Arbitrary Code Execution Vulnerabilities Affecting WPS Office – Technical Analysis
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
WPS Office, a popular office suite with over 500 million active users worldwide, has recently found critical vulnerabilities that allow arbitrary code execution.
These vulnerabilities, identified as CVE-2024-7262 and CVE-2024-7263, were discovered by ESET researchers during an investigation into the activities of APT-C-60, a South Korea-aligned cyberespionage group.
This guide provides a detailed technical analysis of these vulnerabilities, their exploitation, and mitigation strategies.
The exploit document embeds a picture hiding the malicious hyperlink
Overview of Vulnerabilities
CVE-2024-7262
The first vulnerability, CVE-2024-7262, was discovered during an investigation into APT-C-60 activities. This flaw allows attackers to execute arbitrary code by exploiting the WPS Office plugin component promecefpluginhost.exe.
The vulnerability stems from improper sanitization of file paths and insufficient validation of loaded plugins.
CVE-2024-7263
Following the discovery of CVE-2024-7262, researchers identified another vulnerability, CVE-2024-7263, which similarly allows arbitrary code execution. This vulnerability was found in the same plugin component and was not fully addressed by initial patches.
Exploitation Techniques
Leveraging MHTML Format
The attackers delivered their payloads using the MHTML file format. MHTML is a web page archive format that combines HTML, CSS, and JavaScript, allowing documents to be viewed in browsers.
Custom Protocol Handler Exploitation
WPS Office registers a custom protocol handler ksoqing://, which can be exploited to execute external applications. By crafting a hyperlink with this protocol, attackers can hijack the application’s control flow, leading to the execution of malicious code.
The WPS Spreadsheet application starts wps.exe to handle the custom protocol ksoqing
Technical Analysis
Root Cause Analysis of CVE-2024-7262
The vulnerability arises from the way WPS Office handles custom protocol URIs. When a user clicks on a hyperlink with the ksoqing:// scheme, WPS Office executes a command with the provided URL. The lack of proper validation allows attackers to manipulate this process to load arbitrary DLLs.
Overview of the exploit’s control flow.
Exploitation Process
Parameter JSCefServicePath is decoded and used as an argument for the QLibrary::load method.
Bypassing File Extension Restrictions
The attackers cleverly bypassed file extension restrictions by appending a trailing dot to the file path, preventing the Windows API from automatically adding a .dll extension.
img tag insertion in the MHTML file.
Timeline of Events
Affected Versions
The vulnerabilities affect WPS Office for Windows versions from 12.2.0.13110 (August 2023) to 12.2.0.17119 (May 2024). Users are strongly advised to update to the latest version to mitigate these risks.
The discovery of these vulnerabilities highlights the persistent threats posed by advanced persistent threat (APT) groups like APT-C-60.
The exploitation of WPS Office underscores the importance of timely software updates and comprehensive security practices. Organizations and users should prioritize patching their systems and remain vigilant against similar threats.
A deceptive spreadsheet embedding an image of regular rows and columns
Root Cause Analysis for CVE-2024-7262
The initial vulnerability, CVE-2024-7262, was addressed by introducing additional checks in the promecefpluginhost.exe and ksojscore.dll components.
These checks were designed to validate the JSCefServicePath variable, ensuring it pointed to legitimate file paths. However, the patch did not adequately cover a similar variable, CefPluginPathU8, leading to the discovery of CVE-2024-7263.
Code checking and discarding passed parameters
Logic Flaws in Variable Handling
Exploitation Path
The vulnerability can be exploited by manipulating the CefPluginPathU8 variable to load an attacker-controlled library.
The process involves:
Exploiting the Vulnerability
The primary method of exploiting CVE-2024-7263 involves leveraging the LoadLibraryExW function to load a library from a network path. This approach is effective because it circumvents local file path restrictions and takes advantage of the unchecked CefPluginPathU8 variable.
Procmon’s stack view showing the loading of our custom library
Affected Versions
The vulnerability affects WPS Office for Windows versions from 12.2.0.13110 (released in August 2023) to 12.2.0.17119 (patched in May 2024). Users of these versions are at risk and should update to the latest version immediately.
The discovery of CVE-2024-7263 also highlights the persistent threat posed by groups like APT-C-60, who have shown a keen interest in targeting users in East Asian countries. By leveraging sophisticated techniques, they can transform seemingly innocuous documents into powerful tools for remote code execution.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
Arbitrary Code Execution Vulnerabilities Affecting WPS Office – Technical Analysis
Author: DhivyaWPS Office, a popular office suite with over 500 million active users worldwide, has recently found critical vulnerabilities that allow arbitrary code execution.
These vulnerabilities, identified as CVE-2024-7262 and CVE-2024-7263, were discovered by ESET researchers during an investigation into the activities of APT-C-60, a South Korea-aligned cyberespionage group.
This guide provides a detailed technical analysis of these vulnerabilities, their exploitation, and mitigation strategies.
The exploit document embeds a picture hiding the malicious hyperlinkOverview of Vulnerabilities
CVE-2024-7262
The first vulnerability, CVE-2024-7262, was discovered during an investigation into APT-C-60 activities. This flaw allows attackers to execute arbitrary code by exploiting the WPS Office plugin component promecefpluginhost.exe.
The vulnerability stems from improper sanitization of file paths and insufficient validation of loaded plugins.
CVE-2024-7263
Following the discovery of CVE-2024-7262, researchers identified another vulnerability, CVE-2024-7263, which similarly allows arbitrary code execution. This vulnerability was found in the same plugin component and was not fully addressed by initial patches.
Exploitation Techniques
Leveraging MHTML Format
The attackers delivered their payloads using the MHTML file format. MHTML is a web page archive format that combines HTML, CSS, and JavaScript, allowing documents to be viewed in browsers.
Custom Protocol Handler Exploitation
WPS Office registers a custom protocol handler ksoqing://, which can be exploited to execute external applications. By crafting a hyperlink with this protocol, attackers can hijack the application’s control flow, leading to the execution of malicious code.
The WPS Spreadsheet application starts wps.exe to handle the custom protocol ksoqingTechnical Analysis
Root Cause Analysis of CVE-2024-7262
The vulnerability arises from the way WPS Office handles custom protocol URIs. When a user clicks on a hyperlink with the ksoqing:// scheme, WPS Office executes a command with the provided URL. The lack of proper validation allows attackers to manipulate this process to load arbitrary DLLs.
Overview of the exploit’s control flow.Exploitation Process
- Host a Malicious Library: The attacker hosts a malicious DLL on a web server.
- Craft a Hyperlink: A hyperlink is crafted to point to the hosted DLL using the ksoqing:// protocol.
- Embed in Document: The hyperlink is embedded in a spreadsheet, then exported as an MHTML file.
- Trigger Execution: When the document is opened, the hyperlink downloads and executes the malicious DLL.
Parameter JSCefServicePath is decoded and used as an argument for the QLibrary::load method.Bypassing File Extension Restrictions
The attackers cleverly bypassed file extension restrictions by appending a trailing dot to the file path, preventing the Windows API from automatically adding a .dll extension.
img tag insertion in the MHTML file.Timeline of Events
- February 29, 2024: The exploit document was uploaded to VirusTotal.
- March 2024: Kingsoft released a silent patch for CVE-2024-7262.
- April 30, 2024: The vulnerability was confirmed to be actively exploited.
- May 2024: Researchers discovered CVE-2024-7263 during patch analysis.
- August 2024: Both vulnerabilities were publicly disclosed.
Affected Versions
The vulnerabilities affect WPS Office for Windows versions from 12.2.0.13110 (August 2023) to 12.2.0.17119 (May 2024). Users are strongly advised to update to the latest version to mitigate these risks.
The discovery of these vulnerabilities highlights the persistent threats posed by advanced persistent threat (APT) groups like APT-C-60.
The exploitation of WPS Office underscores the importance of timely software updates and comprehensive security practices. Organizations and users should prioritize patching their systems and remain vigilant against similar threats.
A deceptive spreadsheet embedding an image of regular rows and columnsRoot Cause Analysis for CVE-2024-7262
The initial vulnerability, CVE-2024-7262, was addressed by introducing additional checks in the promecefpluginhost.exe and ksojscore.dll components.
These checks were designed to validate the JSCefServicePath variable, ensuring it pointed to legitimate file paths. However, the patch did not adequately cover a similar variable, CefPluginPathU8, leading to the discovery of CVE-2024-7263.
Code checking and discarding passed parametersLogic Flaws in Variable Handling
- Case-Sensitive and Case-Insensitive Checks : The patch introduced a case-sensitive check for command line arguments. If a parameter matched the JSCefServicePath variable, it was discarded. However, the subsequent logic used a case-insensitive comparison, allowing attackers to bypass this check by altering the cast of characters in the variable name.
- Unchecked Variable : While the JSCefServicePath was verified to ensure it pointed to a Kingsoft-signed library, the CefPluginPathU8 variable was not subjected to the same scrutiny. This oversight allowed attackers to manipulate the library loading process.
Exploitation Path
The vulnerability can be exploited by manipulating the CefPluginPathU8 variable to load an attacker-controlled library.
The process involves:
- Changing Case in Variable Name : Attackers can bypass the initial check by altering the case of one or more letters in CefPluginPathU8.
- Network Path Loading : The LoadLibraryExW function allows network paths, enabling attackers to host a malicious library on a network share and point CefPluginPathU8 to it.
- Appending libcef.dll : The exploit is constrained by the automatic appending of libcef.dll to the file path. However, this can be managed by hosting a library with the appropriate name on a network share.
Exploiting the Vulnerability
The primary method of exploiting CVE-2024-7263 involves leveraging the LoadLibraryExW function to load a library from a network path. This approach is effective because it circumvents local file path restrictions and takes advantage of the unchecked CefPluginPathU8 variable.
Procmon’s stack view showing the loading of our custom libraryAffected Versions
The vulnerability affects WPS Office for Windows versions from 12.2.0.13110 (released in August 2023) to 12.2.0.17119 (patched in May 2024). Users of these versions are at risk and should update to the latest version immediately.
The discovery of CVE-2024-7263 also highlights the persistent threat posed by groups like APT-C-60, who have shown a keen interest in targeting users in East Asian countries. By leveraging sophisticated techniques, they can transform seemingly innocuous documents into powerful tools for remote code execution.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
