COSIG-2016-07

#####################################################################################

# Application: WPS Office
# Platforms: Windows
# Versions: WPS Office 10
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: February 01, 2016
# COSIG-2016-07

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

WPS Office (an acronym for Writer, Presentation and Spreadsheets, previously known as Kingsoft Office) is an office suite
for Microsoft Windows, Linux, iOS and Android OS, developed by Zhuhai-based Chinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and
WPS Spreadsheet. The personal basic version is free to use, but a watermark is printed on all printed output after
the 30-day trial ends.

(https://en.wikipedia.org/wiki/WPS_Office)

#####################################################################################

============================
2) Report Timeline
============================

2015-11-24: Francis Provencher of COSIG reports the issue to WPS;
2015-12-06: WPS security confirms the issue;
2016-01-01: COSIG asks for a status update;
2016-01-07: COSIG asks for a status update;
2016-01-14: COSIG asks for a status update;
2016-01-21: COSIG asks for a status update;
2016-02-01: COSIG releases this advisory;

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability in that the target must open a malicious file.
By providing a malformed .xls file, an attacker can cause a heap memory corruption.
An attacker could leverage this to execute arbitrary code under the context of the WPS Spreadsheet process.

#####################################################################################

===========
4) POC
===========

COSIG-2016-07

#####################################################################################