c8c     0000000c 83ecea80 841c3e02 ucrtbase!_malloc_base+0x26
WARNING: Stack unwind information not available. Following frames may be wrong.
07 83ecea24 841c3e02     0000000c e648046e 84263348 ethtmlrw2!html2::AttrPack::Compare+0x9f0c
08 83ecea80 841bf2ab     77cfafe0 e64805f6 6fef4ff0 ethtmlrw2!html2::Attr::~Attr+0x2fd42
09 83eceb18 841c4816     714cef00 84263310 7ce5ffb0 ethtmlrw2!html2::Attr::~Attr+0x2b1eb
0a 83eceb30 841c8f74     714cef00 84263310 84263310 ethtmlrw2!html2::Attr::~Attr+0x30756
0b 83eceb44 84170330     7ce5dfe8 4b14cfe0 7cb50ec0 ethtmlrw2!html2::Attr::~Attr+0x34eb4
0c 83eced20 8416f595     6fef0c00 83eced94 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x30a0
0d 83eced5c 67393f3b     73b12fc8 6fef0c00 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x2305
0e 83eceda4 67372cf8     6fef0c00 43d04398 7bfd1000 kso!vml::LegacyDomShapeAcceptor::Transform+0x4b
0f 83ecedd0 6736cd34     6fef0c00 6fe46ff0 43d04070 kso!vml::TFill::Transform+0x1ea8
10 83ecee38 6723d584     83ecf080 6fef0c00 6fef4ff0 kso!vml::VmlDrawingHandler::AddElementAttr+0x784
11 83ecee4c 8416009b     72c76fe8 00490046 00000001 kso!XmlFxSetGlobalMapperHelper2::BeginSet+0xd4
12 83ecee64 84169634     83ecf0b4 00490046 500d2800 ethtmlrw2!html2::StrId::operator!=+0x397b
13 83ecee88 674ff633     4ca0e800 3245efd8 500d2800 ethtmlrw2!html2::StrId::operator!=+0xcf14
14 83eceecc 6750cc0b     7eb8efd0 00000007 6751b800 kso!curl_easy_reset+0xfe81
15 83ecef60 6750c34f     83ecef8b 43d041d4 83ecf28c kso!curl_easy_reset+0x1d459
16 83ecef9c 6750c4a4     00000000 43d04198 83ecf28c kso!curl_easy_reset+0x1cb9d
17 83ecefd0 674fffdc     83ecf030 43d05e5c 83ecf28c kso!curl_easy_reset+0x1ccf2
18 83ecf014 671f9c82     83ecf030 43d05e14 83ecf28c kso!curl_easy_reset+0x1082a
19 83ecf05c 8416279f     54b5af88 5fea6fe8 ffffffff kso!XSAXParse+0x62
1a 83ecf0fc 8416385d     83ecf058 5fea6fe8 7ab56fd0 ethtmlrw2!html2::StrId::operator!=+0x607f
1b 83ecf190 84163a8c     50518fe0 2a810568 e6481f02 ethtmlrw2!html2::StrId::operator!=+0x713d
1c 83ecf1ec 8416180c     59d3cf0c e6481cc2 78272fc8 ethtmlrw2!html2::StrId::operator!=+0x736c
1d 83ecf22c 841902e0     59d3cee8 00000000 e6481db6 ethtmlrw2!html2::StrId::operator!=+0x50ec
1e 83ecf358 8418fae7     59d3cec8 83ecf444 e6481d2a ethtmlrw2!html2::UrlStack::~UrlStack+0x35c0
1f 83ecf3c4 8418e3a4     59d3cec8 83ecf408 0d8f1bc0 ethtmlrw2!html2::UrlStack::~UrlStack+0x2dc7
20 83ecf494 8417d4ca     e64819ba 0029aff0 6e7b0fb8 ethtmlrw2!html2::UrlStack::~UrlStack+0x1684
21 83ecf754 84153f6f     00d3d3e4 7cb50ec0 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x437a
22 83ecf790 841549d9     6e7b0fb8 84155d1f e648192e ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
23 83ecf7c0 76844f9f     6e308c40 fd73b30e 76844f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xb29
24 83ecf7f8 76450099     5013afe8 76450080 83ecf864 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
25 83ecf808 77687b6e     5013afe8 38cba924 00000000 KERNEL32!BaseThreadInitThunk+0x19
26 83ecf864 77687b3e     ffffffff 776a8ca2 00000000 ntdll!__RtlUserThreadStart+0x2f
27 83ecf874 00000000     76844f60 5013afe8 00000000 ntdll!_RtlUserThreadStart+0x1b

We can see that the 0xc0c0c0c0 value was set by one of the internal page heap manager functions.

Further investigation revealed that the uninitialized value read is related to the Data element, or, more precisely, its absence in a malformed file. The Data element, according to the documentation, is an obligatory element inside the Caption element, and it turned out that developers following the documentation assumed its existence without proper checks. That assumption lead to the vulnerability described above.

The value of uninitialized Data object pointer in further code is used in both read and write operations, which, in a combination with proper heap grooming, can lead to precise memory corruption and in consequence remote code execution.

Crash Information

(1ba8.2d30): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 406EFF7:0
eax=00000000 ebx=83eceb4c ecx=c0c0c0c0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
eip=6723b200 esp=83eceab8 ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
kso!WStr::data:
6723b200 8b01            mov     eax,dword ptr [ecx]  ds:002b:c0c0c0c0=????????


0:015> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 83eceb14 841ba621     77cf8fc8 55166f40 e64805b2 kso!WStr::data
01 83eceb5c 84170349     e64803ce 80004005 83eced94 ethtmlrw2!html2::Attr::~Attr+0x26561
02 83eced20 8416f595     6fef0c00 83eced94 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x30b9
03 83eced5c 67393f3b     73b12fc8 6fef0c00 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x2305
04 83eceda4 67372cf8     6fef0c00 43d04398 7bfd1000 kso!vml::LegacyDomShapeAcceptor::Transform+0x4b
05 83ecedd0 6736cd34     6fef0c00 6fe46ff0 43d04070 kso!vml::TFill::Transform+0x1ea8
06 83ecee38 6723d584     83ecf080 6fef0c00 6fef4ff0 kso!vml::VmlDrawingHandler::AddElementAttr+0x784
07 83ecee4c 8416009b     72c76fe8 00490046 00000001 kso!XmlFxSetGlobalMapperHelper2::BeginSet+0xd4
08 83ecee64 84169634     83ecf0b4 00490046 500d2800 ethtmlrw2!html2::StrId::operator!=+0x397b
09 83ecee88 674ff633     4ca0e800 3245efd8 500d2800 ethtmlrw2!html2::StrId::operator!=+0xcf14
0a 83eceecc 6750cc0b     7eb8efd0 00000007 6751b800 kso!curl_easy_reset+0xfe81
0b 83ecef60 6750c34f     83ecef8b 43d041d4 83ecf28c kso!curl_easy_reset+0x1d459
0c 83ecef9c 6750c4a4     00000000 43d04198 83ecf28c kso!curl_easy_reset+0x1cb9d
0d 83ecefd0 674fffdc     83ecf030 43d05e5c 83ecf28c kso!curl_easy_reset+0x1ccf2
0e 83ecf014 671f9c82     83ecf030 43d05e14 83ecf28c kso!curl_easy_reset+0x1082a
0f 83ecf05c 8416279f     54b5af88 5fea6fe8 ffffffff kso!XSAXParse+0x62
10 83ecf0fc 8416385d     83ecf058 5fea6fe8 7ab56fd0 ethtmlrw2!html2::StrId::operator!=+0x607f
11 83ecf190 84163a8c     50518fe0 2a810568 e6481f02 ethtmlrw2!html2::StrId::operator!=+0x713d
12 83ecf1ec 8416180c     59d3cf0c e6481cc2 78272fc8 ethtmlrw2!html2::StrId::operator!=+0x736c
13 83ecf22c 841902e0     59d3cee8 00000000 e6481db6 ethtmlrw2!html2::StrId::operator!=+0x50ec
14 83ecf358 8418fae7     59d3cec8 83ecf444 e6481d2a ethtmlrw2!html2::UrlStack::~UrlStack+0x35c0
15 83ecf3c4 8418e3a4     59d3cec8 83ecf408 0d8f1bc0 ethtmlrw2!html2::UrlStack::~UrlStack+0x2dc7
16 83ecf494 8417d4ca     e64819ba 0029aff0 6e7b0fb8 ethtmlrw2!html2::UrlStack::~UrlStack+0x1684
17 83ecf754 84153f6f     00d3d3e4 7cb50ec0 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x437a
18 83ecf790 841549d9     6e7b0fb8 84155d1f e648192e ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
19 83ecf7c0 76844f9f     6e308c40 fd73b30e 76844f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xb29
1a 83ecf7f8 76450099     5013afe8 76450080 83ecf864 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
1b 83ecf808 77687b6e     5013afe8 38cba924 00000000 KERNEL32!BaseThreadInitThunk+0x19
1c 83ecf864 77687b3e     ffffffff 776a8ca2 00000000 ntdll!__RtlUserThreadStart+0x2f
1d 83ecf874 00000000     76844f60 5013afe8 00000000 ntdll!_RtlUserThreadStart+0x1b


0:015> lmv et
start    end        module name
00020000 0016c000   et       
    Loaded symbol image file: et.exe
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\et.exe
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\et.exe
    Image name: et.exe
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 08:42:37 2023 (6447765D)
    CheckSum:         0014FD10
    ImageSize:        0014C000
    File version:     11.2.0.11537
    Product version:  11.2.0.11537
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    Information from resource tables:
        CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
        ProductName:      WPS Office
        InternalName:     et
        OriginalFilename: et.exe
        ProductVersion:   11,2,0,11537
        FileVersion:      11,2,0,11537
        FileDescription:  WPS Spreadsheets
        LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.
65ac0000 68a6c000   kso      
    Loaded symbol image file: kso.dll
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kso.dll
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kso.dll
    Image name: kso.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 09:02:21 2023 (64477AFD)
    CheckSum:         02F68F73
    ImageSize:        02FAC000
    File version:     11.2.0.11537
    Product version:  11.2.0.11537
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    Information from resource tables:
        CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
        ProductName:      WPS Office
        InternalName:     kso
        OriginalFilename: kso.dll
        ProductVersion:   11,2,0,11537
        FileVersion:      11,2,0,11537
        FileDescription:  WPS Office Module
        LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.
69900000 69e02000   Qt5CoreKso 
    Loaded symbol image file: Qt5CoreKso.dll
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll
    Image name: Qt5CoreKso.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 06:37:12 2023 (644758F8)
    CheckSum:         00503D31
    ImageSize:        00502000
    File version:     5.12.10.0
    Product version:  5.12.10.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      The Qt Company Ltd.
        ProductName:      Qt5
        OriginalFilename: Qt5CoreKso.dll
        ProductVersion:   5.12.10.0
        FileVersion:      5.12.10.0
        FileDescription:  C++ Application Development Framework
        LegalCopyright:   Copyright (C) 2020 The Qt Company Ltd.
6ba20000 6ba85000   verifier 
    Loaded symbol image file: verifier.dll
    Mapped memory image file: C:\ProgramData\Dbg\sym\verifier.dll\D131439B65000\verifier.dll
    Image path: C:\WINDOWS\SysWOW64\verifier.dll
    Image name: verifier.dll
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        D131439B (This is a reproducible build file hash, not a timestamp)
    CheckSum:         000613E9
    ImageSize:        00065000
    File version:     10.0.19041.1
    Product version:  10.0.19041.1
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     verifier.dll
        OriginalFilename: verifier.dll
        ProductVersion:   10.0.19041.1
        FileVersion:      10.0.19041.1 (WinBuild.160101.0800)
        FileDescription:  Standard application verifier provider dll
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
84150000 84274000   ethtmlrw2 
    Loaded symbol image file: ethtmlrw2.dll
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ethtmlrw2.dll
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ethtmlrw2.dll
    Image name: ethtmlrw2.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 09:34:34 2023 (6447828A)
    CheckSum:         00130A73
    ImageSize:        00124000
    File version:     11.2.0.11537
    Product version:  11.2.0.11537
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    Information from resource tables:
        CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
        ProductName:      WPS Office
        InternalName:     ethtmlrw2
        OriginalFilename: ethtmlrw2.dll
        ProductVersion:   11,2,0,11537
        FileVersion:      11,2,0,11537
        FileDescription:  
        LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.

TIMELINE

2023-05-15 - Vendor Disclosure
2023-07-11 - Follow-up
2023-07-13 - Follow-up reminder of 90-day deadline
2023-08-03 - Follow-up
2023-08-07 - Follow-up
2023-08-28 - Follow-up with suggest release date
2023-11-27 - Public Release

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.

Related news

Remote code execution vulnerabilities found in Buildroot, Foxit PDF Reader

Cisco Talos has disclosed 10 vulnerabilities over the past two weeks, including nine that exist in a popular online PDF reader that offers a browser plugin.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907