Monday, September 11, 2017

Telspace Systems Security Advisory (TSA-2017-003)


TSA-2017-003: WPS Office Spreadsheet out of bounds read vulnerability

CVE number
CVE-2017-12918

Summary
A remote vulnerability exists in the .xls parsing functionality of WPS Spreadsheet. A specially crafted .xls file can cause an out-of-bounds read, potentially resulting in an information leak or code execution. User interaction is required to trigger this vulnerability.

Vendor
Kingsoft

Product
WPS Spreadsheet

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component crashes inside a memcpy call:

(1ddc.1fd0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\User-Pc\AppData\Local\Kingsoft\WPS Office\10.2.0.5908\office6\MSVCR100.dll -
(1ddc.1fd0): Access violation - code c0000005 (!!! second chance !!!)
eax=07862b89 ebx=07b500b4 ecx=000066e3 edx=00000000 esi=07848ffd edi=07b52aa4
eip=6f1d1ed7 esp=047df7ec ebp=047df7f4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202

MSVCR100!memcpy+0x57:
6f1d1ed7 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
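
The advisory does not give the root cause, so the following is an added illustration of the general bug class and its fix, not WPS code and not the advisory author's: a parser must check a length read from the file against the bytes that remain before it reaches memcpy. It assumes the standard BIFF record layout used by .xls (2-byte type, 2-byte length, then payload); biff_read_record, count_valid_records and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BIFF_MAX_PAYLOAD 8224u /* largest BIFF8 record payload */

/* Little-endian 16-bit read with no alignment assumption. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Copy the payload of the record at buf[*off] into out and advance *off.
 * Returns the payload length, or -1 if the declared length would read past
 * the input or overflow the output buffer. */
long biff_read_record(const uint8_t *buf, size_t buf_len, size_t *off,
                      uint16_t *type, uint8_t *out, size_t out_cap)
{
    if (*off > buf_len || buf_len - *off < 4)
        return -1;                        /* no room for the 4-byte header */
    uint16_t len = rd16(buf + *off + 2);  /* length field comes from the file */
    size_t remaining = buf_len - *off - 4;
    if (len > BIFF_MAX_PAYLOAD || len > remaining || len > out_cap)
        return -1;                        /* reject before memcpy runs */
    *type = rd16(buf + *off);
    memcpy(out, buf + *off + 4, len);
    *off += 4 + (size_t)len;
    return (long)len;
}

/* Constructed sample: a well-formed record, then one whose length field
 * (0x7fff) claims far more data than the two bytes that follow it. */
static const uint8_t SAMPLE[] = {
    0x09, 0x08, 0x02, 0x00, 0xAA, 0xBB,  /* type 0x0809, len 2 */
    0x3C, 0x00, 0xFF, 0x7F, 0x01, 0x02   /* type 0x003C, len 0x7fff */
};

/* Walk SAMPLE; returns how many records were accepted before rejection. */
int count_valid_records(void)
{
    static uint8_t out[BIFF_MAX_PAYLOAD];
    size_t off = 0; uint16_t type = 0; int n = 0;
    while (off < sizeof SAMPLE &&
           biff_read_record(SAMPLE, sizeof SAMPLE, &off, &type, out, sizeof out) >= 0)
        n++;
    return n;
}

int main(void) { printf("accepted %d record(s)\n", count_valid_records()); return 0; }
```

Without the `len > remaining` check, the second record would make memcpy read past the end of the input, the same kind of source-side fault as the `rep movs` in the crash output above.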

Vendor response
The vendor has patched the vulnerability and released a new version, 10.2.0.5934.

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
05-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems.
