CVE-2022-24934 in WPS Office

Summary

by MITRE • 03/24/2022

wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.

Analysis

by VulDB Data Team • 03/25/2022

The vulnerability identified as CVE-2022-24934 resides within the wpsupdater.exe component of Kingsoft WPS Office version 11.2.0.10382 and earlier, presenting a critical remote code execution risk through registry manipulation. This flaw exploits the updater process to modify the HKEY_CURRENT_USER registry hive, which serves as a critical attack surface for privilege escalation and persistent system compromise. The vulnerability demonstrates a significant design flaw in the software's update mechanism, where insufficient validation and access controls allow arbitrary registry modifications that can be leveraged by remote attackers.

The technical implementation of this vulnerability stems from improper input validation within the wpsupdater.exe process, which operates with elevated privileges during the update procedure. When the updater processes registry entries, it fails to properly sanitize or verify the legitimacy of registry modifications, particularly within the HKEY_CURRENT_USER hive that contains user-specific settings and preferences. This allows attackers to craft malicious registry entries that the updater will process without adequate verification, effectively enabling arbitrary code execution through the update mechanism. The flaw aligns with CWE-74 and CWE-798, representing weaknesses in input validation and the use of hard-coded credentials or registry values.

The operational impact of this vulnerability extends beyond simple remote code execution to encompass persistent system compromise and privilege escalation scenarios. An attacker who successfully exploits this vulnerability can establish backdoors, install malware, or modify system configurations without requiring user interaction or explicit authentication. The HKEY_CURRENT_USER registry modification capability provides attackers with a stealthy method of maintaining persistence, as registry entries can be configured to execute malicious payloads during system startup or user login events. This vulnerability particularly affects enterprise environments where WPS Office is widely deployed, creating potential for large-scale compromise through a single vulnerable installation.

Mitigation strategies for CVE-2022-24934 should prioritize immediate software updates to the latest versions of Kingsoft WPS Office, which contain patched registry validation mechanisms. System administrators should implement registry monitoring and access control policies that restrict write permissions to HKEY_CURRENT_USER for non-privileged users. The principle of least privilege should be enforced through group policy configurations that limit registry modification capabilities for the wpsupdater.exe process. Additionally, network segmentation and firewall rules can help limit the attack surface by restricting access to update mechanisms from untrusted networks. This vulnerability maps to several ATT&CK techniques including T1059.001 for command and script interpreter execution and T1547.001 for registry run keys and startup folder, emphasizing the need for comprehensive endpoint protection and registry integrity monitoring solutions.

Reservation

02/10/2022

Disclosure

03/24/2022

Moderation

accepted

CPE

ready

EPSS

0.20470

KEV

no

Activities

very low
