Monday, September 18, 2017

Telspace Systems Security Advisory (TSA-2017-004)

Telspace Systems Security Advisory

TSA-2017-004: WPS Office Writer out of bounds read vulnerability

CVE number
CVE-2017-12916

Summary
A remote vulnerability exists in the .doc parsing functionality of WPS Writer. A specially crafted .doc file can cause an out-of-bounds read, resulting in a potential information leak or denial of service. User interaction is required to trigger this vulnerability.

Vendor
Kingsoft

Product
WPS Writer

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component is docreader.dll, which crashes in a dr_CreateSource function:

(7f8.1c0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=0a9fab15 edx=0bcc03f0 esi=0aa26ad8 edi=019fab15
eip=6bb76604 esp=0019ea24 ebp=0019ea6c iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
docreader!dr_CreateSource3Ex+0x1cff:
6bb76604 0fb607          movzx   eax,byte ptr [edi]         ds:002b:019fab15=??
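
An added triage example (not part of the original advisory or any Telspace tooling): it parses the debugger output above to show why the crash is classed as a read fault, checking that the faulting address equals the base register of the memory operand and that the debugger could not read it (`=??`). The `triage` function and its result keys are names chosen for this example.

```python
import re

# Debugger output copied verbatim from the advisory (WinDbg, 32-bit process).
CRASH = """\
(7f8.1c0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=0a9fab15 edx=0bcc03f0 esi=0aa26ad8 edi=019fab15
eip=6bb76604 esp=0019ea24 ebp=0019ea6c iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
docreader!dr_CreateSource3Ex+0x1cff:
6bb76604 0fb607          movzx   eax,byte ptr [edi]         ds:002b:019fab15=??
"""

def triage(text):
    """Summarise a WinDbg x86 access-violation record (hypothetical helper)."""
    code = re.search(r"code ([0-9a-f]{8})", text).group(1)
    # Three-letter register names only (eax..edi, eip, esp, ebp, efl).
    regs = {n: int(v, 16)
            for n, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})", text)}
    mod, sym, off = re.search(r"^(\w+)!(\w+)\+0x([0-9a-f]+):", text, re.M).groups()
    eip, mnem, ops, addr, val = re.search(
        r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s+"
        r"\w+:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)\s*$", text, re.M).groups()
    dst, _, src = ops.partition(",")
    # Heuristic: Intel syntax puts the destination first, so a memory operand
    # that appears only in the source position means the faulting access is a load.
    access = "write" if "[" in dst else "read"
    base = re.search(r"\[(e[a-z]{2})\]", ops)
    base_reg = base.group(1) if base else None
    fault = int(addr, 16)
    return {
        "exception": code,
        "module": mod,
        "symbol": sym,
        "symbol_address": int(eip, 16) - int(off, 16),
        "instruction": f"{mnem} {ops}",
        "access": access,
        "fault_address": fault,
        "base_register": base_reg,
        # The pointer itself is bad if it equals the faulting address.
        "register_matches": base_reg is not None and regs[base_reg] == fault,
        # WinDbg prints ?? when the memory at the operand address is unreadable.
        "unmapped": val == "??",
    }

if __name__ == "__main__":
    for key, value in triage(CRASH).items():
        print(f"{key:17} {value:#x}" if isinstance(value, int)
              and not isinstance(value, bool) else f"{key:17} {value}")
```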

Vendor response
The vendor has patched the vulnerability and released a new version, 10.2.0.5934.

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
xx-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems.
