Arbitrary Code Execution Vulnerabilities Affecting WPS Office


WPS Office, a popular office suite with over 500 million active users worldwide, has recently found critical vulnerabilities that allow arbitrary code execution.

These vulnerabilities, identified as CVE-2024-7262 and CVE-2024-7263, were discovered by ESET researchers during an investigation into the activities of APT-C-60, a South Korea-aligned cyberespionage group.

EHA

This guide provides a detailed technical analysis of these vulnerabilities, their exploitation, and mitigation strategies.

The exploit document embeds a picture hiding the malicious hyperlink
The exploit document embeds a picture hiding the malicious hyperlink

Overview of Vulnerabilities

CVE-2024-7262

The first vulnerability, CVE-2024-7262, was discovered during an investigation into APT-C-60 activities. This flaw allows attackers to execute arbitrary code by exploiting the WPS Office plugin component promecefpluginhost.exe.

The vulnerability stems from improper sanitization of file paths and insufficient validation of loaded plugins.

CVE-2024-7263

Following the discovery of CVE-2024-7262, researchers identified another vulnerability, CVE-2024-7263, which similarly allows arbitrary code execution. This vulnerability was found in the same plugin component and was not fully addressed by initial patches.

Exploitation Techniques

Leveraging MHTML Format

The attackers delivered their payloads using the MHTML file format. MHTML is a web page archive format that combines HTML, CSS, and JavaScript, allowing documents to be viewed in browsers.

By embedding a malicious hyperlink within an MHTML file, attackers could trigger the download and execution of a remote file when the document was opened in WPS Spreadsheet.

Custom Protocol Handler Exploitation

WPS Office registers a custom protocol handler ksoqing://, which can be exploited to execute external applications. By crafting a hyperlink with this protocol, attackers can hijack the application’s control flow, leading to the execution of malicious code.

The WPS Spreadsheet application starts wps.exe to handle the custom protocol ksoqing
The WPS Spreadsheet application starts wps.exe to handle the custom protocol ksoqing

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Technical Analysis

Root Cause Analysis of CVE-2024-7262

The vulnerability arises from the way WPS Office handles custom protocol URIs. When a user clicks on a hyperlink with the ksoqing:// scheme, WPS Office executes a command with the provided URL. The lack of proper validation allows attackers to manipulate this process to load arbitrary DLLs.

Overview of the exploit’s control flow.
Overview of the exploit’s control flow.

Exploitation Process

  1. Host a Malicious Library: The attacker hosts a malicious DLL on a web server.
  2. Craft a Hyperlink: A hyperlink is crafted to point to the hosted DLL using the ksoqing:// protocol.
  3. Embed in Document: The hyperlink is embedded in a spreadsheet, then exported as an MHTML file.
  4. Trigger Execution: When the document is opened, the hyperlink downloads and executes the malicious DLL.
Parameter JSCefServicePath is decoded and used as an argument for the QLibrary::load method.
Parameter JSCefServicePath is decoded and used as an argument for the QLibrary::load method.

Bypassing File Extension Restrictions

The attackers cleverly bypassed file extension restrictions by appending a trailing dot to the file path, preventing the Windows API from automatically adding a .dll extension.

img tag insertion in the MHTML file.
img tag insertion in the MHTML file.

Timeline of Events

  • February 29, 2024: The exploit document was uploaded to VirusTotal.
  • March 2024: Kingsoft released a silent patch for CVE-2024-7262.
  • April 30, 2024: The vulnerability was confirmed to be actively exploited.
  • May 2024: Researchers discovered CVE-2024-7263 during patch analysis.
  • August 2024: Both vulnerabilities were publicly disclosed.

Affected Versions

The vulnerabilities affect WPS Office for Windows versions from 12.2.0.13110 (August 2023) to 12.2.0.17119 (May 2024). Users are strongly advised to update to the latest version to mitigate these risks.

The discovery of these vulnerabilities highlights the persistent threats posed by advanced persistent threat (APT) groups like APT-C-60.

The exploitation of WPS Office underscores the importance of timely software updates and comprehensive security practices. Organizations and users should prioritize patching their systems and remain vigilant against similar threats.

A deceptive spreadsheet embedding an image of regular rows and columns
A deceptive spreadsheet embedding an image of regular rows and columns

Root Cause Analysis for CVE-2024-7262

The initial vulnerability, CVE-2024-7262, was addressed by introducing additional checks in the promecefpluginhost.exe and ksojscore.dll components.

These checks were designed to validate the JSCefServicePath variable, ensuring it pointed to legitimate file paths. However, the patch did not adequately cover a similar variable, CefPluginPathU8, leading to the discovery of CVE-2024-7263.

Code checking and discarding passed parameters
Code checking and discarding passed parameters

Logic Flaws in Variable Handling

  1. Case-Sensitive and Case-Insensitive Checks: The patch introduced a case-sensitive check for command line arguments. If a parameter matched the JSCefServicePath variable, it was discarded. However, the subsequent logic used a case-insensitive comparison, allowing attackers to bypass this check by altering the cast of characters in the variable name.
  2. Unchecked Variable: While the JSCefServicePath was verified to ensure it pointed to a Kingsoft-signed library, the CefPluginPathU8 variable was not subjected to the same scrutiny. This oversight allowed attackers to manipulate the library loading process.

Exploitation Path

The vulnerability can be exploited by manipulating the CefPluginPathU8 variable to load an attacker-controlled library.

The process involves:

  • Changing Case in Variable Name: Attackers can bypass the initial check by altering the case of one or more letters in CefPluginPathU8.
  • Network Path Loading: The LoadLibraryExW function allows network paths, enabling attackers to host a malicious library on a network share and point CefPluginPathU8 to it.
  • Appending libcef.dll: The exploit is constrained by the automatic appending of libcef.dll to the file path. However, this can be managed by hosting a library with the appropriate name on a network share.

Exploiting the Vulnerability

The primary method of exploiting CVE-2024-7263 involves leveraging the LoadLibraryExW function to load a library from a network path. This approach is effective because it circumvents local file path restrictions and takes advantage of the unchecked CefPluginPathU8 variable.

Procmon’s stack view showing the loading of our custom library
Procmon’s stack view showing the loading of our custom library

Affected Versions

The vulnerability affects WPS Office for Windows versions from 12.2.0.13110 (released in August 2023) to 12.2.0.17119 (patched in May 2024). Users of these versions are at risk and should update to the latest version immediately.

The discovery of CVE-2024-7263 also highlights the persistent threat posed by groups like APT-C-60, who have shown a keen interest in targeting users in East Asian countries. By leveraging sophisticated techniques, they can transform seemingly innocuous documents into powerful tools for remote code execution.

By understanding the technical details and exploitation methods of these vulnerabilities, security professionals can better protect their systems and prevent similar attacks in the future.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial



Source link