WPS Office 11.2.0.11537 Excel file handling leads to RCE
2023-11-29 10:14:22 Author: Ots安全


Summary

An uninitialized pointer use vulnerability exists in the functionality of WPS Office 11.2.0.11537 that handles Data elements in Excel files. A specially crafted malformed file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

Confirmed Vulnerable Versions

The versions below were either tested or verified to be vulnerable by Talos, or confirmed vulnerable by the vendor.
WPS Office 11.2.0.11537

Product URL

WPS Office - https://www.wps.com/

CVSSv3 Score

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-457 - Use of Uninitialized Variable

Details

WPS Office, formerly known as Kingsoft Office, is a suite of productivity tools for enterprise environments and individual users. It offers a range of tools such as WPS Spreadsheets for spreadsheets, WPS Writer for document editing, and more.

When we run et.exe under a debugger with PageHeap enabled, we can observe the following:

(1ba8.2d30): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 406EFF7:0
eax=00000000 ebx=83eceb4c ecx=c0c0c0c0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
eip=6723b200 esp=83eceab8 ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
kso!WStr::data:
6723b200 8b01            mov     eax,dword ptr [ecx]  ds:002b:c0c0c0c0=????????

0xc0c0c0c0 is the typical fill value that the page heap manager writes into a newly allocated heap block, which makes the use of uninitialized variables easy to spot. We can confirm this theory by stepping back a few instructions to find the address from which this value was read:

0:015> p-
Time Travel Position: 406EFF6:1D
eax=00000000 ebx=83eceb4c ecx=81804ff0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
eip=841d6303 esp=83eceabc ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
ethtmlrw2!html2::Attr::~Attr+0x42243:
841d6303 8b4904          mov     ecx,dword ptr [ecx+4] ds:002b:81804ff4=c0c0c0c0

Now, checking the write events related to the address 81804ff4:

================================================================================================================================================
= (+) EventType = (+) ThreadId = (+) UniqueThreadId = (+) TimeStart  = (+) TimeEnd    = (+) AccessType = (+) IP        = (+) Address   = (+) Size = (+) Value     = (+) OverwrittenValue =
[0xa0]  - 0x1          - 0x2d30      - 0x39             - 406E0FE:3A   - 406E0FE:3A   - Write        - 0x77699095  - 0x81804ff4  - 0x4      - 0xc0c0c0c0   - 0x0

and going back to the latest one:

0:015> dx -r1 @$create("Debugger.Models.TTD.Position", 67559678, 58)
@$create("Debugger.Models.TTD.Position", 67559678, 58)                 : 406E0FE:3A [Time Travel]
    Sequence         : 0x406e0fe
    Steps            : 0x3a
    SeekTo           [Method which seeks to time position]
    ToSystemTime     [Method which obtains the approximate system time at a given position]
0:015> dx -s @$create("Debugger.Models.TTD.Position", 67559678, 58).SeekTo()
(1ba8.2d30): Break instruction exception - code 80000003 (first/second chance not available)
Time Travel Position: 406E0FE:3A
0:015> r
eax=c0c0c0c0 ebx=00000000 ecx=00000002 edx=00000000 esi=81804ff0 edi=81804ff4
eip=77699095 esp=83ece6ec ebp=83ece728 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
ntdll!memset+0x45:
77699095 f3ab            rep stos dword ptr es:[edi]
0:015> kb
 # ChildEBP RetAddr      Args to Child              
00 83ece6ec 6ba2a8de     81804ff0 000000c0 0000000c ntdll!memset+0x45
01 83ece728 776ff29e     049a0000 01000002 0000000c verifier!AVrfDebugPageHeapAllocate+0x26e
02 83ece798 77667170     0000000c 38cbb804 049a0000 ntdll!RtlDebugAllocateHeap+0x39
03 83ece944 77666ecc     0000000c 00000018 00000000 ntdll!RtlpAllocateHeap+0xf0
04 83ece9e0 77665e6e     00000000 00000000 0000000c ntdll!RtlpAllocateHeapInternal+0x104c
05 83ece9fc 76830166     049a0000 00000000 0000000c ntdll!RtlAllocateHeap+0x3e
06 83ecea18 841e4c8c     0000000c 83ecea80 841c3e02 ucrtbase!_malloc_base+0x26
WARNING: Stack unwind information not available. Following frames may be wrong.
07 83ecea24 841c3e02     0000000c e648046e 84263348 ethtmlrw2!html2::AttrPack::Compare+0x9f0c
08 83ecea80 841bf2ab     77cfafe0 e64805f6 6fef4ff0 ethtmlrw2!html2::Attr::~Attr+0x2fd42
09 83eceb18 841c4816     714cef00 84263310 7ce5ffb0 ethtmlrw2!html2::Attr::~Attr+0x2b1eb
0a 83eceb30 841c8f74     714cef00 84263310 84263310 ethtmlrw2!html2::Attr::~Attr+0x30756
0b 83eceb44 84170330     7ce5dfe8 4b14cfe0 7cb50ec0 ethtmlrw2!html2::Attr::~Attr+0x34eb4
0c 83eced20 8416f595     6fef0c00 83eced94 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x30a0
0d 83eced5c 67393f3b     73b12fc8 6fef0c00 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x2305
0e 83eceda4 67372cf8     6fef0c00 43d04398 7bfd1000 kso!vml::LegacyDomShapeAcceptor::Transform+0x4b
0f 83ecedd0 6736cd34     6fef0c00 6fe46ff0 43d04070 kso!vml::TFill::Transform+0x1ea8
10 83ecee38 6723d584     83ecf080 6fef0c00 6fef4ff0 kso!vml::VmlDrawingHandler::AddElementAttr+0x784
11 83ecee4c 8416009b     72c76fe8 00490046 00000001 kso!XmlFxSetGlobalMapperHelper2::BeginSet+0xd4
12 83ecee64 84169634     83ecf0b4 00490046 500d2800 ethtmlrw2!html2::StrId::operator!=+0x397b
13 83ecee88 674ff633     4ca0e800 3245efd8 500d2800 ethtmlrw2!html2::StrId::operator!=+0xcf14
14 83eceecc 6750cc0b     7eb8efd0 00000007 6751b800 kso!curl_easy_reset+0xfe81
15 83ecef60 6750c34f     83ecef8b 43d041d4 83ecf28c kso!curl_easy_reset+0x1d459
16 83ecef9c 6750c4a4     00000000 43d04198 83ecf28c kso!curl_easy_reset+0x1cb9d
17 83ecefd0 674fffdc     83ecf030 43d05e5c 83ecf28c kso!curl_easy_reset+0x1ccf2
18 83ecf014 671f9c82     83ecf030 43d05e14 83ecf28c kso!curl_easy_reset+0x1082a
19 83ecf05c 8416279f     54b5af88 5fea6fe8 ffffffff kso!XSAXParse+0x62
1a 83ecf0fc 8416385d     83ecf058 5fea6fe8 7ab56fd0 ethtmlrw2!html2::StrId::operator!=+0x607f
1b 83ecf190 84163a8c     50518fe0 2a810568 e6481f02 ethtmlrw2!html2::StrId::operator!=+0x713d
1c 83ecf1ec 8416180c     59d3cf0c e6481cc2 78272fc8 ethtmlrw2!html2::StrId::operator!=+0x736c
1d 83ecf22c 841902e0     59d3cee8 00000000 e6481db6 ethtmlrw2!html2::StrId::operator!=+0x50ec
1e 83ecf358 8418fae7     59d3cec8 83ecf444 e6481d2a ethtmlrw2!html2::UrlStack::~UrlStack+0x35c0
1f 83ecf3c4 8418e3a4     59d3cec8 83ecf408 0d8f1bc0 ethtmlrw2!html2::UrlStack::~UrlStack+0x2dc7
20 83ecf494 8417d4ca     e64819ba 0029aff0 6e7b0fb8 ethtmlrw2!html2::UrlStack::~UrlStack+0x1684
21 83ecf754 84153f6f     00d3d3e4 7cb50ec0 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x437a
22 83ecf790 841549d9     6e7b0fb8 84155d1f e648192e ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
23 83ecf7c0 76844f9f     6e308c40 fd73b30e 76844f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xb29
24 83ecf7f8 76450099     5013afe8 76450080 83ecf864 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
25 83ecf808 77687b6e     5013afe8 38cba924 00000000 KERNEL32!BaseThreadInitThunk+0x19
26 83ecf864 77687b3e     ffffffff 776a8ca2 00000000 ntdll!__RtlUserThreadStart+0x2f
27 83ecf874 00000000     76844f60 5013afe8 00000000 ntdll!_RtlUserThreadStart+0x1b

We can see that the 0xc0c0c0c0 value was set by one of the internal page heap manager functions.

Further investigation shows that the uninitialized value being read is related to the Data element, or more precisely, to that element being absent from the malformed file. According to the documentation, the Data element is a mandatory child of the Caption element, and it turns out that the developers, following the documentation, assumed its presence without a proper check. That assumption led to the vulnerability described above.

Later in the code, the value of the uninitialized Data object pointer is used in read and write operations, which, combined with proper heap grooming, can lead to precise memory corruption and ultimately remote code execution.
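The pattern described above (a mandatory child assumed present, so the object pointer is never set) beside a checked version, as an added illustration that is not WPS Office code; Node, CaptionView, the two bind functions and the sample trees are constructed stand-ins, and only the element names Caption and Data come from the advisory:

```cpp
// Added illustration of the CWE-457 pattern described above, not WPS Office code.
// Node, CaptionView and both bind functions are constructed stand-ins; only the
// element names Caption and Data come from the advisory.
#include <string>
#include <vector>

struct Node {
    std::string name;
    std::string text;
    std::vector<Node> children;
};

// What the reader of a <Caption> element hands to later code.
struct CaptionView {
    const Node* data;    // points at the mandatory <Data> child
    std::string title;
};

// Vulnerable shape: fields are assigned only for children that are actually found.
// If the file omits <Data>, out.data keeps whatever the allocator left in the block
// (0xc0c0c0c0 under PageHeap), and the first out.data->text is the crash shown above.
void bindCaptionUnchecked(const Node& caption, CaptionView& out) {
    for (const Node& c : caption.children) {
        if (c.name == "Data") out.data = &c;
        else if (c.name == "Title") out.title = c.text;
    }
}

// Hardened shape: start from a fully initialised view, then enforce the schema's
// "mandatory" rule explicitly instead of trusting the input to follow it.
bool bindCaptionChecked(const Node& caption, CaptionView& out, std::string& err) {
    out = CaptionView{nullptr, ""};
    for (const Node& c : caption.children) {
        if (c.name == "Data") out.data = &c;
        else if (c.name == "Title") out.title = c.text;
    }
    if (out.data == nullptr) {
        err = "Caption: mandatory child <Data> is missing";
        return false;   // caller treats the file as malformed; nothing dereferences data
    }
    return true;
}

// Constructed sample trees: a well-formed Caption, and one missing <Data> as in the advisory.
Node makeCaption(bool withData) {
    Node caption{"Caption", "", {Node{"Title", "Sales", {}}}};
    if (withData) caption.children.push_back(Node{"Data", "42", {}});
    return caption;
}
```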

(1ba8.2d30): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 406EFF7:0
eax=00000000 ebx=83eceb4c ecx=c0c0c0c0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
eip=6723b200 esp=83eceab8 ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
kso!WStr::data:
6723b200 8b01            mov     eax,dword ptr [ecx]  ds:002b:c0c0c0c0=????????

0:015> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 83eceb14 841ba621     77cf8fc8 55166f40 e64805b2 kso!WStr::data
01 83eceb5c 84170349     e64803ce 80004005 83eced94 ethtmlrw2!html2::Attr::~Attr+0x26561
02 83eced20 8416f595     6fef0c00 83eced94 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x30b9
03 83eced5c 67393f3b     73b12fc8 6fef0c00 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x2305
04 83eceda4 67372cf8     6fef0c00 43d04398 7bfd1000 kso!vml::LegacyDomShapeAcceptor::Transform+0x4b
05 83ecedd0 6736cd34     6fef0c00 6fe46ff0 43d04070 kso!vml::TFill::Transform+0x1ea8
06 83ecee38 6723d584     83ecf080 6fef0c00 6fef4ff0 kso!vml::VmlDrawingHandler::AddElementAttr+0x784
07 83ecee4c 8416009b     72c76fe8 00490046 00000001 kso!XmlFxSetGlobalMapperHelper2::BeginSet+0xd4
08 83ecee64 84169634     83ecf0b4 00490046 500d2800 ethtmlrw2!html2::StrId::operator!=+0x397b
09 83ecee88 674ff633     4ca0e800 3245efd8 500d2800 ethtmlrw2!html2::StrId::operator!=+0xcf14
0a 83eceecc 6750cc0b     7eb8efd0 00000007 6751b800 kso!curl_easy_reset+0xfe81
0b 83ecef60 6750c34f     83ecef8b 43d041d4 83ecf28c kso!curl_easy_reset+0x1d459
0c 83ecef9c 6750c4a4     00000000 43d04198 83ecf28c kso!curl_easy_reset+0x1cb9d
0d 83ecefd0 674fffdc     83ecf030 43d05e5c 83ecf28c kso!curl_easy_reset+0x1ccf2
0e 83ecf014 671f9c82     83ecf030 43d05e14 83ecf28c kso!curl_easy_reset+0x1082a
0f 83ecf05c 8416279f     54b5af88 5fea6fe8 ffffffff kso!XSAXParse+0x62
10 83ecf0fc 8416385d     83ecf058 5fea6fe8 7ab56fd0 ethtmlrw2!html2::StrId::operator!=+0x607f
11 83ecf190 84163a8c     50518fe0 2a810568 e6481f02 ethtmlrw2!html2::StrId::operator!=+0x713d
12 83ecf1ec 8416180c     59d3cf0c e6481cc2 78272fc8 ethtmlrw2!html2::StrId::operator!=+0x736c
13 83ecf22c 841902e0     59d3cee8 00000000 e6481db6 ethtmlrw2!html2::StrId::operator!=+0x50ec
14 83ecf358 8418fae7     59d3cec8 83ecf444 e6481d2a ethtmlrw2!html2::UrlStack::~UrlStack+0x35c0
15 83ecf3c4 8418e3a4     59d3cec8 83ecf408 0d8f1bc0 ethtmlrw2!html2::UrlStack::~UrlStack+0x2dc7
16 83ecf494 8417d4ca     e64819ba 0029aff0 6e7b0fb8 ethtmlrw2!html2::UrlStack::~UrlStack+0x1684
17 83ecf754 84153f6f     00d3d3e4 7cb50ec0 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x437a
18 83ecf790 841549d9     6e7b0fb8 84155d1f e648192e ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
19 83ecf7c0 76844f9f     6e308c40 fd73b30e 76844f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xb29
1a 83ecf7f8 76450099     5013afe8 76450080 83ecf864 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
1b 83ecf808 77687b6e     5013afe8 38cba924 00000000 KERNEL32!BaseThreadInitThunk+0x19
1c 83ecf864 77687b3e     ffffffff 776a8ca2 00000000 ntdll!__RtlUserThreadStart+0x2f
1d 83ecf874 00000000     76844f60 5013afe8 00000000 ntdll!_RtlUserThreadStart+0x1b

0:015> lmv et
start    end        module name
00020000 0016c000   et           Loaded symbol image file: et.exe
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\et.exe
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\et.exe
    Image name: et.exe
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 08:42:37 2023 (6447765D)
    CheckSum:         0014FD10
    ImageSize:        0014C000
    File version:     11.2.0.11537
    Product version:  11.2.0.11537
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    Information from resource tables:
        CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
        ProductName:      WPS Office
        InternalName:     et
        OriginalFilename: et.exe
        ProductVersion:   11,2,0,11537
        FileVersion:      11,2,0,11537
        FileDescription:  WPS Spreadsheets
        LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.
65ac0000 68a6c000   kso          Loaded symbol image file: kso.dll
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kso.dll
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kso.dll
    Image name: kso.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 09:02:21 2023 (64477AFD)
    CheckSum:         02F68F73
    ImageSize:        02FAC000
    File version:     11.2.0.11537
    Product version:  11.2.0.11537
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    Information from resource tables:
        CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
        ProductName:      WPS Office
        InternalName:     kso
        OriginalFilename: kso.dll
        ProductVersion:   11,2,0,11537
        FileVersion:      11,2,0,11537
        FileDescription:  WPS Office Module
        LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.
69900000 69e02000   Qt5CoreKso   Loaded symbol image file: Qt5CoreKso.dll
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll
    Image name: Qt5CoreKso.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 06:37:12 2023 (644758F8)
    CheckSum:         00503D31
    ImageSize:        00502000
    File version:     5.12.10.0
    Product version:  5.12.10.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      The Qt Company Ltd.
        ProductName:      Qt5
        OriginalFilename: Qt5CoreKso.dll
        ProductVersion:   5.12.10.0
        FileVersion:      5.12.10.0
        FileDescription:  C++ Application Development Framework
        LegalCopyright:   Copyright (C) 2020 The Qt Company Ltd.
6ba20000 6ba85000   verifier     Loaded symbol image file: verifier.dll
    Mapped memory image file: C:\ProgramData\Dbg\sym\verifier.dll\D131439B65000\verifier.dll
    Image path: C:\WINDOWS\SysWOW64\verifier.dll
    Image name: verifier.dll
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        D131439B (This is a reproducible build file hash, not a timestamp)
    CheckSum:         000613E9
    ImageSize:        00065000
    File version:     10.0.19041.1
    Product version:  10.0.19041.1
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     verifier.dll
        OriginalFilename: verifier.dll
        ProductVersion:   10.0.19041.1
        FileVersion:      10.0.19041.1 (WinBuild.160101.0800)
        FileDescription:  Standard application verifier provider dll
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
84150000 84274000   ethtmlrw2    Loaded symbol image file: ethtmlrw2.dll
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ethtmlrw2.dll
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ethtmlrw2.dll
    Image name: ethtmlrw2.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 09:34:34 2023 (6447828A)
    CheckSum:         00130A73
    ImageSize:        00124000
    File version:     11.2.0.11537
    Product version:  11.2.0.11537
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    Information from resource tables:
        CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
        ProductName:      WPS Office
        InternalName:     ethtmlrw2
        OriginalFilename: ethtmlrw2.dll
        ProductVersion:   11,2,0,11537
        FileVersion:      11,2,0,11537
        FileDescription:  
        LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.

Timeline

2023-05-15 - Vendor disclosure

2023-07-11 - Follow-up

2023-07-13 - Follow-up reminder of the 90-day deadline

2023-08-03 - Follow-up

2023-08-07 - Follow-up

2023-08-28 - Follow-up with the advisory release date

2023-11-27 - Public release

Source: http://mp.weixin.qq.com/s?__biz=MzAxMjYyMzkwOA==&mid=2247503111&idx=1&sn=88eab96d4dab30916089feaa22df5607&chksm=9bad844cacda0d5a7b9f6cc2804c621f4f55ba1d7d1c8a230a6556478879680d92c35f2b3526&scene=0&xtrack=1#rd