Telspace Systems Security Advisory
TSA-2017-004: WPS Office Writer out of bounds read vulnerability
CVE number
CVE-2017-12916
Summary
A remote vulnerability exists in the .doc parsing functionality of WPS Writer. A specially crafted .doc file can cause an out-of-bounds read, resulting in a potential information leak or denial of service. User interaction is required to trigger this vulnerability.
Vendor
Kingsoft
Product
WPS Writer
Versions
10.2.0.5908
Vendor URL
https://www.wps.com
Details and crash information
The affected component is docreader.dll, which crashes with an access violation at docreader!dr_CreateSource3Ex+0x1cff:
(7f8.1c0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=0a9fab15 edx=0bcc03f0 esi=0aa26ad8 edi=019fab15
eip=6bb76604 esp=0019ea24 ebp=0019ea6c iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010287
docreader!dr_CreateSource3Ex+0x1cff:
6bb76604 0fb607 movzx eax,byte ptr [edi] ds:002b:019fab15=??
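A small triage script for the debugger output above, added here as an example; it is not part of the original advisory or of the vendor's or Telspace's tooling. The function name `triage` and the result keys are assumptions, and the read/write classification is a heuristic for two-operand mov-style instructions.

```python
import re

# Crash output copied verbatim from this advisory.
CRASH = """\
(7f8.1c0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=0a9fab15 edx=0bcc03f0 esi=0aa26ad8 edi=019fab15
eip=6bb76604 esp=0019ea24 ebp=0019ea6c iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010287
docreader!dr_CreateSource3Ex+0x1cff:
6bb76604 0fb607 movzx eax,byte ptr [edi] ds:002b:019fab15=??
"""

REG = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
EXC = re.compile(r"code ([0-9a-f]{8})")
SYM = re.compile(r"^(\w+)!(\w+)\+0x([0-9a-f]+):$", re.M)
# address, opcode bytes, mnemonic, operands, seg:selector:effective-address=value
INS = re.compile(
    r"^([0-9a-f]{8}) [0-9a-f]+ (\w+) (.+?) \w\w:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)$",
    re.M,
)


def triage(text):
    """Classify a 32-bit WinDbg access-violation record (hypothetical helper)."""
    regs = {name: int(val, 16) for name, val in REG.findall(text)}
    exc, sym, ins = EXC.search(text), SYM.search(text), INS.search(text)
    if not (exc and sym and ins):
        raise ValueError("unrecognised crash format")
    operands = ins.group(3)
    dst, _, src = operands.partition(",")
    base = re.search(r"\[(\w+)\]", operands)
    fault = int(ins.group(4), 16)
    # Heuristic: memory operand in the source position means a load (read).
    access = "read" if "[" in src else ("write" if "[" in dst else None)
    return {
        "exception": int(exc.group(1), 16),
        "module": sym.group(1),
        "location": f"{sym.group(2)}+0x{sym.group(3)}",
        "access": access,
        "fault_address": fault,
        "base_register": base.group(1) if base else None,
        # WinDbg prints '??' when the target memory cannot be read.
        "unmapped": set(ins.group(5)) == {"?"},
        "eip_matches": regs.get("eip") == int(ins.group(1), 16),
        "base_matches": bool(base) and regs.get(base.group(1)) == fault,
    }


if __name__ == "__main__":
    for key, value in triage(CRASH).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```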
Vendor response
The vendor has patched the vulnerability and released a new version, 10.2.0.5934.
Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
xx-09-2017 – Public Disclosure
Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems