Reverse one zero day, get one free!

Romain Dumont

In early 2024, ESET Research found a zero-day vulnerability in WPS Office for Windows (by Kingsoft) being exploited in the wild for espionage purposes by a threat actor we track as APT-C-60. This vulnerability is a one-click remote code execution bug and was assigned CVE-2024-7262. This software suite is mainly used in Asia and boasts half a billion users worldwide, making it a perfect avenue to target computers there.

Our presentation breaks down how we discovered and analyzed weaponized MHTML-formatted spreadsheet documents. The vulnerability stems from a lack of user input sanitization, which leads to a path traversal bug that allows execution of untrusted code. We show how the exploit developers combined their knowledge of both WPS Office and Windows internals to bypass exploitation constraints.
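The bug class named above is path traversal: a path taken from attacker-controlled document content is joined onto a trusted directory without canonicalization, so `..` segments or an absolute path can point outside it. The following Python is an added illustration, not code from the talk, from ESET, or from WPS Office; `ALLOWED_ROOT` and the sample paths are constructed. It places the weak "join and trust" pattern beside a containment check that canonicalizes the result and verifies it still lies under the root.

```python
import os
from typing import Optional

# Hypothetical root: the only directory from which a document-processing
# component may load resources (constructed for this example).
ALLOWED_ROOT = os.path.realpath(os.path.join(os.sep, "tmp", "doc-parts"))


def naive_resolve(user_path: str, root: str = ALLOWED_ROOT) -> str:
    """The weak pattern: join the untrusted segment onto the root and trust it.

    os.path.join discards `root` entirely when `user_path` is absolute, and
    normpath happily collapses '../' segments that climb out of the root.
    """
    return os.path.normpath(os.path.join(root, user_path))


def is_inside_root(candidate: str, root: str) -> bool:
    """True only if the canonical `candidate` is `root` or lies below it.

    realpath resolves '..' and symlinks; commonpath compares whole path
    components, so '/tmp/doc-parts-evil' is not mistaken for a child of
    '/tmp/doc-parts' the way a plain startswith() check would allow.
    """
    real_root = os.path.realpath(root)
    real_candidate = os.path.realpath(candidate)
    try:
        return os.path.commonpath([real_root, real_candidate]) == real_root
    except ValueError:
        # Raised on Windows when the two paths sit on different drives:
        # that is never inside the root.
        return False


def safe_resolve(user_path: str, root: str = ALLOWED_ROOT) -> Optional[str]:
    """Hardened counterpart: returns the canonical path, or None if it escapes."""
    candidate = os.path.join(root, user_path)
    if not is_inside_root(candidate, root):
        return None
    return os.path.realpath(candidate)


if __name__ == "__main__":
    # Constructed inputs: one legitimate relative part, three escape attempts.
    samples = [
        "images/cell1.png",
        "../../etc/passwd",
        "/etc/passwd",
        "../doc-parts-evil/payload",
    ]
    for sample in samples:
        print(f"{sample!r:28} naive -> {naive_resolve(sample)}")
        print(f"{'':28} safe  -> {safe_resolve(sample)}")
```

The check has to run on the canonical path, after joining, not on the raw input: filtering the string for `..` misses absolute paths, mixed separators and symlinks, while canonicalize-then-compare handles all of them with one rule.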

The second part of the talk takes us through the process of patch diffing and how the assessment of mitigations led us to the discovery of a simple logic flaw introduced by the patch. This bug resulted in a similar vulnerability that was assigned CVE-2024-7263.

Finally, we conclude with a few words on the lesser-known custom scheme attack surface and alternative ways to obtain updates for patch diffing.

Speaker Bio:

Romain Dumont is a malware researcher working for ESET. His work involves deep malware analysis and threat hunting with a current focus on the APAC region. He is passionate about reverse engineering and has previously worked on obfuscation, Windows kernel components, vulnerability assessment, game cheats, and malware from all kinds of platforms.
