WPS Office堆栈缓冲区溢出漏洞

WPS Office Wpsio.dll Stack Buffer Overflow Vulnerability

PoC: http://www.exploit-db.com/sploits/25140.tgz

1 Summary

CVE number: CVE-2012-4886

Impact: High

Vendor homepage: http://www.wps.cn

Credit: Zhangjiantao of Hangzhou DPtech Technologies

2 Affected Prodects

Affected Version: http://wdl.cache.ijinshan.com/wps/download/special/WPS2012.12012.exe

The WPS office is a free desktop office suite (compatible with Microsoft office),popular in China.

3 Vulnerability Details

In module wpsio.dll, a BSTR string stored in the file is copied to the stack buffer, without strict length inspection, leading to a stack buffer overflow. This sample exploit this issue to cover an object stored in the stack, leading to crash during the virtual function call. Successfully exploited this vulnerability will lead to arbitrary code execution.

4 Crash info

crash info:

(b70.eb8): Access violation – code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=0012c0a4 ebx=770f4b39 ecx=90909090 edx=0012be00 esi=0012c0a4 edi=0018bd54

eip=45e25208 esp=0012bdec ebp=0012bdf8 iopl=0 nv up ei pl zr na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246


45e25208 ff5114 call dword ptr [ecx+14h] ds:0023:909090a4=????????

module info:

start end module name

45e00000 4606f000 wpsio (export symbols) C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll

Loaded symbol image file: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll

Image path: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll

Image name: wpsio.dll

Timestamp: Mon May 28 04:10:12 2012 (4FC28A24)

CheckSum: 0026D933

ImageSize: 0026F000

File version:

Product version:

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 0.0 Unknown

File date: 00000000.00000000

Translations: 0000.04b0

CompanyName: Zhuhai Kingsoft Office-software Co.,Ltd

ProductName: Kingsoft Office

InternalName: wpsio

OriginalFilename: wpsio.dll

ProductVersion: 8,1,0,3238

FileVersion: 8,1,0,3238

FileDescription: wpsio

LegalCopyright: Copyright©1988-2011 Kingsoft Corporation. All rights reserved.

5 Analysis

In sub_45E2CC84:

.text:45E2CC84 var_210 = byte ptr -210h ;buffer size 0x200

.text:45E2CC84 var_4 = dword ptr -4

.text:45E2CDB3 push [ebp+Src] ; BSTR

.text:45E2CDB9 call esi ; SysStringLen

.text:45E2CDBB mov [ebp+var_244], eax

.text:45E2CDC1 add eax, eax ;size is 0x170

.text:45E2CDC3 push eax ; Size

.text:45E2CDC4 push [ebp+Src] ; Src

.text:45E2CDCA lea eax, [ebp+var_210]

.text:45E2CDD0 push eax ; Dst

.text:45E2CDD1 call memcpy

First time,copy 0x170 bytes to buffer var_210.

.text:45E2CE16 push edi ; BSTR

.text:45E2CE17 mov [ebp+var_234], ax

.text:45E2CE1E call esi ; SysStringLen

.text:45E2CE20 add eax, eax

.text:45E2CE22 push eax ; Size

.text:45E2CE23 movzx eax, [ebp+var_234] ;length

.text:45E2CE2A lea eax, [ebp+eax*2+var_210]

.text:45E2CE31 push edi ; Src

.text:45E2CE32 push eax ; Dst

.text:45E2CE33 call memcpy

Second time,copy the same string, placed after the first string. var_234 is the length of the string. Total copy 0x2e0 bytes.

After copy,return address and SEH record has been overwritten.

0:000> k

ChildEBP RetAddr

WARNING: Stack unwind information not available. Following frames may be wrong.

0012c070 90909090 wpsio!TxExport+0xb3e1

0012c148 45e2a113 0x90909090

0:000> !exchain

0012c064: 90909090

Invalid exception stack at 90909090

The source data of memcpy is from the file poc.wps,offset 0x41d7.

6 Exploit

As described above, using a suitable data overwrite SEH record or return address, eip is controllable.

So,We think this is a security vulnerability.


Hangzhou DPtech Technologies Co., Ltd.