Monday, September 11, 2017

Telspace Systems Security Advisory (TSA-2017-003)

Telspace Systems Security Advisory

TSA-2017-003: WPS Office Spreadsheet out of bounds read vulnerability

CVE number

A remote vulnerability exists in the .xls parsing functionality of WPS Spreadsheet. A specially crafted .xls file can cause an out of bounds read vulnerability resulting in potential information leak or code execution. User interaction is required to trigger this vulnerability.


WPS spreadsheet


Vendor URL

Details and crash information
The affected component causes a crash at a memcpy function:

(1ddc.1fd0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\User-Pc\AppData\Local\Kingsoft\WPS Office\\office6\MSVCR100.dll -
(1ddc.1fd0): Access violation - code c0000005 (!!! second chance !!!)
eax=07862b89 ebx=07b500b4 ecx=000066e3 edx=00000000 esi=07848ffd edi=07b52aa4
eip=6f1d1ed7 esp=047df7ec ebp=047df7f4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202

6f1d1ed7 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

Vendor response
The vendor has patched the vulnerability and released a new version -

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
05-09-2017 – Public Disclosure

This vulnerability was discovered by Dmitri Kaslov of Telspace Systems

No comments: