=====[ Tempest Security Intelligence - ADV-16/2018 ]===

WPS Free Office 10.2.0.5978 - NULL DACL grants full access
-------------------------------------------------------
Author:
- Filipe Xavier Oliveira: < filipe.xavier () tempest.com.br

=====[ Table of Contents
]=====================================================

* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References

=====[ Overview
]==============================================================

* System affected : KingSoft WPS Free Office [1]
* Software Version : 10.2.0.5978. Other versions or models may also be
affected.
* Impact : A low privileged user can access and modify the DACL of pipe
with full access allowed. The NULL DACL grants full access to any user
that requests it; normal security checking is not performed with respect
to the object.

=====[ Detailed description
]==================================================

Kingsoft WPS Office Free 10.2.0.5978 allows local users to gain
privileges or cause a denial of service by impersonating all the pipes
through a use of \\.\pipe\WPSCloudSvr\WpsCloudSvr -- an "insecurely
created named pipe." Ensures full access to Everyone users group.

=====[ Timeline of disclosure
]===============================================

29/01/2018 - Vendor was informed of the vulnerability.
01/29/2018 - CVE assigned [2]
02/05/2018 - Tried to contact vendor again.
03/06/2018 - Advisory publication date.

=====[ Thanks & Acknowledgements
]============================================

- Tempest Security Intelligence / Tempest's Pentest Team [3]

=====[ References
]===========================================================

[1] - http://www.kingsoftstore.com/
[2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6400
[3] - http://www.tempest.com.br

-- 
Filipe Oliveira
Tempest Security Intelligence