WPS Office Vulnerability Allows Arbitrary Code Execution

APT-C-60, a South Korea-aligned cyberespionage group, exploited a code execution vulnerability (CVE-2024-7262) in WPS Office for Windows to target East Asian countries. 

Upon analyzing the root cause, researchers discovered an alternative way to exploit the faulty code (CVE-2024-7263), which allowed attackers to execute arbitrary code on a vulnerable system, enabling them to compromise sensitive data and gain unauthorized access.

It exploited a zero-day vulnerability in WPS Office to deliver malware to East Asian users and allowed attackers to execute arbitrary code by embedding malicious hyperlinks in MHTML files. Kingsoft, the developer of WPS Office, silently patched the vulnerability but did not publicize the exploitation. 

The exploit document embeds a picture hiding the malicious hyperlink.

ESET researchers discovered and reported the vulnerability to Kingsoft, but the company was slow to respond and did not provide clear information about its actions, and the vulnerability remains a significant threat to WPS Office users. 

APT-C-60 exploited a vulnerability in WPS Office by leveraging the ksoqing protocol handler to execute malicious code. When a user clicked on a specially crafted hyperlink, the WPS Spreadsheet application would launch wps.exe, which, in turn, would load a malicious DLL from a remote location and then execute arbitrary code, allowing the attackers to gain control of the victim’s system. 

The vulnerability was triggered by a specific format of the hyperlink, which included a base64-encoded command line and a token that verified the authenticity of the command.

Overview of the exploit’s control flow

The attackers leveraged the MHTML format in WPS Office to download and store a malicious library on the system. By inserting an img tag with a remote URL in the MHTML file, the library was downloaded to a predictable location under %localappdata%\Temp\wps\INetCache\. 

Then they used a relative path from the WPS Office root directory to load the library, bypassing the .dll extension issue with a trailing dot character, which could be triggered by opening the MHTML file or clicking on a linked image within it, affecting WPS Office versions from 12.2.0.13110 to 12.1.0.16412.

Call stack detail of our library being loaded

The patch introduced to mitigate CVE-2024-7262 in WPS Office contained a flaw that could be exploited to achieve code execution. By manipulating the case of the named variables JSCefServicePath and CefPluginPathU8, attackers could bypass the intended checks and load arbitrary libraries. 

While the patch correctly verified the signature of the library loaded from JSCefServicePath, it neglected to do so for CefPluginPathU8, which allowed attackers to replace the legitimate libcef.dll with a malicious one, potentially leading to remote code execution.

Checking the signature of the library being loaded

We Live Security describes a vulnerability in WPS Office for Windows that allows attackers to execute arbitrary code on a compromised system, which is exploited by tricking users into opening a malicious MHTML file, which then loads a malicious DLL file from a network share. 

The DLL file hijacks the control flow of the vulnerable process and executes malicious code. The affected versions of WPS Office range from 12.2.0.13110 to 12.2.0.17119, as users are strongly advised to update their software to the latest version to mitigate this risk.

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here