Wednesday, September 6, 2017

Telspace Systems Security Advisory (TSA-2017-002)


TSA-2017-002: WPS Office Spreadsheet invalid pointer read vulnerability

CVE number
CVE-2017-12915

Summary
A remote vulnerability exists in the .xls parsing functionality of WPS Spreadsheet. A specially crafted .xls file can trigger an invalid pointer read, resulting in a potential information leak or a denial of service. User interaction is required to trigger this vulnerability.

Vendor
Kingsoft

Product
WPS Spreadsheet

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component is the excelrw.dll library, in this function:
excelrw!chart::KETSeriesDataSourceProvider::chartTypeEx

(1e14.560): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\User-Pc\AppData\Local\Kingsoft\WPS Office\10.2.0.5908\office6\excelrw.dll -
eax=0439f78c ebx=9d953784 ecx=9d953784 edx=07f86948 esi=9d953784 edi=06012490
eip=6b8772bd esp=0439f774 ebp=0439f798 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
excelrw!chart::KETSeriesDataSourceProvider::chartTypeEx+0x461fd:
6b8772bd 8b7e4a mov edi,dword ptr [esi+4Ah] ds:002b:9d9537ce=????????
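
An added triage example (not part of the original advisory or any Telspace tooling): this Python script parses the register dump and faulting instruction quoted above, recomputes the effective address of the faulting access, and confirms that it is a read through a non-null pointer the debugger could not dereference. The function name `triage` and the 0x10000 near-null threshold are assumptions made for illustration.

```python
import re

# Register dump and faulting instruction as quoted in the advisory above.
CRASH = """\
eax=0439f78c ebx=9d953784 ecx=9d953784 edx=07f86948 esi=9d953784 edi=06012490
eip=6b8772bd esp=0439f774 ebp=0439f798 iopl=0 nv up ei pl nz na pe nc
excelrw!chart::KETSeriesDataSourceProvider::chartTypeEx+0x461fd:
6b8772bd 8b7e4a mov edi,dword ptr [esi+4Ah] ds:002b:9d9537ce=????????
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
# address, opcode bytes, mnemonic, operands, then WinDbg's "seg:sel:addr=value" note
INSN_RE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(\w+)\s+(.*?)\s+\w{2}:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)$",
    re.M)
MEM_RE = re.compile(r"\[(\w+)(?:([+-])([0-9a-fA-F]+)h)?\]")


def triage(text, null_page_limit=0x10000):  # threshold is an assumption
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    insn = INSN_RE.search(text)
    if not insn:
        raise ValueError("no annotated faulting instruction found")
    addr, _, mnemonic, operands, shown_ea, shown_val = insn.groups()
    mem = MEM_RE.search(operands)
    if not mem:
        raise ValueError("faulting instruction has no memory operand")
    base, sign, disp = mem.groups()
    offset = int(disp, 16) if disp else 0
    ea = (regs[base] + (-offset if sign == "-" else offset)) & 0xFFFFFFFF
    # For mov the destination comes first, so a memory operand after the
    # comma is being read; other mnemonics are left unclassified.
    dst, _, src = operands.partition(",")
    access = ("read" if "[" in src else "write") if mnemonic == "mov" else "unknown"
    return {
        "eip": int(addr, 16),
        "access": access,
        "effective_address": ea,
        "matches_debugger": ea == int(shown_ea, 16),  # cross-check vs ds:...:addr
        "unreadable": set(shown_val) == {"?"},        # WinDbg prints ? for unmapped
        "near_null": ea < null_page_limit,            # NULL-deref class if True
        "pointer_held_in": sorted(r for r, v in regs.items() if v == regs[base]),
    }


if __name__ == "__main__":
    for key, value in triage(CRASH).items():
        print(key, hex(value) if type(value) is int else value)
```

The result shows the bad base pointer is held in ebx, ecx and esi at the time of the fault, and that the faulting address is far from the NULL page, so this is not a simple NULL dereference.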

Vendor response
The vendor has patched the vulnerability and released a new version, 10.2.0.5934.

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
05-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems.
