The Kingsoft WPS Office suite, a popular alternative to Microsoft Office, contains an improper path validation vulnerability. The issue, identified as CVE-2024-7262, affects the promecefpluginhost.exe component in WPS Office versions ranging from 12.2..13110 to 12.2..16412 (exclusive) on Windows. Exploiting it allows an attacker to load an arbitrary Windows library, which could lead to remote code execution, privilege escalation, or other compromising actions. This article provides a brief overview of the vulnerability, a code snippet demonstrating the issue, links to original references, and details on how the exploit has already been weaponized.

Improper Path Validation in promecefpluginhost.exe

The root cause of this vulnerability lies in the improper validation of paths used by the promecefpluginhost.exe component in WPS Office. The affected component loads Windows libraries without verifying their location, which could allow an attacker to load a malicious library from an arbitrary path.

The following code snippet demonstrates the affected component loading a potentially unsafe library, with no check on where that library resides:

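// promecefpluginhost.exe

#include <windows.h>

// ...

int main(void) {
  // The library location is never validated before loading, so a DLL
  // at an arbitrary path can end up inside the process.
  HMODULE hLibrary = LoadLibraryW(L"arbitrary_library.dll");
  // ...
  return hLibrary != NULL ? 0 : 1;
}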
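
For contrast with the snippet above, here is one way a loader could validate a library path before handing it to LoadLibrary. This is an added example, not code from this article's sources or from Kingsoft, and it is not the vendor's fix. The function names and the trusted directory are hypothetical, and the check is purely lexical: it does not resolve junctions, symlinks or 8.3 short names.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical install directory used for illustration only. */
static const char TRUSTED_DIR[] = "C:\\Program Files\\ExampleApp\\plugins";

/* Lexically normalise an absolute drive-letter path: unify separators,
 * lower-case, resolve "." and "..". Returns -1 for relative, drive-relative,
 * UNC/remote or device paths, for ".." above the drive root, or overflow. */
static int normalize_win_path(const char *in, char *out, size_t cap) {
    size_t n = 0;
    if (cap < 4 || !isalpha((unsigned char)in[0]) || in[1] != ':' ||
        (in[2] != '\\' && in[2] != '/'))
        return -1;
    out[n++] = (char)tolower((unsigned char)in[0]);
    out[n++] = ':';
    for (const char *p = in + 2; *p; ) {
        while (*p == '\\' || *p == '/') p++;        /* skip separators */
        size_t len = strcspn(p, "\\/");
        if (len == 0) break;
        if (len == 1 && p[0] == '.') { p += len; continue; }
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (n == 2) return -1;                  /* would leave the drive */
            while (out[n - 1] != '\\') n--;         /* drop last segment */
            n--;                                    /* and its separator */
            p += len;
            continue;
        }
        if (n + 1 + len + 1 > cap) return -1;
        out[n++] = '\\';
        for (size_t i = 0; i < len; i++)
            out[n++] = (char)tolower((unsigned char)p[i]);
        p += len;
    }
    out[n] = '\0';
    return 0;
}

/* Returns 1 only if path normalises to a location inside trusted_dir. */
int is_trusted_library_path(const char *path, const char *trusted_dir) {
    char p[520], d[520];
    if (normalize_win_path(path, p, sizeof p) != 0 ||
        normalize_win_path(trusted_dir, d, sizeof d) != 0)
        return 0;
    size_t dl = strlen(d);
    /* The match must end on a separator, so a sibling directory such as
     * "...\pluginsevil" is not treated as being inside "...\plugins". */
    return strncmp(p, d, dl) == 0 && p[dl] == '\\';
}
```

A loader using this pattern would refuse to call LoadLibrary whenever the function returns 0.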

Original References

1. CVE-2024-7262 - Improper Path Validation in Kingsoft WPS Office
2. In-depth analysis of the vulnerability and its impact on WPS Office

Weaponized Exploit

Recently, researchers discovered this vulnerability being used as a single-click exploit within a maliciously crafted spreadsheet document. By embedding their own library into the document and utilizing the improper path validation bug, the attackers can compromise a victim's system after simply opening the document.

Here's an example of how an attack using such a malicious document could unfold:

1. Victim receives an email with an attached spreadsheet document claiming to be an invoice or other important information.
2. Upon opening the document, the improper path validation vulnerability in promecefpluginhost.exe is exploited, which causes an arbitrary library to be loaded.
3. The malicious library executes arbitrary code on the victim's machine, leading to further compromise or data exfiltration.

Mitigations

Users of Kingsoft WPS Office are advised to update their software to the latest version (12.2..16412 or later) to address this vulnerability. Additionally, users should be cautious while opening documents from unknown sources and ensure that their security software is up to date.

Conclusion

The improper path validation vulnerability in Kingsoft WPS Office (CVE-2024-7262) could pose a significant risk to affected users, as it allows attackers to load arbitrary Windows libraries and execute code within the compromised system. By staying informed about the latest security research and updating software as promptly as possible, users can protect themselves against this and other potential threats.

Timeline

Published on: 08/15/2024 15:15:22 UTC
Last modified on: 09/05/2024 13:30:33 UTC