Tenda AX1803 v1.0.0.1 contains a stack overflow via the devName parameter in the function formSetDeviceName.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-49047: IOT_VULN/Tenda/AX1803/formSetDeviceName.md at main · Anza2001/IOT_VULN

The WPB Show Core WordPress plugin through 2.2 is vulnerable to a local file inclusion via the `path` parameter.

CVE-2023-4922

An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated, remote attacker can obtain a valid authentication identifier that allows them to authenticate to the management console and perform tasks that require authentication.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

**Tenable Advisory ID:** TRA-2023-37

**Affected Products:**  
Arcserve UDP prior to 9.2

**Risk Factor:**  
Critical

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

100 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

100 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

100 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

**Try Tenable Nessus Professional Free**

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

**NEW - Tenable Nessus Expert  
Now Available**

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. **Click here to Try Nessus Expert.**

Fill out the form below to continue with a Nessus Pro Trial.

**Buy Tenable Nessus Professional**

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

**Try Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

**Buy Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable Lumin**

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable Security Center**

_Formerly Tenable.sc_

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable OT Security**

_Formerly Tenable.ot_

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable Identity Exposure**

_Formerly Tenable.ad_

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Request a Demo of Tenable Cloud Security**

_**Exceptional unified cloud security awaits you!**_

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable Attack Surface Management In Action**

_Formerly Tenable.asm_

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

**Try Tenable Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Tenable Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Learn How Tenable Helps Achieve SLCGP Cybersecurity Plan Requirements**

Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.

CVE-2023-41999: Arcserve Unified Data Protection Multiple Vulnerabilities

[PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2023-36

CVSSv3 Base / Temporal Score

CVSSv3 Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Control iD iDSecure v4.7.32.0

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

100 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Nessus Professional Free**

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

**NEW - Tenable Nessus Expert  
Now Available**

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. **Click here to Try Nessus Expert.**

Fill out the form below to continue with a Nessus Pro Trial.

**Buy Tenable Nessus Professional**

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

100 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

**Buy Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable Lumin**

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable Security Center**

_Formerly Tenable.sc_

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable OT Security**

_Formerly Tenable.ot_

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable Identity Exposure**

_Formerly Tenable.ad_

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Request a Demo of Tenable Cloud Security**

_**Exceptional unified cloud security awaits you!**_

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable Attack Surface Management In Action**

_Formerly Tenable.asm_

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

**Try Tenable Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Tenable Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Learn How Tenable Helps Achieve SLCGP Cybersecurity Plan Requirements**

Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.

CVE-2023-6329: Control iD iDSecure passwordCustom Authentication Bypass

The kk Star Ratings WordPress plugin before 5.4.6 does not implement atomic operations, allowing one user vote multiple times on a poll due to a Race Condition.

CVE-2023-4642

Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and before allows a remote attacker to execute arbitrary code via the nama parameter in the lock/lock.php file.

**absis**

Sistem Akademik KTSP/K13

Versi 0.000001 (yang mudeng cuman developernya aja)

Masih Versi Alpha, banyak bug sana-sini dan kode yang tidak rapi. Next Version -> Sudah menggunakan framework laravel

Step:

1.  Upload data backend di server php anda.
2.  Ada 2 database yg harus anda gunakan, yaitu master dan \[tiap tahun ajaran\] (https://github.com/smpn1smg/absis/smpn1smg\_2015.sql). Yang kami berikan berupa data dummy, agar bisa digunakan. Di github.com/smpn1smg/absis.
3.  Setting agar sistem ada di root (misal langsung di http://localhost/ bukan di http://localhost/absis/
4.  Setting username dan password MySQL di controller/config/config.php dan model/class/master.php

Login demo: demo.absis.co.id username: demo pass: demo

Daftar Fitur (baik yg sudah dan yg akan):

**Lisensi**

  
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Hal ini berarti:

*   **Share**: Anda bebas untuk menggunakan dan mendistribusikan materi-materi ini pada media dan bentuk apapun.
*   **Adapt**: Anda bebas untuk memodifikasi materi-materi ini pada penggunaannya.

Dengan ketentuan sebagai berikut:

*   **Attribution**: Apabila Anda menggunakan materi-materi ini, Anda harus memberikan _credit_ kepada **SMPN 1 Semarang**.
*   **NonCommercial**: Anda tidak boleh menggunakan materi-materi ini untuk keperluan komersial.
*   **ShareAlike**: Apabila Anda memodifikasi materi-materi ini, Anda harus mendistribusikannya kembali dengan lisensi yang sama. Hal ini dapat dilakukan dengan cara melakukan _fork_ repositori ini dan melakukan _commit_ modifikasi-modifikasi yang Anda lakukan di sana.

Untuk penjelasan lebih lanjut mengenai lisensi ini, silakan membuka tautan lisensi di atas.

CVE-2023-49029: GitHub - smpn1smg/absis: Sistem Akademik K13/KTSP Berbasis Web

Buffer Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the wpapsk_crypto parameter in the function fromSetWirelessRepeat.

CVE-2023-49043: IOT_VULN/Tenda/AX1803/fromSetWirelessRepeat.md at main · Anza2001/IOT_VULN

Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the devName parameter in the function formAddMacfilterRule.

CVE-2023-49046: IOT_VULN/Tenda/AX1803/formAddMacfilterRule.md at main · Anza2001/IOT_VULN

A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.15356 handles 3D annotations. A specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

CVE-2023-32616: TALOS-2023-1837 || Cisco Talos Intelligence Group

An uninitialized pointer use vulnerability exists in the functionality of WPS Office 11.2.0.11537 that handles Data elements in an Excel file. A specially crafted malformed file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

An uninitialized pointer use vulnerability exists in the functionality of WPS Office 11.2.0.11537 that handles Data elements in an Excel file. A specially crafted malformed file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WPS Office 11.2.0.11537

**PRODUCT URLS**

WPS Office - https://www.wps.com/

**CVSSv3 SCORE**

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-457 - Use of Uninitialized Variable

**DETAILS**

WPS Office, previously known as a Kingsoft Office, is a suite of tools used for productivity in both a corporate environment and by individual users. It offers a range of tools, such as WPS Spreadsheets for spreadsheets, WPS Writer for document editing and so on.

When we run et.exe under the debugger with PageHeap turned on we can observer the following result:

    (1ba8.2d30): Access violation - code c0000005 (first/second chance not available)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    Time Travel Position: 406EFF7:0
    eax=00000000 ebx=83eceb4c ecx=c0c0c0c0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
    eip=6723b200 esp=83eceab8 ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
    kso!WStr::data:
    6723b200 8b01            mov     eax,dword ptr [ecx]  ds:002b:c0c0c0c0=????????
    

c0c0c0c0 is a typical value set by the page heap manager in freshly allocated heap chunks to simplify detection of uninitialized variable usage. We can find a confirmation of this theory going back few steps to obtain an address from which this value has been read:

    0:015> p-
    Time Travel Position: 406EFF6:1D
    eax=00000000 ebx=83eceb4c ecx=81804ff0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
    eip=841d6303 esp=83eceabc ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
    ethtmlrw2!html2::Attr::~Attr+0x42243:
    841d6303 8b4904          mov     ecx,dword ptr [ecx+4] ds:002b:81804ff4=c0c0c0c0
    

Now, checking write events related to the 81804ff4 address :

    ================================================================================================================================================
      = (+)     EventType = (+) ThreadId = (+) UniqueThreadId = (+) TimeStart  = (+) TimeEnd    = (+) AccessType = (+) IP        = (+) Address   = (+) Size = (+) Value     = (+) OverwrittenValue 
     =[0xa0]    - 0x1           - 0x2d30       - 0x39            - 406E0FE:3A     - 406E0FE:3A       - Write     - 0x77699095    - 0x81804ff4        - 0x4      - 0xc0c0c0c0         - 0x0   
    

and going back to the latest one:

    0:015> dx -r1 @$create("Debugger.Models.TTD.Position", 67559678, 58)
    @$create("Debugger.Models.TTD.Position", 67559678, 58)                 : 406E0FE:3A [Time Travel]
        Sequence         : 0x406e0fe
        Steps            : 0x3a
        SeekTo           [Method which seeks to time position]
        ToSystemTime     [Method which obtains the approximate system time at a given position]
    0:015> dx -s @$create("Debugger.Models.TTD.Position", 67559678, 58).SeekTo()
    (1ba8.2d30): Break instruction exception - code 80000003 (first/second chance not available)
    Time Travel Position: 406E0FE:3A
    0:015> r
    eax=c0c0c0c0 ebx=00000000 ecx=00000002 edx=00000000 esi=81804ff0 edi=81804ff4
    eip=77699095 esp=83ece6ec ebp=83ece728 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    ntdll!memset+0x45:
    77699095 f3ab            rep stos dword ptr es:[edi]
    0:015> kb
     # ChildEBP RetAddr      Args to Child              
    00 83ece6ec 6ba2a8de     81804ff0 000000c0 0000000c ntdll!memset+0x45
    01 83ece728 776ff29e     049a0000 01000002 0000000c verifier!AVrfDebugPageHeapAllocate+0x26e
    02 83ece798 77667170     0000000c 38cbb804 049a0000 ntdll!RtlDebugAllocateHeap+0x39
    03 83ece944 77666ecc     0000000c 00000018 00000000 ntdll!RtlpAllocateHeap+0xf0
    04 83ece9e0 77665e6e     00000000 00000000 0000000c ntdll!RtlpAllocateHeapInternal+0x104c
    05 83ece9fc 76830166     049a0000 00000000 0000000c ntdll!RtlAllocateHeap+0x3e
    06 83ecea18 841e4c8c     0000000c 83ecea80 841c3e02 ucrtbase!_malloc_base+0x26
    WARNING: Stack unwind information not available. Following frames may be wrong.
    07 83ecea24 841c3e02     0000000c e648046e 84263348 ethtmlrw2!html2::AttrPack::Compare+0x9f0c
    08 83ecea80 841bf2ab     77cfafe0 e64805f6 6fef4ff0 ethtmlrw2!html2::Attr::~Attr+0x2fd42
    09 83eceb18 841c4816     714cef00 84263310 7ce5ffb0 ethtmlrw2!html2::Attr::~Attr+0x2b1eb
    0a 83eceb30 841c8f74     714cef00 84263310 84263310 ethtmlrw2!html2::Attr::~Attr+0x30756
    0b 83eceb44 84170330     7ce5dfe8 4b14cfe0 7cb50ec0 ethtmlrw2!html2::Attr::~Attr+0x34eb4
    0c 83eced20 8416f595     6fef0c00 83eced94 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x30a0
    0d 83eced5c 67393f3b     73b12fc8 6fef0c00 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x2305
    0e 83eceda4 67372cf8     6fef0c00 43d04398 7bfd1000 kso!vml::LegacyDomShapeAcceptor::Transform+0x4b
    0f 83ecedd0 6736cd34     6fef0c00 6fe46ff0 43d04070 kso!vml::TFill::Transform+0x1ea8
    10 83ecee38 6723d584     83ecf080 6fef0c00 6fef4ff0 kso!vml::VmlDrawingHandler::AddElementAttr+0x784
    11 83ecee4c 8416009b     72c76fe8 00490046 00000001 kso!XmlFxSetGlobalMapperHelper2::BeginSet+0xd4
    12 83ecee64 84169634     83ecf0b4 00490046 500d2800 ethtmlrw2!html2::StrId::operator!=+0x397b
    13 83ecee88 674ff633     4ca0e800 3245efd8 500d2800 ethtmlrw2!html2::StrId::operator!=+0xcf14
    14 83eceecc 6750cc0b     7eb8efd0 00000007 6751b800 kso!curl_easy_reset+0xfe81
    15 83ecef60 6750c34f     83ecef8b 43d041d4 83ecf28c kso!curl_easy_reset+0x1d459
    16 83ecef9c 6750c4a4     00000000 43d04198 83ecf28c kso!curl_easy_reset+0x1cb9d
    17 83ecefd0 674fffdc     83ecf030 43d05e5c 83ecf28c kso!curl_easy_reset+0x1ccf2
    18 83ecf014 671f9c82     83ecf030 43d05e14 83ecf28c kso!curl_easy_reset+0x1082a
    19 83ecf05c 8416279f     54b5af88 5fea6fe8 ffffffff kso!XSAXParse+0x62
    1a 83ecf0fc 8416385d     83ecf058 5fea6fe8 7ab56fd0 ethtmlrw2!html2::StrId::operator!=+0x607f
    1b 83ecf190 84163a8c     50518fe0 2a810568 e6481f02 ethtmlrw2!html2::StrId::operator!=+0x713d
    1c 83ecf1ec 8416180c     59d3cf0c e6481cc2 78272fc8 ethtmlrw2!html2::StrId::operator!=+0x736c
    1d 83ecf22c 841902e0     59d3cee8 00000000 e6481db6 ethtmlrw2!html2::StrId::operator!=+0x50ec
    1e 83ecf358 8418fae7     59d3cec8 83ecf444 e6481d2a ethtmlrw2!html2::UrlStack::~UrlStack+0x35c0
    1f 83ecf3c4 8418e3a4     59d3cec8 83ecf408 0d8f1bc0 ethtmlrw2!html2::UrlStack::~UrlStack+0x2dc7
    20 83ecf494 8417d4ca     e64819ba 0029aff0 6e7b0fb8 ethtmlrw2!html2::UrlStack::~UrlStack+0x1684
    21 83ecf754 84153f6f     00d3d3e4 7cb50ec0 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x437a
    22 83ecf790 841549d9     6e7b0fb8 84155d1f e648192e ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
    23 83ecf7c0 76844f9f     6e308c40 fd73b30e 76844f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xb29
    24 83ecf7f8 76450099     5013afe8 76450080 83ecf864 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
    25 83ecf808 77687b6e     5013afe8 38cba924 00000000 KERNEL32!BaseThreadInitThunk+0x19
    26 83ecf864 77687b3e     ffffffff 776a8ca2 00000000 ntdll!__RtlUserThreadStart+0x2f
    27 83ecf874 00000000     76844f60 5013afe8 00000000 ntdll!_RtlUserThreadStart+0x1b
    

We can see that the 0xc0c0c0c0 value was set by one of the internal page heap manager functions.

Further investigation revealed that the uninitialized value read is related to the Data element, or, more precisely, its absence in a malformed file. The Data element, according to the documentation, is an obligatory element inside the Caption element, and it turned out that developers following the documentation assumed its existence without proper checks. That assumption lead to the vulnerability described above.

The value of uninitialized Data object pointer in further code is used in both read and write operations, which, in a combination with proper heap grooming, can lead to precise memory corruption and in consequence remote code execution.

**Crash Information**

    (1ba8.2d30): Access violation - code c0000005 (first/second chance not available)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    Time Travel Position: 406EFF7:0
    eax=00000000 ebx=83eceb4c ecx=c0c0c0c0 edx=0df81164 esi=83ecec98 edi=77cf8fc8
    eip=6723b200 esp=83eceab8 ebp=83eceb14 iopl=0         nv up ei ng nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
    kso!WStr::data:
    6723b200 8b01            mov     eax,dword ptr [ecx]  ds:002b:c0c0c0c0=????????
    
    
    0:015> kb
     # ChildEBP RetAddr      Args to Child              
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00 83eceb14 841ba621     77cf8fc8 55166f40 e64805b2 kso!WStr::data
    01 83eceb5c 84170349     e64803ce 80004005 83eced94 ethtmlrw2!html2::Attr::~Attr+0x26561
    02 83eced20 8416f595     6fef0c00 83eced94 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x30b9
    03 83eced5c 67393f3b     73b12fc8 6fef0c00 00000000 ethtmlrw2!chart::KETChartDataSourceProvider::operator=+0x2305
    04 83eceda4 67372cf8     6fef0c00 43d04398 7bfd1000 kso!vml::LegacyDomShapeAcceptor::Transform+0x4b
    05 83ecedd0 6736cd34     6fef0c00 6fe46ff0 43d04070 kso!vml::TFill::Transform+0x1ea8
    06 83ecee38 6723d584     83ecf080 6fef0c00 6fef4ff0 kso!vml::VmlDrawingHandler::AddElementAttr+0x784
    07 83ecee4c 8416009b     72c76fe8 00490046 00000001 kso!XmlFxSetGlobalMapperHelper2::BeginSet+0xd4
    08 83ecee64 84169634     83ecf0b4 00490046 500d2800 ethtmlrw2!html2::StrId::operator!=+0x397b
    09 83ecee88 674ff633     4ca0e800 3245efd8 500d2800 ethtmlrw2!html2::StrId::operator!=+0xcf14
    0a 83eceecc 6750cc0b     7eb8efd0 00000007 6751b800 kso!curl_easy_reset+0xfe81
    0b 83ecef60 6750c34f     83ecef8b 43d041d4 83ecf28c kso!curl_easy_reset+0x1d459
    0c 83ecef9c 6750c4a4     00000000 43d04198 83ecf28c kso!curl_easy_reset+0x1cb9d
    0d 83ecefd0 674fffdc     83ecf030 43d05e5c 83ecf28c kso!curl_easy_reset+0x1ccf2
    0e 83ecf014 671f9c82     83ecf030 43d05e14 83ecf28c kso!curl_easy_reset+0x1082a
    0f 83ecf05c 8416279f     54b5af88 5fea6fe8 ffffffff kso!XSAXParse+0x62
    10 83ecf0fc 8416385d     83ecf058 5fea6fe8 7ab56fd0 ethtmlrw2!html2::StrId::operator!=+0x607f
    11 83ecf190 84163a8c     50518fe0 2a810568 e6481f02 ethtmlrw2!html2::StrId::operator!=+0x713d
    12 83ecf1ec 8416180c     59d3cf0c e6481cc2 78272fc8 ethtmlrw2!html2::StrId::operator!=+0x736c
    13 83ecf22c 841902e0     59d3cee8 00000000 e6481db6 ethtmlrw2!html2::StrId::operator!=+0x50ec
    14 83ecf358 8418fae7     59d3cec8 83ecf444 e6481d2a ethtmlrw2!html2::UrlStack::~UrlStack+0x35c0
    15 83ecf3c4 8418e3a4     59d3cec8 83ecf408 0d8f1bc0 ethtmlrw2!html2::UrlStack::~UrlStack+0x2dc7
    16 83ecf494 8417d4ca     e64819ba 0029aff0 6e7b0fb8 ethtmlrw2!html2::UrlStack::~UrlStack+0x1684
    17 83ecf754 84153f6f     00d3d3e4 7cb50ec0 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x437a
    18 83ecf790 841549d9     6e7b0fb8 84155d1f e648192e ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
    19 83ecf7c0 76844f9f     6e308c40 fd73b30e 76844f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xb29
    1a 83ecf7f8 76450099     5013afe8 76450080 83ecf864 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
    1b 83ecf808 77687b6e     5013afe8 38cba924 00000000 KERNEL32!BaseThreadInitThunk+0x19
    1c 83ecf864 77687b3e     ffffffff 776a8ca2 00000000 ntdll!__RtlUserThreadStart+0x2f
    1d 83ecf874 00000000     76844f60 5013afe8 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    0:015> lmv et
    start    end        module name
    00020000 0016c000   et       
        Loaded symbol image file: et.exe
        Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\et.exe
        Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\et.exe
        Image name: et.exe
        Browse all global symbols  functions  data
        Timestamp:        Tue Apr 25 08:42:37 2023 (6447765D)
        CheckSum:         0014FD10
        ImageSize:        0014C000
        File version:     11.2.0.11537
        Product version:  11.2.0.11537
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        0.0 Unknown
        File date:        00000000.00000000
        Translations:     0000.04b0
        Information from resource tables:
            CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
            ProductName:      WPS Office
            InternalName:     et
            OriginalFilename: et.exe
            ProductVersion:   11,2,0,11537
            FileVersion:      11,2,0,11537
            FileDescription:  WPS Spreadsheets
            LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.
    65ac0000 68a6c000   kso      
        Loaded symbol image file: kso.dll
        Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kso.dll
        Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\kso.dll
        Image name: kso.dll
        Browse all global symbols  functions  data
        Timestamp:        Tue Apr 25 09:02:21 2023 (64477AFD)
        CheckSum:         02F68F73
        ImageSize:        02FAC000
        File version:     11.2.0.11537
        Product version:  11.2.0.11537
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        0.0 Unknown
        File date:        00000000.00000000
        Translations:     0000.04b0
        Information from resource tables:
            CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
            ProductName:      WPS Office
            InternalName:     kso
            OriginalFilename: kso.dll
            ProductVersion:   11,2,0,11537
            FileVersion:      11,2,0,11537
            FileDescription:  WPS Office Module
            LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.
    69900000 69e02000   Qt5CoreKso 
        Loaded symbol image file: Qt5CoreKso.dll
        Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll
        Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\Qt5CoreKso.dll
        Image name: Qt5CoreKso.dll
        Browse all global symbols  functions  data
        Timestamp:        Tue Apr 25 06:37:12 2023 (644758F8)
        CheckSum:         00503D31
        ImageSize:        00502000
        File version:     5.12.10.0
        Product version:  5.12.10.0
        File flags:       0 (Mask 3F)
        File OS:          4 Unknown Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0409.04b0
        Information from resource tables:
            CompanyName:      The Qt Company Ltd.
            ProductName:      Qt5
            OriginalFilename: Qt5CoreKso.dll
            ProductVersion:   5.12.10.0
            FileVersion:      5.12.10.0
            FileDescription:  C++ Application Development Framework
            LegalCopyright:   Copyright (C) 2020 The Qt Company Ltd.
    6ba20000 6ba85000   verifier 
        Loaded symbol image file: verifier.dll
        Mapped memory image file: C:\ProgramData\Dbg\sym\verifier.dll\D131439B65000\verifier.dll
        Image path: C:\WINDOWS\SysWOW64\verifier.dll
        Image name: verifier.dll
        Browse all global symbols  functions  data
        Image was built with /Brepro flag.
        Timestamp:        D131439B (This is a reproducible build file hash, not a timestamp)
        CheckSum:         000613E9
        ImageSize:        00065000
        File version:     10.0.19041.1
        Product version:  10.0.19041.1
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0409.04b0
        Information from resource tables:
            CompanyName:      Microsoft Corporation
            ProductName:      Microsoft® Windows® Operating System
            InternalName:     verifier.dll
            OriginalFilename: verifier.dll
            ProductVersion:   10.0.19041.1
            FileVersion:      10.0.19041.1 (WinBuild.160101.0800)
            FileDescription:  Standard application verifier provider dll
            LegalCopyright:   © Microsoft Corporation. All rights reserved.
    84150000 84274000   ethtmlrw2 
        Loaded symbol image file: ethtmlrw2.dll
        Mapped memory image file: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ethtmlrw2.dll
        Image path: C:\Users\Hephaistos\AppData\Local\Kingsoft\WPS Office\11.2.0.11537\office6\ethtmlrw2.dll
        Image name: ethtmlrw2.dll
        Browse all global symbols  functions  data
        Timestamp:        Tue Apr 25 09:34:34 2023 (6447828A)
        CheckSum:         00130A73
        ImageSize:        00124000
        File version:     11.2.0.11537
        Product version:  11.2.0.11537
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        0.0 Unknown
        File date:        00000000.00000000
        Translations:     0000.04b0
        Information from resource tables:
            CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
            ProductName:      WPS Office
            InternalName:     ethtmlrw2
            OriginalFilename: ethtmlrw2.dll
            ProductVersion:   11,2,0,11537
            FileVersion:      11,2,0,11537
            FileDescription:  
            LegalCopyright:   Copyright©2023 Kingsoft Corporation. All rights reserved.
    

**TIMELINE**

2023-05-15 - Vendor Disclosure  
2023-07-11 - Follow-up  
2023-07-13 - Follow-up reminder of 90-day deadline  
2023-08-03 - Follow-up  
2023-08-07 - Follow-up  
2023-08-28 - Follow-up with suggest release date  
2023-11-27 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.