Monday, September 18, 2017

Telspace Systems Security Advisory (TSA-2017-004)

Telspace Systems Security Advisory

TSA-2017-004: WPS Office Writer out of bounds read vulnerability

CVE number
CVE-2017-12916

Summary
A remote vulnerability exists in the .doc parsing functionality of WPS Writer. A specially crafted .doc file can cause an out of bounds read vulnerability resulting in potential information leak or denial of service. User interaction is required to trigger this vulnerability.

Vendor
Kingsoft

Product
WPS Writer

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component is docreader.dll, which crashes in the dr_CreateSource3Ex function:

(7f8.1c0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=0a9fab15 edx=0bcc03f0 esi=0aa26ad8 edi=019fab15
eip=6bb76604 esp=0019ea24 ebp=0019ea6c iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
docreader!dr_CreateSource3Ex+0x1cff:
6bb76604 0fb607          movzx   eax,byte ptr [edi]         ds:002b:019fab15=??

Vendor response
The vendor has patched the vulnerability and released a new version, 10.2.0.5934.

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
xx-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems

Monday, September 11, 2017

Telspace Systems Security Advisory (TSA-2017-003)


Telspace Systems Security Advisory

TSA-2017-003: WPS Office Spreadsheet out of bounds read vulnerability

CVE number
CVE-2017-12918

Summary
A remote vulnerability exists in the .xls parsing functionality of WPS Spreadsheet. A specially crafted .xls file can cause an out of bounds read vulnerability resulting in potential information leak or code execution. User interaction is required to trigger this vulnerability.

Vendor
Kingsoft

Product
WPS spreadsheet

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component crashes inside memcpy in MSVCR100.dll:

(1ddc.1fd0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\User-Pc\AppData\Local\Kingsoft\WPS Office\10.2.0.5908\office6\MSVCR100.dll -
(1ddc.1fd0): Access violation - code c0000005 (!!! second chance !!!)
eax=07862b89 ebx=07b500b4 ecx=000066e3 edx=00000000 esi=07848ffd edi=07b52aa4
eip=6f1d1ed7 esp=047df7ec ebp=047df7f4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202

MSVCR100!memcpy+0x57:
6f1d1ed7 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

Vendor response
The vendor has patched the vulnerability and released a new version, 10.2.0.5934.

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
05-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems

Wednesday, September 6, 2017

Telspace Systems Security Advisory (TSA-2017-002)


Telspace Systems Security Advisory

TSA-2017-002: WPS Office Spreadsheet invalid pointer read vulnerability

CVE number
CVE-2017-12915

Summary
A remote vulnerability exists in the .xls parsing functionality of WPS Spreadsheet. A specially crafted .xls file can cause an invalid pointer read vulnerability resulting in a potential information leak or a denial of service. User interaction is required to trigger this vulnerability.

Vendor
Kingsoft

Product
WPS spreadsheet

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component is the excelrw.dll library; the crash occurs in this function:
excelrw!chart::KETSeriesDataSourceProvider::chartTypeEx

(1e14.560): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\User-Pc\AppData\Local\Kingsoft\WPS Office\10.2.0.5908\office6\excelrw.dll -
eax=0439f78c ebx=9d953784 ecx=9d953784 edx=07f86948 esi=9d953784 edi=06012490
eip=6b8772bd esp=0439f774 ebp=0439f798 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206

excelrw!chart::KETSeriesDataSourceProvider::chartTypeEx+0x461fd:
6b8772bd 8b7e4a mov edi,dword ptr [esi+4Ah] ds:002b:9d9537ce=????????

Vendor response
The vendor has patched the vulnerability and released a new version, 10.2.0.5934.

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
05-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems

Monday, September 4, 2017

Telspace Systems Security Advisory (TSA-2017-001)


Telspace Systems Security Advisory


TSA-2017-001: WPS Office Spreadsheet invalid pointer write vulnerability

CVE number
CVE-2017-12914

Summary
A remote vulnerability exists in the .xls parsing functionality of WPS Spreadsheet. A specially crafted .xls file can cause an invalid pointer write vulnerability resulting in potential denial of service. User interaction is required to trigger this vulnerability.
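All four advisories describe the same bug class: a length or pointer taken from a crafted file is used before it is checked against the data actually present. As an added illustration (example code, not Telspace's, Kingsoft's or WPS's parser): a minimal walker for a BIFF-style record stream, the 2-byte-type, 2-byte-length record layout legacy .xls files use, first in the form that trusts the length field and then with the check that rejects a record whose declared length runs past the end of the stream. The sample streams are constructed for this example and are not valid workbooks, although the record identifiers follow BIFF numbering.

```python
import struct

# Constructed sample streams (not valid workbooks). Each record is a 2-byte
# little-endian type, a 2-byte little-endian length, then the payload.
GOOD_STREAM = (
    struct.pack("<HH", 0x0809, 4) + b"\x00\x06\x05\x00"   # BOF, abbreviated payload
    + struct.pack("<HH", 0x0042, 2) + b"\xb5\x04"         # CODEPAGE 0x04B5 (UTF-16LE)
    + struct.pack("<HH", 0x000A, 0)                       # EOF, empty payload
)
CRAFTED_STREAM = (
    struct.pack("<HH", 0x0809, 4) + b"\x00\x06\x05\x00"
    + struct.pack("<HH", 0x0042, 0xFFFF) + b"\xb5\x04"    # declares 65535 bytes, has 2
)


class TruncatedRecord(ValueError):
    """Raised when a record's declared length exceeds the bytes that remain."""


def walk_records_unchecked(stream: bytes):
    """Trusts the length field: the pattern behind an out-of-bounds read.

    Python slicing silently returns fewer bytes; a native parser doing
    memcpy(dst, stream + off + 4, rlen) would read past the buffer instead.
    """
    records, off = [], 0
    while off < len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        records.append((rtype, stream[off + 4: off + 4 + rlen]))
        off += 4 + rlen
    return records


def walk_records_checked(stream: bytes):
    """Checks the header and the declared length against what is present."""
    records, off, total = [], 0, len(stream)
    while off < total:
        if total - off < 4:
            raise TruncatedRecord(
                f"record header at offset {off} needs 4 bytes, {total - off} remain")
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        # Compare against the remaining size instead of computing off + 4 + rlen,
        # so the same check cannot wrap around when written with a fixed-width size_t.
        if rlen > total - off - 4:
            raise TruncatedRecord(
                f"record 0x{rtype:04x} at offset {off} declares {rlen} bytes, "
                f"{total - off - 4} remain")
        records.append((rtype, stream[off + 4: off + 4 + rlen]))
        off += 4 + rlen
    return records


def describe(stream: bytes) -> str:
    """Human-readable verdict for a stream, used to show both outcomes."""
    try:
        records = walk_records_checked(stream)
    except TruncatedRecord as exc:
        return f"rejected: {exc}"
    return f"ok: {len(records)} records"


if __name__ == "__main__":
    print(describe(GOOD_STREAM))
    print(describe(CRAFTED_STREAM))
    # The unchecked walker accepts the crafted stream and returns a 2-byte
    # payload for a record that claimed 65535 bytes.
    print([(hex(t), len(p)) for t, p in walk_records_unchecked(CRAFTED_STREAM)])
```

The subtraction form of the check matters when the same logic is written in C: `off + 4 + rlen <= total` can wrap to a small value for large `rlen`, whereas `rlen > total - off - 4` cannot once `total - off >= 4` has been established.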

Vendor
Kingsoft

Product
WPS spreadsheet

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component is the etmain.dll library; the crash occurs in this function: etmain!EtCommentRevisionShape::InitCmtRevShape+0xd9c03

(1154.13d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\User-Pc\AppData\Local\Kingsoft\WPS Office\10.2.0.5908\office6\etmain.dll -
eax=00000000 ebx=06142550 ecx=08255c78 edx=00000000 esi=08255c78 edi=00000000
eip=6701cb50 esp=08f7fc14 ebp=08f7fc1c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246

etmain!EtCommentRevisionShape::InitCmtRevShape+0xd9c03:
6701cb50 ff40fc inc dword ptr [eax-4] ds:002b:fffffffc=????????

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at etmain!EtCommentRevisionShape::InitCmtRevShape+0x00000000000d9c03 (Hash=0x88e5e0e0.0x02d402a9)
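An added triage helper, not part of the advisories and not a Telspace tool: it takes the register line, symbol line and faulting instruction from each of the four WinDbg excerpts above, decides from the instruction form whether the faulting access is a read, a write, or a string copy that does both, recomputes the effective address from the base register and displacement, and checks it against the `ds:002b:...` address WinDbg reported. The access heuristics and the address-range notes are this example's own assumptions (32-bit user mode with the default 2 GB split; register names and syntax as WinDbg prints them).

```python
import re

# Crash excerpts copied from the four advisories above: the first register line,
# the symbol line and the faulting instruction line of each WinDbg dump.
DUMPS = {
    "TSA-2017-004": (
        "eax=00000000 ebx=00000000 ecx=0a9fab15 edx=0bcc03f0 esi=0aa26ad8 edi=019fab15\n"
        "docreader!dr_CreateSource3Ex+0x1cff:\n"
        "6bb76604 0fb607          movzx   eax,byte ptr [edi]         ds:002b:019fab15=??\n"
    ),
    "TSA-2017-003": (
        "eax=07862b89 ebx=07b500b4 ecx=000066e3 edx=00000000 esi=07848ffd edi=07b52aa4\n"
        "MSVCR100!memcpy+0x57:\n"
        "6f1d1ed7 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]\n"
    ),
    "TSA-2017-002": (
        "eax=0439f78c ebx=9d953784 ecx=9d953784 edx=07f86948 esi=9d953784 edi=06012490\n"
        "excelrw!chart::KETSeriesDataSourceProvider::chartTypeEx+0x461fd:\n"
        "6b8772bd 8b7e4a mov edi,dword ptr [esi+4Ah] ds:002b:9d9537ce=????????\n"
    ),
    "TSA-2017-001": (
        "eax=00000000 ebx=06142550 ecx=08255c78 edx=00000000 esi=08255c78 edi=00000000\n"
        "etmain!EtCommentRevisionShape::InitCmtRevShape+0xd9c03:\n"
        "6701cb50 ff40fc inc dword ptr [eax-4] ds:002b:fffffffc=????????\n"
    ),
}

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)=([0-9a-f]{8})\b")
SYM_RE = re.compile(r"^(\S+!\S+\+0x[0-9a-f]+):\s*$", re.M)
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(.+?)\s*$", re.M)   # addr opcode text
ANNOT_RE = re.compile(r"\s+ds:[0-9a-f]{4}:([0-9a-f]{8})=\S*$")        # WinDbg fault note
MEM_RE = re.compile(r"\[(e[a-z]{2})(?:([+-])([0-9A-Fa-f]+)h?)?\]")    # [reg], [reg+4Ah], [reg-4]
RMW = {"inc", "dec", "add", "sub", "and", "or", "xor", "not", "neg", "shl", "shr", "sar"}


def _effective_address(mem, regs):
    """Base register value plus MASM-style hex displacement, wrapped to 32 bits."""
    reg, sign, disp = mem.group(1), mem.group(2), mem.group(3)
    base = regs[reg]
    offset = int(disp, 16) if disp else 0
    addr = base - offset if sign == "-" else base + offset
    return reg, base, addr & 0xFFFFFFFF


def _access_kind(mnemonic, operands):
    """Heuristic (assumption): which way the faulting memory operand is accessed."""
    if not operands:
        return "none"
    has_mem = ["[" in op for op in operands]
    if mnemonic.endswith("movs"):
        return "read+write"      # string copy reads [esi] and writes es:[edi]
    if mnemonic in RMW and has_mem[0]:
        return "write"           # read-modify-write on the memory operand
    if mnemonic in ("cmp", "test"):
        return "read"
    if has_mem[0] and len(operands) > 1:
        return "write"           # memory is the destination operand
    return "read" if any(has_mem) else "none"


def _assess(reg, base, addr):
    if base == 0:
        return f"null-derived pointer (base register {reg} is zero): missed null check, usually denial of service"
    if addr >= 0x80000000:
        return f"above the default 2 GB user-mode limit: uninitialised or corrupted pointer in {reg}"
    return f"user-mode address; an access violation here usually means an out-of-bounds or stale pointer in {reg}"


def triage(dump: str) -> dict:
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    symbol = SYM_RE.search(dump).group(1)
    insn = INSN_RE.search(dump).group(1)
    annot = ANNOT_RE.search(insn)
    reported = int(annot.group(1), 16) if annot else None
    insn = ANNOT_RE.sub("", insn)
    mnemonic, _, rest = insn.partition(" ")
    rest = rest.strip()
    if mnemonic in ("rep", "repe", "repne"):          # fold the string prefix in
        second, _, rest = rest.partition(" ")
        mnemonic, rest = f"{mnemonic} {second}", rest.strip()
    operands = [op.strip() for op in rest.split(",")] if rest else []
    mem = []
    for op in operands:
        m = MEM_RE.search(op)
        if m:
            reg, base, addr = _effective_address(m, regs)
            mem.append({"operand": op, "base": reg, "address": addr, "note": _assess(reg, base, addr)})
    return {
        "symbol": symbol,
        "mnemonic": mnemonic,
        "access": _access_kind(mnemonic.split()[-1], operands),
        "reported_address": reported,
        "memory_operands": mem,
        # True when the address WinDbg printed is reproducible from the registers.
        "address_matches_registers": reported is None or any(x["address"] == reported for x in mem),
    }


if __name__ == "__main__":
    for advisory, dump in DUMPS.items():
        r = triage(dump)
        print(f"{advisory}: {r['access']:<10} {r['symbol']}")
        for x in r["memory_operands"]:
            print(f"    {x['operand']:<24} -> {x['address']:08x}  {x['note']}")
```

For the memcpy crash (TSA-2017-003) WinDbg prints no fault annotation, and `rep movs` touches both `[esi]` and `es:[edi]`, so the helper reports both effective addresses rather than guessing which one faulted; the advisory's classification as an out-of-bounds read is a judgement the crash line alone does not settle. For TSA-2017-001 the recomputed address `fffffffc` comes from `eax=0` minus 4, which is why the note flags a null-derived pointer even though the raw address looks like a kernel-range value.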

Vendor response
The vendor has patched the vulnerability and released a new version, 10.2.0.5934.

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
04-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems