Monday, September 4, 2017

Telspace Systems Security Advisory (TSA-2017-001)


Telspace Systems Security Advisory


TSA-2017-001: WPS Office Spreadsheet invalid pointer write vulnerability

CVE number
CVE-2017-12914

Summary
A remote vulnerability exists in the .xls parsing functionality of WPS Spreadsheet. A specially crafted .xls file can cause an invalid pointer write, potentially resulting in denial of service. User interaction is required to trigger this vulnerability.

Vendor
Kingsoft

Product
WPS Spreadsheet

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component is the etmain.dll library, at etmain!EtCommentRevisionShape::InitCmtRevShape+0xd9c03 (a location resolved from export symbols only, per the debugger output below):

(1154.13d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\User-Pc\AppData\Local\Kingsoft\WPS Office\10.2.0.5908\office6\etmain.dll -
eax=00000000 ebx=06142550 ecx=08255c78 edx=00000000 esi=08255c78 edi=00000000
eip=6701cb50 esp=08f7fc14 ebp=08f7fc1c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246

etmain!EtCommentRevisionShape::InitCmtRevShape+0xd9c03:
6701cb50 ff40fc inc dword ptr [eax-4] ds:002b:fffffffc=????????

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at etmain!EtCommentRevisionShape::InitCmtRevShape+0x00000000000d9c03 (Hash=0x88e5e0e0.0x02d402a9)
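
A small triage helper for the crash output above, added here as an example and not part of the original advisory: it recomputes the faulting address from the register dump and checks whether the write target derives from a zero base register. The function name `triage` and the 64 KiB `NEAR_NULL` threshold are assumptions of this example.

```python
import re

# Crash excerpt copied from the advisory's debugger output above.
CRASH = """\
eax=00000000 ebx=06142550 ecx=08255c78 edx=00000000 esi=08255c78 edi=00000000
eip=6701cb50 esp=08f7fc14 ebp=08f7fc1c iopl=0 nv up ei pl zr na pe nc
etmain!EtCommentRevisionShape::InitCmtRevShape+0xd9c03:
6701cb50 ff40fc inc dword ptr [eax-4] ds:002b:fffffffc=????????
"""

REG_RE = re.compile(r"\b(e(?:ax|bx|cx|dx|si|di|ip|sp|bp))=([0-9a-f]{8})\b", re.I)
# Memory operand of the form [reg], [reg+disp] or [reg-disp], followed by the
# segment:address the debugger resolved it to.
OPERAND_RE = re.compile(
    r"\[(e[a-z]{2})(?:([+-])([0-9a-f]+)h?)?\]\s+\w{2}:[0-9a-f]{4}:([0-9a-f]{8})=", re.I)
NEAR_NULL = 0x10000  # assumption: treat +/-64 KiB around 0 as null-derived


def triage(text):
    """Describe the faulting memory operand of a 32-bit WinDbg crash excerpt."""
    regs = {name.lower(): int(val, 16) for name, val in REG_RE.findall(text)}
    m = OPERAND_RE.search(text)
    if m is None:
        raise ValueError("no memory operand found in faulting instruction")
    base, sign, disp, reported = m.groups()
    base = base.lower()
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    effective = (regs[base] + offset) & 0xFFFFFFFF  # 32-bit wraparound
    # Distance from 0 in either direction, so 0xfffffffc counts as -4.
    distance = min(effective, 0x100000000 - effective)
    return {
        "base_register": base,
        "base_value": regs[base],
        "offset": offset,
        "effective_address": effective,
        "matches_debugger": effective == int(reported, 16),
        "null_derived": regs[base] == 0 and distance < NEAR_NULL,
    }


if __name__ == "__main__":
    for key, value in triage(CRASH).items():
        print(key, hex(value) if type(value) is int else value)
```
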

Vendor response
The vendor has patched the vulnerability and released a new version, 10.2.0.5934.

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
04-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems.
