
CVE-2022-25943 PoC — WPS security vulnerability

Associated vulnerability
Title: WPS security vulnerability (CVE-2022-25943)
Description: The installer of WPS Office for Windows versions prior to v11.2.0.10258 fails to configure properly the ACL for the directory where the service program is installed.

PoC description: CVE-2022-25943

Readme
## JVN Advisory
https://jvn.jp/en/vu/JVNVU90673830/
## The following CVE number has been assigned:
  - [CVE-2022-25943](https://www.cve.org/CVERecord?id=CVE-2022-25943)
# KINGSOFT WPS Office LPE
***WPS Office*** is an office suite for Microsoft Windows, macOS, Linux, iOS, Android, and HarmonyOS developed by Zhuhai-based Chinese software developer Kingsoft.
## Exploring WPS
One of the nicest features WPS offers is a cloud service for saving your documents and other work. The corresponding Windows service is set to manual start by default: it is started only when you navigate to WPS Cloud in the WPS Office panel, and in that case it runs with the privileges of the current user (low privilege).
## Vulnerability
Looking at the early imports the WPS cloud service performs once started, it first tries to load a DLL called **CRYPTSP.DLL** (and several others) from ***C:\ProgramData\kingsoft\office6\***. If they are not there, and by default they are not, the service falls back to loading them from System32, as you can see:

<img src="/assets/process_monitor.PNG"/>

The issue is that the ACL for that directory grants read and write access to all users, so an attacker can plant a malicious DLL there and restart the executable. Started directly, it runs at the current privilege level (low-privileged user); started as a service (it is installed as one), with something like **net start wpscloudsvr**, it runs as **NT AUTHORITY\SYSTEM**.

So the root cause is an ***ACL misconfiguration*** rather than anything in the DLL-loading logic itself.
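A defender-side audit for the two conditions described above, added here as an example and not part of the PoC repository: it reports broad write ACEs on `C:\ProgramData\kingsoft\office6` and any DLL already sitting there (which the service would load in preference to the System32 copy), and shows which account the service runs under. The directory and the service name `wpscloudsvr` come from the README; the list of broad principals and the write-rights mask are my assumptions.

```powershell
# Added audit example (not the PoC's code). Run from an elevated PowerShell prompt.
# Path and service name are taken from the README; principals and mask are assumptions.
$Dir = 'C:\ProgramData\kingsoft\office6'
$Svc = 'wpscloudsvr'

# Principals that should never hold write rights on a directory a SYSTEM service loads DLLs from.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a caller drop, replace or remove a file in the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

if (-not (Test-Path -LiteralPath $Dir)) { Write-Output "$Dir not present; nothing to audit."; return }

$findings = @()

# 1. ACL check: any Allow ACE that gives a broad principal write-class rights.
$acl = Get-Acl -LiteralPath $Dir
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value
    if ($BroadPrincipals -contains $who -and (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0)) {
        $findings += "ACL: '$who' has $($ace.FileSystemRights) on $Dir (inherited=$($ace.IsInherited))"
    }
}

# 2. Planted-DLL check: the README notes the directory is normally empty and the service
#    falls back to System32, so any DLL here deserves a look. Hash CRYPTSP.DLL against the
#    genuine System32 copy so a substituted file stands out.
$sysHash = (Get-FileHash -LiteralPath "$env:SystemRoot\System32\cryptsp.dll" -Algorithm SHA256).Hash
foreach ($f in (Get-ChildItem -LiteralPath $Dir -Filter *.dll -File -ErrorAction SilentlyContinue)) {
    $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $note = if ($f.Name -ieq 'cryptsp.dll' -and $h -ne $sysHash) { ' (differs from System32 copy)' } else { '' }
    $findings += "DLL: $($f.FullName) SHA256=$h$note"
}

# 3. Service context: a DLL loaded from $Dir runs under this account.
$s = Get-CimInstance Win32_Service -Filter "Name='$Svc'" -ErrorAction SilentlyContinue
if ($s) { $findings += "Service: $($s.Name) state=$($s.State) start=$($s.StartMode) account=$($s.StartName)" }

if ($findings.Count -eq 0) { Write-Output "No broad write ACEs or DLLs found in $Dir." }
else { $findings | ForEach-Object { Write-Output $_ } }
```

A clean result shows no `ACL:` or `DLL:` lines; an `ACL:` line naming Everyone or Users with write rights reproduces the misconfiguration the advisory describes and is the condition to remediate.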
## Exploit
My exploit is simple: it copies the crafted DLL (which changes the Administrator password) to the target directory and restarts the service. Access to the Administrator account is now available, which means I have access to SeDebugPriv; from there I steal the winlogon token and start cmd as **NT AUTHORITY / System**.
## PoC

https://user-images.githubusercontent.com/57273771/152659158-7f3a5607-40d9-41b6-85c5-7ed3ca83d0e5.mp4

File Snapshot

[4.0K] /data/pocs/f6fef30b1e8346452f1578a543579787b3779ee9
├── [4.0K] assets
│   ├── [ 99K] process_monitor.PNG
│   └── [   1] readme
├── [4.0K] bo3o
│   ├── [ 82K] CRYPTSP.dll
│   ├── [112K] NT_sys.exe
│   └── [129K] wpscloudsvc priv escalation.exe
├── [1.0K] LICENSE
├── [1.9K] README.md
└── [4.0K] src
    ├── [ 764] dll.cpp
    ├── [2.7K] exploit.cpp
    └── [4.4K] nt-sys.cpp

3 directories, 10 files