===============================================================================================================
KingSoft Office Suite 2010 | Insecure DLL Hijacking Vulnerability (plgpf.dll)
===============================================================================================================

1. OVERVIEW

The KingSoft Office 2010 Suite applications are vulnerable to insecure DLL hijacking. Other terms used for this vulnerability class include Remote Binary Planting and Insecure DLL Loading/Injection/Hijacking/Preloading.

2. PRODUCT DESCRIPTION

Kingsoft Office offers a robust set of features that you need to create professional documents. It contains three essential office applications: Kingsoft Writer, Kingsoft Presentation, and Kingsoft Spreadsheets, with a familiar interface and easy-to-use functions. No re-learning process is required. With its strong compatibility with a variety of file formats, Kingsoft Office 2010 is the best alternative to Microsoft Office.

3. VULNERABILITY DESCRIPTION

Kingsoft Office Suite applications pass an insufficiently qualified path when loading an external library (plgpf.dll) at the time a user opens a file with one of the associated extensions. Because the path is not fully qualified, Windows falls back to its DLL search order, which includes the directory the document was opened from.

KingSoft Office Writer
- affected dll: plgpf.dll
- affected extension: doc, rtf

KingSoft Office Presentation
- affected dll: plgpf.dll
- affected extension: ppt

KingSoft Office Spreadsheets
- affected dll: plgpf.dll
- affected extension: xls

4. VERSIONS AFFECTED

2010 and probably lower versions

5. PROOF-OF-CONCEPT/EXPLOIT

http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/kingsoft-office-2010/poc/movie/kingsoft-office-2010_dll-hijacking.mp4
http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/kingsoft-office-2010/poc/kingsoft-office-2010_dll-hijacking-poc.zip

Tested Platform: Windows XP Service Pack 3 (Fresh Windows)

6. IMPACT

Attackers can trigger a successful exploit against a victim user in a number of ways, such as placing a malicious external library file with the hidden attribute set next to a seemingly interesting file on network shares, USB drives, file-sharing networks, social networks, etc.

7. SOLUTION

A fixed version from the vendor has not been released yet. However, users are advised to deploy the following workarounds to protect against the increasing mass exploitation of this vulnerability class:

- Disable loading of libraries from WebDAV and remote network shares
- Disable the WebClient service

Please see the workaround solution links in the References section.

8. VENDOR

Kingsoft Corp.
http://www.kingsoftresearch.com/kso.php

9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE

09-11-2010: notified vendor
09-13-2010: vulnerability disclosed

11. REFERENCES

Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/[kingsoft_office]_2010_insecure_dll_hijacking

KingSoft Wiki:
https://secure.wikimedia.org/wikipedia/en/wiki/Kingsoft_Office

Workaround Solution:
http://support.microsoft.com/kb/2264107

Workaround Solution:
https://www.microsoft.com/technet/security/advisory/2269637.mspx#EGF

Developer Solution:
http://msdn.microsoft.com/en-us/library/ff919712%28v=VS.85%29.aspx

Unofficial DLL Hijacking List:
http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/

Testing for DLL Hijacking:
http://core.yehg.net/lab/pr0js/view.php/when_testing_for_dll_hijacking.txt

#yehg [09-13-2010]
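The two workarounds listed in section 7, as an added PowerShell example that is not part of the original advisory: it audits and applies the CWDIllegalInDllSearch registry value described in Microsoft KB 2264107 and disables the WebClient (WebDAV redirector) service. It assumes the KB 2264107 update is already installed (the registry value is not honoured without it) and that it runs from an elevated prompt.

```powershell
# Added example, not from the advisory. Assumes KB 2264107 is installed and
# the script runs elevated. Registry location and values are those documented
# in KB 2264107.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'CWDIllegalInDllSearch'
# Meaning of the DWORD value:
#   0          = default search order (current working directory is searched)
#   1          = block DLL loads from the CWD when it is a WebDAV folder
#   2          = block DLL loads from the CWD when it is WebDAV or a remote share
#   0xFFFFFFFF = never search the CWD for DLLs at all
$wanted = 2   # the advisory's first workaround: no library loads from WebDAV/remote shares

function Get-CwdDllPolicy {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # A REG_DWORD of 0xFFFFFFFF reads back as Int32 -1; mask before widening.
    return [uint32]($item.$name -band 0xFFFFFFFF)
}

function Set-CwdDllPolicy {
    param([uint32]$Value)
    if (-not (Test-Path $key)) { throw "Session Manager key missing: $key" }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
}

$current = Get-CwdDllPolicy
if ($null -eq $current) {
    Write-Host "$name is not set: Windows still searches the current directory for DLLs."
} else {
    Write-Host ("{0} is currently 0x{1:X8}" -f $name, $current)
}
if ($current -ne $wanted) {
    Set-CwdDllPolicy -Value $wanted
    Write-Host "Set $name = $wanted (blocks DLL loads from WebDAV and remote shares)."
}

# Second workaround: stop and disable the WebClient service so a document opened
# from a WebDAV share cannot cause plgpf.dll to be fetched from that share.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    Write-Host "WebClient service stopped and disabled."
}
```

Re-run the script after a reboot to confirm the value and service state persisted; the value 0xFFFFFFFF is the stricter option if applications on the host do not depend on loading DLLs from their working directory.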