Skip to content

HadiMed/KINGSOFT-WPS-Office-LPE

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
src
 
 
 
 
 
 

JVN Advisory

https://jvn.jp/en/vu/JVNVU90673830/

The following CVE number have been assigned:

KINGSOFT WPS Office LPE

WPS Office is an office suite for Microsoft Windows, macOS, Linux, iOS, Android, and HarmonyOS developed by Zhuhai-based Chinese software developer Kingsoft.

Exploring WPS

One of the nicest features that WPS offers is a cloud service to save your documents , work etc ... , this service by default is set to manual , it's started only if you navigate to WPS cloud into the WPS office panel but the service gets started with the current user privilege (Low priv).

Vulnerability

Looking into the early imports done by wps cloud service once started , it looks like it will first try to import a DLL called CRYPTSP.DLL and other ones from *C:\ProgramData\kingsoft\office6* if they aren't there and by default they aren't , the service will load it from System32 as you can see :



The issue here is that the ACL for that directory is configured as read write to all users, an attacker can plant a malicious DLL there and restart the executable , but it gets started as current priv level (low priv user) , unless we start the executable as service (Since it's installed as one) with something like net start wpscloudsvr which will start the service as NT AUTHORITY .
The issue here seems to be more of an ACL misconfiguration .

Exploit

My exploit is simple , it will copy the crafted DLL ( change Administrator password ) to the target directory restart the service , now an access to administrator account is available , which means I have access to sedebugpriv from there I steal the winlogon token and start cmd as NT AUTHORITY / System .

PoC

125179100-1e63fa00-e1b9-11eb-91f5-aa6bf0378df5.1.1.mp4

About

CVE-2022-25943

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages