CVE-2012-4886
published 2014-03-24

CVE-2012-4886: Stack-based buffer overflow in wpsio.dll in Kingsoft WPS Office 2012 possibly 8.1.0.3238 allows remote attackers to execute arbitrary code via a long BSTR…

Priority: P357 | critical | 10 | CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 15.35% (96.4th percentile)
Stack-based buffer overflow in wpsio.dll in Kingsoft WPS Office 2012 possibly 8.1.0.3238 allows remote attackers to execute arbitrary code via a long BSTR string.

Affected

1 range
Vendor | Product | Version range | Fixed in
kingsoft | office_2012 | |

Detection & IOCs (extracted from sources)

filename: wpsio.dll
url: http://wdl.cache.ijinshan.com/wps/download/special/WPS2012.12012.exe
path: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
filename: poc.wps
  • Inspect .wps files for anomalously long BSTR strings at file offset 0x41d7, which is the source of the malicious memcpy data triggering the overflow.
  • Detect overwritten SEH chain pointing to 0x90909090 (NOP sled) as a sign of active exploitation of this vulnerability.
  • Flag wpsio.dll with file version 8.1.0.3238 (timestamp Mon May 28 04:10:12 2012, CheckSum 0026D933, ImageSize 0026F000) as the confirmed vulnerable binary.
  • The CVE description states the affected version is 'possibly 8.1.0.3238', but the crash dump and module info from the PoC confirm version 8.1.0.3238 as the tested vulnerable build.