WPS Free Office version 10.2.0.5978 allows local users to gain privileges or cause a denial of service by impersonating all the pipes through the use of an insecurely created named pipe.
9632d24c8cfec8d732dcac81951c9a47=====[ Tempest Security Intelligence - ADV-16/2018 ]===
WPS Free Office 10.2.0.5978 - NULL DACL grants full access
-------------------------------------------------------
Author:
- Filipe Xavier Oliveira: < filipe.xavier () tempest.com.br
=====[ Table of Contents
]=====================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References
=====[ Overview
]==============================================================
* System affected : KingSoft WPS Free Office [1]
* Software Version : 10.2.0.5978. Other versions or models may also be
affected.
* Impact : A low privileged user can access and modify the DACL of pipe
with full access allowed. The NULL DACL grants full access to any user
that requests it; normal security checking is not performed with respect
to the object.
=====[ Detailed description
]==================================================
Kingsoft WPS Office Free 10.2.0.5978 allows local users to gain
privileges or cause a denial of service by impersonating all the pipes
through a use of \\.\pipe\WPSCloudSvr\WpsCloudSvr -- an "insecurely
created named pipe." Ensures full access to Everyone users group.
=====[ Timeline of disclosure
]===============================================
29/01/2018 - Vendor was informed of the vulnerability.
01/29/2018 - CVE assigned [2]
02/05/2018 - Tried to contact vendor again.
03/06/2018 - Advisory publication date.
=====[ Thanks & Acknowledgements
]============================================
- Tempest Security Intelligence / Tempest's Pentest Team [3]
=====[ References
]===========================================================
[1] - http://www.kingsoftstore.com/
[2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6400
[3] - http://www.tempest.com.br
--
Filipe Oliveira
Tempest Security Intelligence