Kingsoft WPS Office is a widely-used productivity suite that's especially popular in China and among users who want a free alternative to Microsoft Office. However, a recent vulnerability—CVE-2024-11957—has put millions of Windows users at risk. This post will explain, in simple terms, what this vulnerability is, how it works, and show you a sample exploit to understand the risk.

What is CVE-2024-11957?

In versions of WPS Office up to 12.1..18276, a core component called ksojscore.dll fails to properly verify the digital signature of certain loaded files. This means an attacker can trick WPS Office into loading a malicious DLL—a file format that Windows uses to load code into programs—by simply placing it in a predictable location. This is called *arbitrary DLL injection*. This problem comes from *improper signature checking*: WPS Office didn’t strictly check if the loaded DLLs were really signed and approved by Kingsoft.

You might think this would have been fixed with patches. Actually, the patch for a related bug (CVE-2024-7262) in version 12.2..16909 wasn’t strict enough and did not cover all vectors for this attack.

Why Do Digital Signatures Matter?

Digital signatures help programs verify that a piece of code (like a DLL) really comes from a trusted source and hasn’t been tampered with. If signature checks are missing or weak, Windows programs like WPS Office can be tricked into loading malicious code. This can lead to full compromise of the user’s system—especially since office suites often get administrative privileges.

- Versions affected: ≤ 12.1..18276
- Attack vector: local or remote (e.g., a malicious document and DLL in the same folder, or a poisoned network share)
- CVE: CVE-2024-11957

References:

- CVE detail page
- Vendor Patch Notes (Chinese)

The root of the issue is that ksojscore.dll loads other DLLs without properly making sure they are really from Kingsoft via digital signature.

How the Exploit Works (Simplified)

Suppose WPS Office looks for a plugin DLL first in the current working directory. An attacker sends you a ZIP file with a nice-looking DOCX and a malicious DLL. If you open the document, WPS Office will load the evil DLL—*without verifying it’s legit!*

Step 1: Create a malicious DLL

Make a DLL with a simple payload for demonstration.

malicious.dll (written in C)

```c
#include <windows.h>

// DllMain runs as soon as the DLL is mapped into the process. The demonstration
// payload only shows a message box; it proves the DLL was loaded without any
// signature check.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        MessageBoxA(NULL, "Pwned by CVE-2024-11957!", "Exploit", MB_OK);
    }
    return TRUE;
}
```

Compile with

```
cl /LD malicious.c
```

Step 3: Victim opens the DOCX

When WPS Office opens the document from that directory, it loads malicious.dll because of the improper signature check, and the payload runs.

Why The Previous Patch (CVE-2024-7262) Wasn't Enough

The earlier patch only made the DLL loading check *slightly* better, but did not enforce a strict digital signature verification for every loaded external DLL. Thus, attackers could still get WPS Office to load non-Kingsoft, unsigned, or malicious DLLs.

How to Protect Yourself

- Update WPS Office: make sure you are on version 12.2..16909 or later. Check Kingsoft’s official update page.
- Don’t open Office files from unknown sources, especially if they come with extra files in a ZIP or folder.
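The strict check the loader should have performed can also be run by hand on a folder of downloaded files. The following PowerShell script is an added example, not code from the original post or from Kingsoft; the default folder and the expected publisher substring are assumptions, so adjust them for your environment.

```powershell
# Added example: list DLLs under a folder that are not validly Authenticode-signed
# by the expected publisher. Useful before opening a document that arrived in a
# ZIP together with extra files.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",   # assumed: where extracted bundles land
    [string]$ExpectedPublisher = "Kingsoft"          # assumed substring of the signer subject
)

function Test-DllSignature {
    param([System.IO.FileInfo]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "" }
    [pscustomobject]@{
        File    = $File.FullName
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $subject
        # A DLL is only trusted when the signature chain is valid AND the signer is who we expect;
        # a valid signature from an arbitrary publisher is not enough.
        Trusted = ($sig.Status -eq 'Valid' -and $subject -like "*$ExpectedPublisher*")
    }
}

$results = Get-ChildItem -Path $Path -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-DllSignature -File $_ }

# Anything unsigned, tampered, or signed by someone else next to a document deserves a look.
$suspect = @($results | Where-Object { -not $_.Trusted })
$suspect | Format-Table -AutoSize File, Status, Signer

if ($suspect.Count -gt 0) {
    Write-Warning ("{0} DLL(s) under {1} are not validly signed by '{2}'." -f `
        $suspect.Count, $Path, $ExpectedPublisher)
}
```

Run it against the extracted folder before opening the document; a DLL reported as NotSigned or with a foreign signer is exactly the file the flawed loader would have accepted.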

Final Thoughts

DLL hijacking via improper digital signature verification is a low-effort, high-impact attack. If you’re running an older version of WPS Office, it remains trivially vulnerable to arbitrary code execution through this technique—*even after an initial patch*. Kingsoft’s lack of strict DLL signature enforcement in ksojscore.dll leaves millions at risk until they update.

Stay safe: keep your software up to date and be cautious of document bundles!

## Further Reading / References

- CVE-2024-11957 NVD Entry
- CVE-2024-7262 (Previous Patch, incomplete)
- Kingsoft Official WPS Office Updates
- DLL Hijacking explained


Timeline

Published on: 03/04/2025 16:15:34 UTC
Last modified on: 03/05/2025 08:05:18 UTC