Talos Vulnerability Report

TALOS-2023-1748

WPS Office ET Data use of uninitialized pointer vulnerability

November 27, 2023
CVE Number

CVE-2023-31275

SUMMARY

An uninitialized pointer use vulnerability exists in the functionality of WPS Office 11.2.0.11537 that handles Data elements in an Excel file. A specially crafted malformed file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WPS Office 11.2.0.11537

PRODUCT URLS

WPS Office - https://www.wps.com/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-457 - Use of Uninitialized Variable

DETAILS

WPS Office, previously known as a Kingsoft Office, is a suite of tools used for productivity in both a corporate environment and by individual users. It offers a range of tools, such as WPS Spreadsheets for spreadsheets, WPS Writer for document editing and so on.

When we run et.exe under the debugger with PageHeap turned on, we can observe the following result:

(1ba8.2d30): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 406EFF7:0
eax=00000000 ebx=83eceb4c ecx=c0c0c0c0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
eip=6723b200 esp=83eceab8 ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
kso!WStr::data:
6723b200 8b01            mov     eax,dword ptr [ecx]  ds:002b:c0c0c0c0=????????

c0c0c0c0 is a typical fill value that the page heap manager writes into freshly allocated heap chunks to simplify detection of uninitialized variable usage. We can confirm this theory by going back a few steps to obtain the address from which this value was read:

0:015> p-
Time Travel Position: 406EFF6:1D
eax=00000000 ebx=83eceb4c ecx=81804ff0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
eip=841d6303 esp=83eceabc ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
ethtmlrw2!html2::Attr::~Attr+0x42243:
841d6303 8b4904          mov     ecx,dword ptr [ecx+4] ds:002b:81804ff4=c0c0c0c0

Now, checking write events related to the 81804ff4 address:

================================================================================================================================================
  = (+)     EventType = (+) ThreadId = (+) UniqueThreadId = (+) TimeStart  = (+) TimeEnd    = (+) AccessType = (+) IP        = (+) Address   = (+) Size = (+) Value     = (+) OverwrittenValue 
 =[0xa0]    - 0x1           - 0x2d30       - 0x39            - 406E0FE:3A     - 406E0FE:3A       - Write     - 0x77699095    - 0x81804ff4        - 0x4      - 0xc0c0c0c0         - 0x0   

and going back to the latest one:

0:015> dx -r1 @$create("Debugger.Models.TTD.Position", 67559678, 58)
@$create("Debugger.Models.TTD.Position", 67559678, 58)                 : 406E0FE:3A [Time Travel]
    Sequence         : 0x406e0fe
    Steps            : 0x3a
    SeekTo           [Method which seeks to time position]
    ToSystemTime     [Method which obtains the approximate system time at a given position]
0:015> dx -s @$create("Debugger.Models.TTD.Position", 67559678, 58).SeekTo()
(1ba8.2d30): Break instruction exception - code 80000003 (first/second chance not available)
Time Travel Position: 406E0FE:3A
0:015> r
eax=c0c0c0c0 ebx=00000000 ecx=00000002 edx=00000000 esi=81804ff0 edi=81804ff4
eip=77699095 esp=83ece6ec ebp=83ece728 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
ntdll!memset+0x45:
77699095 f3ab            rep stos dword ptr es:[edi]
0:015> kb
 # ChildEBP RetAddr      Args to Child              
00 83ece6ec 6ba2a8de     81804ff0 000000c0 0000000c ntdll!memset+0x45
01 83ece728 776ff29e     049a0000 01000002 0000000c verifier!AVrfDebugPageHeapAllocate+0x26e
02 83ece798 77667170     0000000c 38cbb804 049a0000 ntdll!RtlDebugAllocateHeap+0x39
03 83ece944 77666ecc     0000000c 00000018 00000000 ntdll!RtlpAllocateHeap+0xf0
04 83ece9e0 77665e6e     00000000 00000000 0000000c ntdll!RtlpAllocateHeapInternal+0x104c
05 83ece9fc 76830166     049a0000 00000000 0000000c ntdll!RtlAllocateHeap+0x3e
06 83ecea18 841e4c8c     0000000c 83ecea80 841c3e02 ucrtbase!_malloc_base+0x26
WARNING: Stack unwind information not available. Following frames may be wrong.
07 83ecea24 841c3e02     0000000c e648046e 84263348 ethtmlrw2!html2::AttrPack::Compare+0x9f0c
08 83ecea80 841bf2ab     77cfafe0 e64805f6 6fef4ff0 ethtmlrw2!html2::Attr::~Attr+0x2fd42
09 83eceb18 841c4816     714cef00 84263310 7ce5ffb0 ethtmlrw2!html2::Attr::~Attr+0x2b1eb
0a 83eceb30 841c8f74     714cef00 84263310 84263310 ethtmlrw2!html2::Attr::~Attr+0x30756
0b 83eceb44 84170330     7ce5dfe8 4b14cfe0 7cb50ec0 ethtmlrw2!html2::Attr::~Attr+0x34eb4
0c 83eced20 8416f595     6fef0c00 83eced94 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x30a0
0d 83eced5c 67393f3b     73b12fc8 6fef0c00 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x2305
0e 83eceda4 67372cf8     6fef0c00 43d04398 7bfd1000 kso!vml::LegacyDomShapeAcceptor::Transform+0x4b
0f 83ecedd0 6736cd34     6fef0c00 6fe46ff0 43d04070 kso!vml::TFill::Transform+0x1ea8
10 83ecee38 6723d584     83ecf080 6fef0c00 6fef4ff0 kso!vml::VmlDrawingHandler::AddElementAttr+0x784
11 83ecee4c 8416009b     72c76fe8 00490046 00000001 kso!XmlFxSetGlobalMapperHelper2::BeginSet+0xd4
12 83ecee64 84169634     83ecf0b4 00490046 500d2800 ethtmlrw2!html2::StrId::operator!=+0x397b
13 83ecee88 674ff633     4ca0e800 3245efd8 500d2800 ethtmlrw2!html2::StrId::operator!=+0xcf14
14 83eceecc 6750cc0b     7eb8efd0 00000007 6751b800 kso!curl_easy_reset+0xfe81
15 83ecef60 6750c34f     83ecef8b 43d041d4 83ecf28c kso!curl_easy_reset+0x1d459
16 83ecef9c 6750c4a4     00000000 43d04198 83ecf28c kso!curl_easy_reset+0x1cb9d
17 83ecefd0 674fffdc     83ecf030 43d05e5c 83ecf28c kso!curl_easy_reset+0x1ccf2
18 83ecf014 671f9c82     83ecf030 43d05e14 83ecf28c kso!curl_easy_reset+0x1082a
19 83ecf05c 8416279f     54b5af88 5fea6fe8 ffffffff kso!XSAXParse+0x62
1a 83ecf0fc 8416385d     83ecf058 5fea6fe8 7ab56fd0 ethtmlrw2!html2::StrId::operator!=+0x607f
1b 83ecf190 84163a8c     50518fe0 2a810568 e6481f02 ethtmlrw2!html2::StrId::operator!=+0x713d
1c 83ecf1ec 8416180c     59d3cf0c e6481cc2 78272fc8 ethtmlrw2!html2::StrId::operator!=+0x736c
1d 83ecf22c 841902e0     59d3cee8 00000000 e6481db6 ethtmlrw2!html2::StrId::operator!=+0x50ec
1e 83ecf358 8418fae7     59d3cec8 83ecf444 e6481d2a ethtmlrw2!html2::UrlStack::~UrlStack+0x35c0
1f 83ecf3c4 8418e3a4     59d3cec8 83ecf408 0d8f1bc0 ethtmlrw2!html2::UrlStack::~UrlStack+0x2dc7
20 83ecf494 8417d4ca     e64819ba 0029aff0 6e7b0fb8 ethtmlrw2!html2::UrlStack::~UrlStack+0x1684
21 83ecf754 84153f6f     00d3d3e4 7cb50ec0 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x437a
22 83ecf790 841549d9     6e7b0fb8 84155d1f e648192e ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
23 83ecf7c0 76844f9f     6e308c40 fd73b30e 76844f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xb29
24 83ecf7f8 76450099     5013afe8 76450080 83ecf864 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
25 83ecf808 77687b6e     5013afe8 38cba924 00000000 KERNEL32!BaseThreadInitThunk+0x19
26 83ecf864 77687b3e     ffffffff 776a8ca2 00000000 ntdll!__RtlUserThreadStart+0x2f
27 83ecf874 00000000     76844f60 5013afe8 00000000 ntdll!_RtlUserThreadStart+0x1b

We can see that the 0xc0c0c0c0 value was set by one of the internal page heap manager functions.

Further investigation revealed that the uninitialized value read is related to the Data element, or, more precisely, to its absence in a malformed file. According to the documentation, the Data element is an obligatory child of the Caption element, and it turned out that the developers, following the documentation, assumed its existence without proper checks. That assumption led to the vulnerability described above.

The uninitialized Data object pointer is later used in both read and write operations, which, in combination with proper heap grooming, can lead to precise memory corruption and consequently to remote code execution.
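The bug pattern described above, as an added illustration that is not code from the advisory or from WPS Office: a hypothetical parser model in which the Caption object is allocated without zeroing and its Data pointer is only assigned when the element is present, shown beside the hardened form and a triage check for the PageHeap fill pattern. All type and function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model (names are assumptions, not WPS Office
 * internals): a Caption element whose Data child the code treats as mandatory. */
typedef struct { char text[32]; } DataElem;
typedef struct { DataElem *data; } Caption;

/* Mimics PageHeap: fresh chunks are filled with 0xC0 bytes, so an untouched
 * pointer field reads as 0xC0C0C0C0 (wider on 64-bit builds). */
static void *pageheap_alloc(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, 0xC0, n);
    return p;
}

static DataElem *make_data(const char *text) {
    DataElem *d = calloc(1, sizeof *d);
    if (d) snprintf(d->text, sizeof d->text, "%s", text);
    return d;
}

/* Vulnerable pattern: the object is not zeroed and data is only assigned when
 * the file contains a Data element, so a file omitting it leaves garbage. */
static Caption *parse_caption_vulnerable(const char *data_text) {
    Caption *c = pageheap_alloc(sizeof *c);
    if (c && data_text) c->data = make_data(data_text);
    return c;                        /* c->data uninitialized if Data absent */
}

/* Hardened pattern: zero-initialize so a missing Data element yields NULL,
 * which the consumer below checks before dereferencing. */
static Caption *parse_caption_fixed(const char *data_text) {
    Caption *c = calloc(1, sizeof *c);   /* c->data == NULL */
    if (c && data_text) c->data = make_data(data_text);
    return c;
}

/* Consumer: returns "" instead of touching a missing Data element. */
static const char *caption_text(const Caption *c) {
    return (c && c->data) ? c->data->text : "";
}

/* Triage check: does the pointer field still hold the PageHeap fill pattern?
 * Byte comparison works for any pointer size. */
static int data_ptr_uninitialized(const Caption *c) {
    unsigned char fill[sizeof c->data];
    memset(fill, 0xC0, sizeof fill);
    return memcmp(&c->data, fill, sizeof fill) == 0;
}
```

Calling parse_caption_vulnerable(NULL) models a file without a Data element and leaves the fill pattern in the pointer, while parse_caption_fixed(NULL) yields a NULL that caption_text() handles safely.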

Crash Information

(1ba8.2d30): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 406EFF7:0
eax=00000000 ebx=83eceb4c ecx=c0c0c0c0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
eip=6723b200 esp=83eceab8 ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
kso!WStr::data:
6723b200 8b01            mov     eax,dword ptr [ecx]  ds:002b:c0c0c0c0=????????


0:015> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 83eceb14 841ba621     77cf8fc8 55166f40 e64805b2 kso!WStr::data
01 83eceb5c 84170349     e64803ce 80004005 83eced94 ethtmlrw2!html2::Attr::~Attr+0x26561
02 83eced20 8416f595     6fef0c00 83eced94 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x30b9
03 83eced5c 67393f3b     73b12fc8 6fef0c00 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x2305
04 83eceda4 67372cf8     6fef0c00 43d04398 7bfd1000 kso!vml::LegacyDomShapeAcceptor::Transform+0x4b
05 83ecedd0 6736cd34     6fef0c00 6fe46ff0 43d04070 kso!vml::TFill::Transform+0x1ea8
06 83ecee38 6723d584     83ecf080 6fef0c00 6fef4ff0 kso!vml::VmlDrawingHandler::AddElementAttr+0x784
07 83ecee4c 8416009b     72c76fe8 00490046 00000001 kso!XmlFxSetGlobalMapperHelper2::BeginSet+0xd4
08 83ecee64 84169634     83ecf0b4 00490046 500d2800 ethtmlrw2!html2::StrId::operator!=+0x397b
09 83ecee88 674ff633     4ca0e800 3245efd8 500d2800 ethtmlrw2!html2::StrId::operator!=+0xcf14
0a 83eceecc 6750cc0b     7eb8efd0 00000007 6751b800 kso!curl_easy_reset+0xfe81
0b 83ecef60 6750c34f     83ecef8b 43d041d4 83ecf28c kso!curl_easy_reset+0x1d459
0c 83ecef9c 6750c4a4     00000000 43d04198 83ecf28c kso!curl_easy_reset+0x1cb9d
0d 83ecefd0 674fffdc     83ecf030 43d05e5c 83ecf28c kso!curl_easy_reset+0x1ccf2
0e 83ecf014 671f9c82     83ecf030 43d05e14 83ecf28c kso!curl_easy_reset+0x1082a
0f 83ecf05c 8416279f     54b5af88 5fea6fe8 ffffffff kso!XSAXParse+0x62
10 83ecf0fc 8416385d     83ecf058 5fea6fe8 7ab56fd0 ethtmlrw2!html2::StrId::operator!=+0x607f
11 83ecf190 84163a8c     50518fe0 2a810568 e6481f02 ethtmlrw2!html2::StrId::operator!=+0x713d
12 83ecf1ec 8416180c     59d3cf0c e6481cc2 78272fc8 ethtmlrw2!html2::StrId::operator!=+0x736c
13 83ecf22c 841902e0     59d3cee8 00000000 e6481db6 ethtmlrw2!html2::StrId::operator!=+0x50ec
14 83ecf358 8418fae7     59d3cec8 83ecf444 e6481d2a ethtmlrw2!html2::UrlStack::~UrlStack+0x35c0
15 83ecf3c4 8418e3a4     59d3cec8 83ecf408 0d8f1bc0 ethtmlrw2!html2::UrlStack::~UrlStack+0x2dc7
16 83ecf494 8417d4ca     e64819ba 0029aff0 6e7b0fb8 ethtmlrw2!html2::UrlStack::~UrlStack+0x1684
17 83ecf754 84153f6f     00d3d3e4 7cb50ec0 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x437a
18 83ecf790 841549d9     6e7b0fb8 84155d1f e648192e ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
19 83ecf7c0 76844f9f     6e308c40 fd73b30e 76844f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xb29
1a 83ecf7f8 76450099     5013afe8 76450080 83ecf864 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
1b 83ecf808 77687b6e     5013afe8 38cba924 00000000 KERNEL32!BaseThreadInitThunk+0x19
1c 83ecf864 77687b3e     ffffffff 776a8ca2 00000000 ntdll!__RtlUserThreadStart+0x2f
1d 83ecf874 00000000     76844f60 5013afe8 00000000 ntdll!_RtlUserThreadStart+0x1b


0:015> lmv et
start    end        module name
00020000 0016c000   et       
    Loaded symbol image file: et.exe
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\et.exe
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\et.exe
    Image name: et.exe
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 08:42:37 2023 (6447765D)
    CheckSum:         0014FD10
    ImageSize:        0014C000
    File version:     11.2.0.11537
    Product version:  11.2.0.11537
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    Information from resource tables:
        CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
        ProductName:      WPS Office
        InternalName:     et
        OriginalFilename: et.exe
        ProductVersion:   11,2,0,11537
        FileVersion:      11,2,0,11537
        FileDescription:  WPS Spreadsheets
        LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.
65ac0000 68a6c000   kso      
    Loaded symbol image file: kso.dll
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kso.dll
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kso.dll
    Image name: kso.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 09:02:21 2023 (64477AFD)
    CheckSum:         02F68F73
    ImageSize:        02FAC000
    File version:     11.2.0.11537
    Product version:  11.2.0.11537
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    Information from resource tables:
        CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
        ProductName:      WPS Office
        InternalName:     kso
        OriginalFilename: kso.dll
        ProductVersion:   11,2,0,11537
        FileVersion:      11,2,0,11537
        FileDescription:  WPS Office Module
        LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.
69900000 69e02000   Qt5CoreKso 
    Loaded symbol image file: Qt5CoreKso.dll
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll
    Image name: Qt5CoreKso.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 06:37:12 2023 (644758F8)
    CheckSum:         00503D31
    ImageSize:        00502000
    File version:     5.12.10.0
    Product version:  5.12.10.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      The Qt Company Ltd.
        ProductName:      Qt5
        OriginalFilename: Qt5CoreKso.dll
        ProductVersion:   5.12.10.0
        FileVersion:      5.12.10.0
        FileDescription:  C++ Application Development Framework
        LegalCopyright:   Copyright (C) 2020 The Qt Company Ltd.
6ba20000 6ba85000   verifier 
    Loaded symbol image file: verifier.dll
    Mapped memory image file: C:\ProgramData\Dbg\sym\verifier.dll\D131439B65000\verifier.dll
    Image path: C:\WINDOWS\SysWOW64\verifier.dll
    Image name: verifier.dll
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        D131439B (This is a reproducible build file hash, not a timestamp)
    CheckSum:         000613E9
    ImageSize:        00065000
    File version:     10.0.19041.1
    Product version:  10.0.19041.1
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     verifier.dll
        OriginalFilename: verifier.dll
        ProductVersion:   10.0.19041.1
        FileVersion:      10.0.19041.1 (WinBuild.160101.0800)
        FileDescription:  Standard application verifier provider dll
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
84150000 84274000   ethtmlrw2 
    Loaded symbol image file: ethtmlrw2.dll
    Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ethtmlrw2.dll
    Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ethtmlrw2.dll
    Image name: ethtmlrw2.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 25 09:34:34 2023 (6447828A)
    CheckSum:         00130A73
    ImageSize:        00124000
    File version:     11.2.0.11537
    Product version:  11.2.0.11537
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    Information from resource tables:
        CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
        ProductName:      WPS Office
        InternalName:     ethtmlrw2
        OriginalFilename: ethtmlrw2.dll
        ProductVersion:   11,2,0,11537
        FileVersion:      11,2,0,11537
        FileDescription:  
        LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.

TIMELINE

2023-05-15 - Vendor Disclosure
2023-07-11 - Follow-up
2023-07-13 - Follow-up reminder of 90-day deadline
2023-08-03 - Follow-up
2023-08-07 - Follow-up
2023-08-28 - Follow-up with suggested release date
2023-11-27 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.