WPS Office HtmTableAlt use-after-free vulnerability report

admin, 2022-06-01 09:48:05, 83 views, 10060 characters, 33 min 32 s read
May 29 - Talos vulnerability report

CVE Number

CVE-2021-40399


Summary

An exploitable use-after-free vulnerability exists in WPS Spreadsheets (ET), part of WPS Office version 11.2.0.10351. A specially crafted XLS file can lead to a use-after-free condition, resulting in remote code execution. An attacker needs to provide the malformed file to the victim to trigger the vulnerability.


Tested Versions

WPS Office 11.2.0.10351


Product URLs

WPS Office - https://www.wps.com/


CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H


CWE

CWE-416 - Use After Free


Details

WPS Office, formerly known as Kingsoft Office, is a suite of tools for improving productivity in enterprise environments and for end users. It offers a range of tools that serve various purposes, for example WPS Spreadsheets for spreadsheets, WPS Writer for document editing, and so on.


A specially crafted XLS file containing suitably formed HTML/XML markup can lead to a use-after-free vulnerability and remote code execution. Let's run the malformed xls file in ET.exe under a debugger:

(6a4.1674): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 6E147E:0
eax=00000000 ebx=0d4eeeb8 ecx=00000000 edx=00000000 esi=1ccb5dcb edi=5f06dfb8
eip=0228282b esp=0d4eedb0 ebp=0d4eee58 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
0228282b 006200          add     byte ptr [edx],ah          ds:002b:00000000=??

0:011> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0d4eee58 0dd5b0b8 00000000 06dbd130 06dbd170 0x228282b
01 0d4eef20 5f0b0a75 1ccb432f 07b5f1a0 00000000 0xdd5b0b8
02 0d4ef310 5f0afba4 07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
03 0d4ef5e0 5f2fd0e0 00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
04 0d4ef8b4 5f2d41ef 00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
05 0d4ef8f0 5f2d4bf9 06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
06 0d4ef920 75a64f9f 07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
07 0d4ef958 776ffa29 075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
08 0d4ef968 77847a9e 075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
09 0d4ef9c4 77847a6e ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
0a 0d4ef9d4 00000000 75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b

It looks like the execution flow has been redirected into a non-executable region:

0:011> !address 0228282b
Usage:                  <unknown>
Base Address:           02270000
End Address:            022da000
Region Size:            0006a000 ( 424.000 kB)
State:                  00001000          MEM_COMMIT
Protect:                00000004          PAGE_READWRITE
Type:                   00020000          MEM_PRIVATE
Allocation Base:        02270000
Allocation Protect:     00000001          PAGE_NOACCESS

Let's check the memory contents:

0:011> db 02282828
02282828  74 00 61 00 62 00 6c 00-65 00 00 00 74 00 62 00  t.a.b.l.e...t.b.
02282838  6f 00 64 00 79 00 00 00-74 00 66 00 6f 00 6f 00  o.d.y...t.f.o.o.
02282848  74 00 00 00 74 00 68 00-65 00 61 00 64 00 00 00  t...t.h.e.a.d...
02282858  6c 00 6f 00 63 00 6b 00-00 00 00 00 70 00 61 00  l.o.c.k.....p.a.
02282868  74 00 68 00 00 00 00 00-73 00 6b 00 65 00 77 00  t.h.....s.k.e.w.
02282878  00 00 00 00 67 00 72 00-6f 00 75 00 70 00 00 00  ....g.r.o.u.p...
02282888  6f 00 76 00 61 00 6c 00-00 00 00 00 63 00 75 00  o.v.a.l.....c.u.
02282898  72 00 76 00 65 00 00 00-72 00 67 00 62 00 28 00  r.v.e...r.g.b.(.
0:011> du 02282828
02282828  "table"


We can clearly see that program execution has indeed ended up in a non-executable (data) region. Stepping back a few instructions to the moment where code execution was redirected, we see the following code:

0:011> r
eax=0228bea0 ebx=0228bed0 ecx=0228bed0 edx=013e0000 esi=0dd5bd78 edi=0d4eee58
eip=5f06dfb5 esp=0d4eed94 ebp=0d4eedf4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
html2!html2::HtmBoxRefOperator::imitateBoxFlags+0x365:
5f06dfae 8b5d08         mov     ebx, dword ptr [ebp+8]
5f06dfb1 8bcb           mov     ecx, ebx
5f06dfb3 8b03           mov     eax, dword ptr [ebx]
5f06dfb5 ff5034         call    dword ptr [eax+34h]  ds:002b:0228bed4=02282828

This looks like a typical call to one of the object's virtual functions. Most likely the object was freed earlier and its vftable pointer at 0228bed0 was overwritten. Let's set a write-access breakpoint on 0228bed0 and run our software again:

0:011> g-
Breakpoint 0 hit
Time Travel Position: 6E1064:A7
eax=0228bea0 ebx=0228bed0 ecx=00a6e000 edx=0000000b esi=01437c70 edi=06cd5a98
eip=6a437c7d esp=0d4eec08 ebp=0d4eec14 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
kso!mfxGlobalFree2+0x5d:
6a437c7d 8b4704          mov     eax,dword ptr [edi+4] ds:002b:06cd5a9c=00000055
0:011> kb
 # ChildEBP RetAddr      Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0d4eec14 5f06d818     0000000b 00000030 1ccb5c03 kso!mfxGlobalFree2+0x5d
01 0d4eec3c 5f0b649f     1ccb5c53 0d4ef078 07ba5174 html2!html2::HtmCreator::createXmlNodesRef+0x4f8
02 0d4eec6c 5f0c22c0     07ba5174 0d4eef38 0d4eef38 html2!html2::StrIdSet::gainLower+0xbf
03 0d4eec90 5f0c8d34     022812e0 07b60f01 5f0c90f0 html2!html2::ParserContext::urlStack+0xac00
04 0d4eeca4 5f0c8a47     022812e0 00000000 07b60f01 html2!html2::ParserContext::urlStack+0x11674
05 0d4eecd0 5f0c6dfc     022812e0 07b60f01 0d4eef38 html2!html2::ParserContext::urlStack+0x11387
06 0d4eecf8 5f0c8a96     00020000 00000001 0d4ef3f4 html2!html2::ParserContext::urlStack+0xf73c
07 0d4eed20 5f0c6dfc     022812f0 07b60f01 0d4eef38 html2!html2::ParserContext::urlStack+0x113d6
08 0d4eed48 5f0c7c40     00084404 00000000 00000000 html2!html2::ParserContext::urlStack+0xf73c
09 0d4eed70 5f0c4d7c     022812f0 00000000 00000001 html2!html2::ParserContext::urlStack+0x10580
0a 0d4eed90 5f0b24da     022812f0 00000000 07ba6ff0 html2!html2::ParserContext::urlStack+0xd6bc
0b 0d4eedc8 5f0b32f0     07b6b670 07b15e70 0d4ef668 html2!html2::HtmDocument::topBoxs+0x197a
0c 0d4eee00 5f0b2271     1ccb5e07 07b6b670 0d4eef38 html2!html2::HtmDocument::topBoxs+0x2790
0d 0d4eee38 5f0cb8c5     00000003 0074683c 0d4eef38 html2!html2::HtmDocument::topBoxs+0x1711
0e 0d4eef20 5f0b0a75     1ccb432f 07b5f1a0 00000000 html2!html2::ParserContext::urlStack+0x14205
0f 0d4ef310 5f0afba4     07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
10 0d4ef5e0 5f2fd0e0     00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
11 0d4ef8b4 5f2d41ef     00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
12 0d4ef8f0 5f2d4bf9     06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
13 0d4ef920 75a64f9f     07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
14 0d4ef958 776ffa29     075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
15 0d4ef968 77847a9e     075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
16 0d4ef9c4 77847a6e     ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
17 0d4ef9d4 00000000     75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b

Our assumption is confirmed. What matters for us is that the object was freed through a call to kso!mfxGlobalFree2. If we track down its allocation:

dx -r1 -g @$cursession.TTD.Calls("kso!mfxGlobalAlloc2").Where( x => x.ReturnValue == 0x0228bed0)

we get the additional information that our object represents a table:

.text:5F06CEF0 public: static struct html2::HtmTable * __cdecl html2::HtmCreator::createHtmTableAlt(void) proc near
.text:5F06CEF0                 push    30h ; '0'
.text:5F06CEF2                 call    mfxGlobalAlloc2
.text:5F06CEF7                 mov     dword ptr [eax], offset const html2::HtmTableAltImpl::`vftable'
.text:5F06CEFD                 mov     dword ptr [eax+4], 0
.text:5F06CF04                 mov     dword ptr [eax+8], 0
.text:5F06CF0B                 mov     dword ptr [eax+0Ch], 0
.text:5F06CF12                 mov     dword ptr [eax+10h], 0
.text:5F06CF19                 mov     dword ptr [eax+14h], 0
.text:5F06CF20                 mov     dword ptr [eax+18h], 0
.text:5F06CF27                 mov     dword ptr [eax+1Ch], 0
.text:5F06CF2E                 mov     dword ptr [eax+20h], 0
.text:5F06CF35                 mov     dword ptr [eax+24h], 0
.text:5F06CF3C                 mov     dword ptr [eax+28h], 0
.text:5F06CF43                 mov     word ptr [eax+2Ch], 0
.text:5F06CF49                 retn

0:011> r
eax=0228bed0 ebx=07ba51b4 ecx=0228bed0 edx=00000037 esi=07ba51b4 edi=079b1810
eip=5f06cef7 esp=0d4eebf0 ebp=0d4eec68 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
html2!html2::HtmCreator::createHtmTableAlt+0x7:
5f06cef7 c700b0be105f    mov     dword ptr [eax],offset html2::HtmTableAltImpl::`vftable' (5f10beb0) ds:002b:0228bed0=0228bf00

With proper heap grooming, an attacker can gain full control over this use-after-free, which may allow it to be turned into arbitrary code execution.
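To make the sequence the debugger output above describes concrete, here is an added C model of the HtmTableAlt lifecycle (not WPS code; the allocator, the struct, and every function name are hypothetical): the 0x30-byte object from createHtmTableAlt is freed while an owner still holds a pointer, the chunk is immediately reused for the UTF-16 name data seen in the db dump, and the next call through vftable slot 13 (call [eax+34h]) would dispatch through string bytes. The vulnerable path is shown beside the hardened one, which clears the owner's reference together with the free and verifies the vftable pointer before dispatching.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the report's lifecycle; allocator and names are hypothetical, not WPS code. */
#define BLOCK_SIZE  0x30   /* push 30h before mfxGlobalAlloc2 (32-bit build) */
#define SLOT_CALLED 13     /* call dword ptr [eax+34h] -> slot 0x34/4 */
typedef struct HtmTableAlt HtmTableAlt;
typedef int (*vfn_t)(const HtmTableAlt *);
struct HtmTableAlt {
    const vfn_t *vftable;         /* dword ptr [eax] in createHtmTableAlt */
    uint32_t fields[10];          /* [eax+4] .. [eax+28h], zeroed */
    uint16_t flag;                /* word ptr [eax+2Ch] */
};
static int imitate_box_flags(const HtmTableAlt *t) { (void)t; return 1; }
static const vfn_t HtmTableAltImpl_vftable[SLOT_CALLED + 1] = {
    [SLOT_CALLED] = imitate_box_flags };
/* One-block allocator: a freed block is handed out again at once, so parser
 * string data lands on top of the dead table object. */
static union { HtmTableAlt obj; uint8_t raw[BLOCK_SIZE]; } arena;
static int arena_free = 1;
static void *alloc2(size_t n) {
    if (!arena_free || n > sizeof arena) return NULL;
    arena_free = 0; return &arena;
}
static void free2(void *p) { if (p == (void *)&arena) arena_free = 1; }
static HtmTableAlt *create_htm_table_alt(void) {
    HtmTableAlt *t = alloc2(sizeof *t);
    if (t) { memset(t, 0, sizeof *t); t->vftable = HtmTableAltImpl_vftable; }
    return t;
}
/* Guarded virtual call: dispatches slot 13 only through the genuine vftable and
 * returns its result (1); 0 = vftable pointer no longer names the known table
 * (never call through it); -1 = reference already cleared. */
int guarded_dispatch(const HtmTableAlt *t) {
    if (!t) return -1;
    if (t->vftable != HtmTableAltImpl_vftable) return 0;
    return t->vftable[SLOT_CALLED](t);
}
/* Sequence from the report: create, free (kso!mfxGlobalFree2), block reused for
 * UTF-16 "table" as in the db dump, then the virtual call. clear_ref != 0 is
 * the hardened variant: the owner's reference is nulled together with the free. */
int run_scenario(int clear_ref) {
    static const uint16_t name[] = {'t','a','b','l','e',0};   /* constructed */
    HtmTableAlt *owner_ref = create_htm_table_alt();
    if (guarded_dispatch(owner_ref) != 1) return -2;          /* live object */
    free2(owner_ref);
    if (clear_ref) owner_ref = NULL;
    memcpy(alloc2(sizeof name), name, sizeof name);           /* chunk reuse */
    int verdict = guarded_dispatch(owner_ref);                /* 0 or -1 */
    free2(&arena);
    return verdict;
}
```

In the report the reused chunk held a pointer whose slot 13 pointed at the wide string "table", so the real process jumped into those bytes; the model stops at the guard instead of dispatching.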


Crash Information

(6a4.1674): Break instruction exception - code 80000003 (first/second chance not available)
Time Travel Position: 6E147D:7D
eax=0228bea0 ebx=0228bed0 ecx=0228bed0 edx=013e0000 esi=0dd5bd78 edi=0d4eee58
eip=5f06dfb5 esp=0d4eed94 ebp=0d4eedf4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
html2!html2::HtmBoxRefOperator::imitateBoxFlags+0x365:
5f06dfb5 ff5034          call    dword ptr [eax+34h]  ds:002b:0228bed4=02282828
0:011> g
(6a4.1674): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 6E147E:0
eax=00000000 ebx=0d4eeeb8 ecx=00000000 edx=00000000 esi=1ccb5dcb edi=5f06dfb8
eip=0228282b esp=0d4eedb0 ebp=0d4eee58 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
0228282b 006200          add     byte ptr [edx],ah          ds:002b:00000000=??
0:011> kb
 # ChildEBP RetAddr      Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0d4eee58 0dd5b0b8     00000000 06dbd130 06dbd170 0x228282b
01 0d4eef20 5f0b0a75     1ccb432f 07b5f1a0 00000000 0xdd5b0b8
02 0d4ef310 5f0afba4     07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
03 0d4ef5e0 5f2fd0e0     00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
04 0d4ef8b4 5f2d41ef     00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
05 0d4ef8f0 5f2d4bf9     06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
06 0d4ef920 75a64f9f     07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
07 0d4ef958 776ffa29     075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
08 0d4ef968 77847a9e     075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
09 0d4ef9c4 77847a6e     ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
0a 0d4ef9d4 00000000     75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b
0:011> lmDvmet
Browse full module list
start    end        module name
00d20000 00e6b000   et         (export symbols)       et.exe
    Loaded symbol image file: et.exe
    Mapped memory image file: c:\Users\icewall\AppData\Local\Kingsoft\WPS Office\11.2.0.10351\office6\et.exe
    Image path: c:\Users\icewall\AppData\Local\Kingsoft\WPS Office\11.2.0.10351\office6\et.exe
    Image name: et.exe
    Browse all global symbols  functions  data
    Timestamp:        Sat Oct 23 14:16:30 2021 (6173FD1E)
    CheckSum:         00153DB1
    ImageSize:        0014B000
    File version:     11.2.0.10351
    Product version:  11.2.0.10351
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0
    Information from resource tables:
        CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
        ProductName:      WPS Office
        InternalName:     et
        OriginalFilename: et.exe
        ProductVersion:   11,2,0,10351
        FileVersion:      11,2,0,10351
        FileDescription:  WPS Spreadsheets
        LegalCopyright:   Copyright©2021 Kingsoft Corporation. All rights reserved.


Vendor Response

International version: https://www.wps.com/office/windows/

Domestic (China) personal edition: https://official-package.wpscdn.cn/wps/download/WPS_Setup_11691.exe

Enterprise edition: https://wps-cn-ep.ks3-cn-beijing.ksyun.com/wps/download/ep/WPS2019/WPSPro_11.8.2.11542.exe

The official WPS disclosure for this vulnerability is available at: https://security.wps.cn/notices/28




Timeline

2021-11-18 - Vendor disclosure

2021-12-15 - 30 day follow up

2022-01-07 - 60 day follow up

2022-01-13 - Copy of the advisory re-sent to the vendor at their request

2022-04-02 - Talos granted a disclosure extension

2022-05-02 - Vendor patched

2022-05-09 - Public release


Credit

Discovered by Marcin "Icewall" Noga of Cisco Talos.

Originally published on the WeChat official account Ots安全: WPS Office HtmTableAlt use-after-free vulnerability report

Please keep this link when reposting (CN-SEC): WPS Office HtmTableAlt use-after-free vulnerability report http://cn-sec.com/archives/1074590.html
