Monday, September 4, 2017

Telspace Systems Security Advisory (TSA-2017-001)

TSA-2017-001: WPS Office Spreadsheet invalid pointer write vulnerability

CVE number

A remote vulnerability exists in the .xls parsing functionality of WPS Spreadsheet. A specially crafted .xls file can cause an invalid pointer write, resulting in potential denial of service. User interaction is required to trigger this vulnerability.


WPS spreadsheet


Vendor URL

Details and crash information
The affected component is the etmain.dll library, in the function etmain!EtCommentRevisionShape::InitCmtRevShape+0xd9c03:

(1154.13d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\User-Pc\AppData\Local\Kingsoft\WPS Office\\office6\etmain.dll -
eax=00000000 ebx=06142550 ecx=08255c78 edx=00000000 esi=08255c78 edi=00000000
eip=6701cb50 esp=08f7fc14 ebp=08f7fc1c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246

6701cb50 ff40fc inc dword ptr [eax-4] ds:002b:fffffffc=????????

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at etmain!EtCommentRevisionShape::InitCmtRevShape+0x00000000000d9c03 (Hash=0x88e5e0e0.0x02d402a9)
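
The faulting write address in the crash output above can be recomputed from the register dump, which is a quick triage check on where the bad pointer came from. The Python sketch below is an added example, not part of the advisory or of any Telspace or WPS tooling; the function names are hypothetical and the embedded log excerpt is copied from the crash output above.

```python
import re

# Register dump and faulting instruction copied from the crash log above.
CRASH_LOG = """\
eax=00000000 ebx=06142550 ecx=08255c78 edx=00000000 esi=08255c78 edi=00000000
eip=6701cb50 esp=08f7fc14 ebp=08f7fc1c iopl=0 nv up ei pl zr na pe nc
6701cb50 ff40fc inc dword ptr [eax-4] ds:002b:fffffffc=????????
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
# WinDbg disassembly line: address, opcode bytes, mnemonic, [base+/-disp],
# then segment:selector:address=contents ("????????" when unreadable).
INSN_RE = re.compile(
    r"^(?P<eip>[0-9a-f]{8}) [0-9a-f]+ +(?P<mnemonic>\w+) .*?"
    r"\[(?P<base>e\w\w)(?P<disp>[+-][0-9a-f]+h?)?\] +"
    r"\w\w:[0-9a-f]{4}:(?P<addr>[0-9a-f]{8})=(?P<content>\S+)",
    re.MULTILINE,
)

def parse_registers(log):
    """Return the 32-bit registers found in the dump as {name: int}."""
    return {name: int(value, 16) for name, value in REG_RE.findall(log)}

def triage(log):
    """Recompute the faulting effective address from the register dump."""
    regs = parse_registers(log)
    m = INSN_RE.search(log)
    if m is None:
        raise ValueError("no faulting instruction with a [reg+disp] operand")
    base = m["base"]
    # The displacement is hexadecimal, sometimes written with an 'h' suffix.
    disp = int(m["disp"].rstrip("h"), 16) if m["disp"] else 0
    effective = (regs[base] + disp) & 0xFFFFFFFF  # 32-bit wraparound
    return {
        "mnemonic": m["mnemonic"],
        "base_register": base,
        "base_is_null": regs[base] == 0,
        "effective_address": effective,
        # Distance from address 0 in either direction across the wrap.
        "distance_from_null": min(effective, 0x100000000 - effective),
        "matches_debugger": effective == int(m["addr"], 16),
        "unmapped": set(m["content"]) == {"?"},
        "eip_consistent": regs["eip"] == int(m["eip"], 16),
    }

if __name__ == "__main__":
    for key, value in triage(CRASH_LOG).items():
        print(f"{key}: {value:#010x}" if key == "effective_address" else f"{key}: {value}")
```

For this crash the base register eax is zero, so the increment targets 0xfffffffc, four bytes below a null pointer, which matches the address the debugger reports.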

Vendor response
The vendor has patched the vulnerability and released a new version -

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
04-09-2017 – Public Disclosure

This vulnerability was discovered by Dmitri Kaslov of Telspace Systems.

