25.8 C
New York
Monday, September 2, 2024

Evaluation of two arbitrary code execution vulnerabilities affecting WPS Workplace


ESET researchers found a code execution vulnerability in WPS Workplace for Home windows (CVE⁠-⁠2024⁠-⁠7262), because it was being exploited by APT-C-60, a South Korea-aligned cyberespionage group. Upon analyzing the foundation trigger, we subsequently found one other approach to exploit the defective code (CVE-2924-7263). Following a coordinated disclosure course of, each vulnerabilities at the moment are patched – on this blogpost, we offer technical particulars. 

Key factors of the blogpost:

  • APT-C-60 weaponized a code execution vulnerability in WPS Workplace for Home windows (CVE-2024-7262) in an effort to goal East Asian nations.
  • A root trigger evaluation of this vulnerability is offered together with an outline of its weaponization.
  • The examine of the exploit led ESET researchers to the invention of another path to use the vulnerability (CVE-2024-7263).

Overview

Whereas investigating APT-C-60 actions, we discovered an odd spreadsheet doc referencing one of many group’s many downloader parts. Our evaluation led us to the invention of a code execution vulnerability in WPS Workplace for Home windows being exploited within the wild by APT-C-60 to focus on East Asian nations. The ultimate payload is a customized backdoor we internally named SpyGlace, publicly documented by ThreatBook as TaskControler.dll.

In response to the WPS web site, this software program has over 500 million lively customers worldwide, which makes it a superb goal to succeed in a considerable variety of people within the East Asia area. Throughout our coordinated vulnerability disclosure course of, DBAPPSecurity independently revealed an evaluation of the weaponized vulnerability and confirmed that APT-C-60 has exploited the vulnerability to ship malware to customers in China.

The malicious doc (SHA-1: 7509B4C506C01627C1A4C396161D07277F044AC6) comes as an MHTML export of the generally used XLS spreadsheet format. Nevertheless, it incorporates a specifically crafted and hidden hyperlink designed to set off the execution of an arbitrary library if clicked when utilizing the WPS Spreadsheet utility. The moderately unconventional MHTML file format permits a file to be downloaded as quickly because the doc is opened; subsequently, leveraging this system whereas exploiting the vulnerability gives for distant code execution. Determine 1 exhibits how the doc is displayed in WPS Spreadsheet: a picture of rows and columns referencing the Coremail e-mail resolution, used as a decoy. The picture hides the malicious hyperlink. 

Evaluation of two arbitrary code execution vulnerabilities affecting WPS Workplace
Determine 1. The exploit doc embeds an image hiding the malicious hyperlink

Following our coordinated vulnerability disclosure coverage, from the second the weaponized doc was uploaded to VirusTotal to the discharge of this blogpost, the next timeline was noticed:

  • 2024-02-29: The exploit doc for CVE-2024-7262 was uploaded to VirusTotal.
  • 2024-03-??: Kingsoft launched an replace that silently patched the CVE-2024-7672 vulnerability in order that the 2024-02-29 exploit not labored. This was decided retrospectively, by analyzing all accessible WPS Workplace releases between 2024-03 and 2024-04, as Kingsoft was not particularly forthcoming in offering exact particulars of its actions when trying to restore this vulnerability.
  • 2024-04-30: We analyzed the malicious doc from VirusTotal and found it was actively exploiting CVE-2024-7262, which was a zero-day vulnerability on the time of the doc’s preliminary use. We additionally found that Kingsoft’s silent patch addressed just one a part of the defective code, and the remaining flawed code was nonetheless exploitable.
  • 2024-05-25: We contacted Kingsoft to report our findings. Whereas the primary vulnerability was already patched, we requested if they might create a CVE entry and/or a public assertion as that they had for CVE-2022-24934.
  • 2024-05-30: Kingsoft acknowledged the vulnerabilities and informed us they might preserve us up to date.
  • 2024-06-17: We requested for an replace.
  • 2024-06-22: Kingsoft informed us the event crew was nonetheless engaged on it and was aiming to repair this within the coming model.
  • 2024-07-31: Primarily based on later exams, we discovered that CVE-2024-7263 was silently patched. We suggested Kingsoft that we had reserved and have been getting ready CVE-2024-7262 and CVE-2024-7263.
  • 2024-08-11: DBAPPSecurity crew independently revealed its findings.
  • 2024-08-15: CVE-2024-7262 and CVE-2024-7263 have been revealed.
  • 2024-08-16: We requested Kingsoft for one more replace.
  • 2024-08-22: Kingsoft acknowledged it had fastened CVE-2024-7263 by the tip of Could, which contradicts the corporate’s declare on 2024-06-22 that its growth crew “are nonetheless engaged on it”.
  • 2024-08-28: Kingsoft has acknowledged each vulnerabilities and that it has patched each. Nevertheless, it has expressed no real interest in publicizing the in-the-wild exploitation of CVE-2024-7262 so we at the moment are publishing this blogpost to warn Kingsoft’s prospects that they need to urgently replace WPS Workplace attributable to in-the-wild exploitation and third-party disclosure of the CVE-2024-7262 vulnerability and exploit, which enhance the probabilities of additional exploitation.

The CVE-2024-7262 vulnerability stemmed from the dearth of sanitization of an attacker-provided file path and lack of validation of the plugin being loaded. After analyzing its patch, we found one other approach to exploit the vulnerability by leveraging an extra logic bug.

CVE-2024-7262

This part describes the bug exploited by APT-C-60 that enables code execution by way of hijacking the management circulation of the WPS Workplace plugin element promecefpluginhost.exe. We additionally clarify how the vulnerability was triggered and weaponized within the form of a legitimate-looking spreadsheet doc.

Root trigger evaluation

When putting in WPS Workplace for Home windows, the software program suite registers a customized protocol handler known as ksoqing that enables the execution of an exterior utility every time a person clicks on a URL beginning with the URI scheme ksoqing://. Within the Home windows working system, the registration of a customized protocol handler is finished within the registry. On this case, the default worth beneath the important thing HKCRksoqingshellopencommand directs Home windows to execute C:CustomersAppDataLocalKingsoftWPS Workplaceoffice6wps.exe with the argument /qingbangong “%1” the place %1 is changed with the complete URL. For example this, Determine 2 exhibits what occurs when a person clicks on a hyperlink utilizing the customized protocol ksoqing contained in the WPS Spreadsheet utility (et.exe).

Determine 2. The WPS Spreadsheet utility begins wps.exe to deal with the customized protocol ksoqing

Determine 3 gives an outline of the management circulation of the exploit for CVE-2024-7262.

Determine 3. Overview of the exploit’s management circulation

As soon as launched, wps.exe hundreds qingbangong.dll, the element chargeable for parsing and validating sure parameters from the hyperlink. The malicious hyperlink within the exploit file we discovered has the next format ksoqing://sort=ksolaunch&cmd=&token=&launchname=promecefpluginhost.exe. In response to our evaluation and exams, this ends in launching an utility already current on the system (on this case, promecefpluginhost.exe), with the attacker-provided base64-encoded command line.

The token parameter is the MD5 hash of the encoded worth of the cmd parameter concatenated with the string _qingLaunchKey_ adopted by the encoded worth of the launchname parameter. The final one should be an executable situated beneath C:CustomersAppDataLocalKingsoftWPS Workplaceoffice6 and signed with a sound certificates from Kingsoft.

After decoding the cmd parameter, we discovered that the command line /qingbangong -CefParentID=1 -JSCefServicePath= is handed to promecefpluginhost.exe. After some initialization, the library ksojscore.dll is loaded and decodes the JSCefServicePath parameter. The result’s a string handed as a parameter to Qt’s QLibrary::load methodology. This file path is attacker-defined, which implies that an attacker may obtain code execution by loading an arbitrary DLL. Determine 4 illustrates how the attacker-controlled JSCefServicePath parameter is processed by ksojscore.dll.

Determine 4. Parameter JSCefServicePath is decoded (left) and used as an argument for the QLibrary::load methodology (proper)

Basically, it’s attainable to abuse the ksoqing scheme protocol and create a hyperlink that when clicked will load a library from a given distant file path. APT-C-60 weaponized the vulnerability to execute its first-stage trojan downloader element (SHA-1: 08906644B0EF1EE6478C45A6E0DD28533A9EFC29).

Exploiting the vulnerability

In an effort to exploit this vulnerability, an attacker would wish to retailer a malicious library someplace accessible by the focused pc both on the system or on a distant share, and know its file path prematurely. The exploit builders of this vulnerability knew a few methods that helped them obtain this.

Leveraging the MHTML format to obtain distant information

The authors of the exploit selected to leverage a particular function of the supported MHTML file format to have their malicious element downloaded and saved on the system in a predictable approach. This explicit sort of file is an export format supplied by Microsoft Phrase and Excel functions to permit customers to view paperwork of their browser. It’s a multipart archive containing HTML, CSS, and JavaScript information that facilitate the show of the doc. By inserting an img tag inside one of many HTML information, it’s attainable to make the Spreadsheet utility obtain a distant file when the doc is being loaded. As an illustration, Determine 5 exhibits one in all our check information with the img tag and its src aspect pointing to a library saved regionally.

Determine 5. img tag insertion

When opening the spreadsheet doc with the WPS Spreadsheet et.exe utility, the distant library is mechanically downloaded and saved on disk, as noticed utilizing ProcMon proven in Determine 6.

Determine 6. The WPS Spreadsheet utility downloads and shops our library on the system

Discovering a predictable file path

As for the predictable file path drawback, we discovered that the downloaded information are saved beneath %localappdatapercentTempwpsINetCache and the filename is the MD5 hash of the URL encoded in UTF‑16LE. As an illustration, our URL was http://localhost/Dll1.dll for which the MD5 hash is 914CBE6372D5B7C93ADDC4FEB5E964CD. Nevertheless, when making an attempt to set the variable JSCefServicePath to level to such a file path, it will get concatenated to the foundation listing of the WPS Workplace utility situated beneath %localappdatapercentKingsoftWPS Workplaceoffice6. If the file can’t be discovered, promecefpluginhost.exe will attempt to retrieve the library from different paths, as proven in Determine 7.

Determine 7. The file path pointed to by JSCefServicePath is appended to the foundation listing of WPS Workplace

Nevertheless, it’s attainable to make use of a relative path from the foundation listing of the WPS Workplace utility, reminiscent of ……..TempwpsINetCache914cbe6372d5b7c93addc4feb5e964cd.

The file extension drawback

There’s a final impediment to beat. An astute reader would have in all probability seen that the .dll extension will get appended to the filename when the promecefpluginhost.exe course of tries to load the library. As seen in Determine 6, the extension shouldn’t be appended when the downloaded file is created. The authors of the exploit, as soon as once more, used their data of the Home windows API to bypass this restriction. As talked about earlier, the QLibrary::Load methodology is chargeable for loading the library which in flip calls LoadLibraryW. The documentation for the lpLibFileName parameter handed to this perform states that including a trailing dot character (.) prevents the perform from appending the .dll extension. Subsequently, appending this character to the relative path would permit our library to get loaded.

Reproducing the exploit

When placing all of it collectively, in an effort to reproduce the exploit, we adopted these steps:

  • Host a customized library on an online server.
  • Compute the MD5 hash of the URL.
  • Construct the corresponding hyperlink.
  • Create a spreadsheet doc, insert the hyperlink, and export it as an MHTML file.
  • Insert an img tag contained in the exported file to level to the URL.

Determine 8 illustrates how you can construct the hyperlink.

Determine 8. Constructing the hyperlink

After opening the doc, a single click on on the hyperlink triggered the vulnerability and our customized library was loaded as proven in Determine 9 and, in additional element, in Determine 10.

Determine 9. Our customized library will get written to disk and loaded
Determine 10. Name stack element of our library being loaded

When loaded, our customized library writes the PID, the presence of admin privileges, and the file path of the internet hosting course of to a log file. We reproduced the exploit for various variations of WPS Workplace for Home windows as illustrated in Determine 11.

Determine 11. Log file itemizing for weak WPS Workplace variations

Since this can be a one-click vulnerability, the exploit builders embedded an image of the spreadsheet’s rows and columns contained in the spreadsheet in an effort to deceive and persuade the person that the doc is an everyday spreadsheet. The malicious hyperlink was linked to the picture in order that clicking on a cell within the image would set off the exploit, as reproduced in Determine 12.

Determine 12. A misleading spreadsheet embedding a picture of standard rows and columns

One other fascinating reality about this vulnerability is that it can be triggered by way of a single click on within the preview pane in Home windows Explorer, which makes it much more harmful.

Affected variations

The affected variations of WPS Workplace for Home windows vary from 12.2.0.13110, launched round August 2023 till the discharge of the patch in March 2024 with model 12.1.0.16412. The weaponized doc was first uploaded to VirusTotal in February; some malicious parts, given their PE timestamp, have been inbuilt February.

CVE-2024-7263

This part gives an evaluation of the patch for CVE-2024-7262 and the ensuing discovery of one other code execution vulnerability by way of hijacking the management circulation of the identical WPS Workplace plugin element: promecefpluginhost.exe.

Root trigger evaluation

Through the means of determining which variations have been affected by the primary vulnerability, we analyzed the patch that was silently launched in model 12.1.0.16412 (launched round March 2024) to mitigate CVE-2024-7262. Basically, further checks have been put contained in the promecefpluginhost.exe and ksojscore.dll parts to confirm the attacker-controlled variable JSCefServicePath. Nevertheless, an analogous variable was not coated by the patch: CefPluginPathU8.

The primary examine occurs when promecefpluginhost.exe iterates over its totally different command line arguments. If a parameter has the identical identify (case delicate comparability) as one of many aforementioned variables, the parameter is discarded as proven in Determine 13.

Determine 13. Code checking and discarding handed parameters

After that, it retrieves the anticipated file path for JSCefServicePath the place jscefservice.dll is meant to be saved. The true path must be %LOCALAPPDATApercentKingsoftWPS Workplaceoffice6addonskcef, as seen in Determine 14. The identical is finished for CefPluginPathU8 for which the actual path ought to level to %LOCALAPPDATApercentKingsoftWPS Workplaceoffice6addonscef.

Determine 14. Code retrieving the proper library to load

A brand new command line is constructed with the accepted command line parameters, adopted by the retrieved file paths recognized by the named variables. promecefpluginhost.exe then hundreds the library ksojscore.dll and its export CefRenderEntryPoint known as with the rebuilt command line. Each named variables are checked however this time the comparability is case insensitive (see line 2 in Determine 15).

Determine 15. The primary case-insensitive incidence of the variable is taken

Right here lies the primary logic flaw. If not less than one letter of the named variables is modified to its uppercase or lowercase counterpart, the primary (case-sensitive) examine won’t end result within the attacker-specified parameter being rejected, and the command line will appear to be the next (for instance):

-JSCEfServicePath= -JSCefServicePath= (discover the case change within the first variable identify for the primary letter E).

When such a command line is handed to ksojscore.dll, it would solely take the primary incidence of the variable and the attacker-controlled variable is at all times positioned earlier than the legitimate ones.

Nevertheless, earlier than loading the library given by the JSCefServicePath file path, a second examine was launched. The perform krt::ksafe::KProcess::verifyZhuHaiKingsoftCertSigner known as to examine the certificates of the library and guarantee that it’s a library belonging to Kingsoft, as proven in Determine 16. So, an attacker can’t load any arbitrary library.

Determine 16. Checking the signature of the library being loaded

Nevertheless, the CefPluginPathU8 variable shouldn’t be checked appropriately. Right here lies the second flaw. After verifying the JSCefServicePath file path, the library jscefservice.dll is loaded and calls LoadLibraryExW with the file path offered by CefPluginPathU8 concatenated with the string libcef.dll with out checking its signature.

If not less than one letter of the variable CefPluginPathU8 is modified, jscefservice.dll will attempt to load the libcef.dll library saved beneath the attacker-controlled file path given by the variable, as noticed in Determine 17.

Determine 17. The library jscefservice.dll hundreds the library pointed to by the attacker-defined path with out checking its signature

Exploiting the vulnerability

The primary constraint of this vulnerability is the string libcef.dll that’s appended to the file path. As of the writing of this blogpost, we’ve not discovered a approach to obtain a file and select its filename. Nevertheless, on a neighborhood community, internet hosting a library on a share and having the variable CefPluginPathU8 level to it really works as a result of LoadLibraryExW permits community paths to be specified. The screenshot proven in Determine 18 illustrates how the management circulation of promecefpluginhost.exe (model 12.2.0.16909 launched late April 2024) was hijacked utilizing a community path.

Determine 18. Procmon’s stack view displaying the loading of our customized library

Affected variations

The affected variations of WPS Workplace for Home windows vary from 12.2.0.13110, launched round August 2023, till the discharge of the patch on the finish of Could 2024 with model 12.2.0.17119.

Conclusion

As WPS Workplace is a software program suite largely distributed in Asia, APT-C-60 demonstrated simply how a lot it’s decided to compromise targets in East Asian nations. Whether or not the group developed or purchased the exploit for CVE-2024-7262, it positively required some analysis into the internals of the appliance but in addition data of how the Home windows loading course of behaves. The exploit is crafty as it’s misleading sufficient to trick any person into clicking on a legitimate-looking spreadsheet whereas additionally being very efficient and dependable. The selection of the MHTML file format allowed the attackers to show a code execution vulnerability right into a distant one.

Moreover, our discovery of CVE-2024-7263 underlines the significance of a cautious patch verification course of and ensuring the core concern has been addressed in full.

We strongly advise WPS Workplace for Home windows customers to replace their software program to the newest launch.

For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com
ESET Analysis presents non-public APT intelligence stories and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.

IoCs

A complete record of indicators of compromise (IoCs) could be present in our GitHub repository.

Information

SHA-1

Filename

Detection

Description

7509B4C506C01627C1A4
C396161D07277F044AC6

enter.htm

HTML/Agent.HQ

MHTML-formatted WPS Spreadsheet exploit – CVE‑2024‑7262.

08906644B0EF1EE6478C
45A6E0DD28533A9EFC29

WPS_TEST_DLL.dll

Win32/TrojanDownloader.
Agent.HRP

Downloader element.

Community

IP

Area

Internet hosting supplier

First seen

Particulars

162.222.214[.]48

131.153.206[.]231

rammenale[.]com

PhoenixNAP

2024⁠-⁠03⁠-⁠08

C&C server internet hosting subsequent levels.

MITRE ATT&CK TECHNIQUES

This desk was constructed utilizing model 15 of the MITRE ATT&CK framework.

Tactic

ID

Title

Description

Useful resource Growth

T1583.001

Domains

APT-C-60 acquired a site identify for its C&C server.

T1583.004

Server

APT-C-60 acquired a server for its C&C.

T1608.001

Add Malware

APT-C-60’s subsequent levels have been uploaded to its C&C server.

T1587.004

Exploits

APT-C-60 developed or bought an exploit for CVE-2024-7262.

Execution

T1203

Exploitation for Shopper Execution

APT-C-60 exploited CVE-2024-7262 to realize execution.

T1204.001

Malicious Hyperlink

The exploit utilized by APT-C-60 requires a click on on a hyperlink.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles