CVE-2024-35205: Security Flaw in WPS Office Puts Over 500 Million Android Users at Risk

Popular office suite app WPS Office, with over 500 million installs on Android, has been found vulnerable to a path traversal attack dubbed “Dirty Stream,” potentially exposing user data and enabling unauthorized access to online accounts.

The vulnerability, CVE-2024-35205, arises from the application’s failure to properly sanitize filenames before processing them through interactions with external applications. This flaw allows other applications on the same device to send specially crafted library files to the WPS Office, potentially leading to the overwriting of existing native libraries used by the app. The exploitation of this vulnerability could result in the unauthorized execution of arbitrary commands under the application’s ID.

Getting remote access to local shares | Image: Microsoft

According to Dimitrios Valsamaras of the Microsoft Threat Intelligence team, the implications of such an attack include arbitrary code execution and token theft, which could compromise user security significantly. Attackers could potentially take full control of the app’s behavior, manipulate WPS Office to perform unauthorized actions or access sensitive user data.

How the ‘Dirty Stream’ Attack Works:

The attack leverages Android’s content provider mechanism, which is designed to allow secure file sharing between applications. However, oversights in this system can lead to the bypassing of protective measures within an application’s dedicated data and memory space.

In particular, a malicious app could declare a rogue version of the FileProvider class, enabling it to share files with names dictated by the attacker. If WPS Office does not validate or sanitize these filenames, it could end up overwriting its files with malicious content sent by the other app. This can lead to scenarios where, for instance, a rogue app replaces a legitimate library with a malicious one, which WPS Office then executes, thinking it is legitimate.

Two primary threat scenarios emerge from this vulnerability:

1. Preference Manipulation: By overwriting the shared preferences file of WPS Office, an attacker could redirect the application to communicate with a server under their control, leading to data exfiltration.
2. Library Replacement: If WPS Office loads native libraries from its data directory, a rogue application could replace these with malicious versions, leading to direct execution of harmful code.

Mitigation and Protection

To mitigate this threat, users of WPS Office on Android are urged to update their app to the latest version (17.0.0 or above), which includes a fix for the CVE-2024-35205 vulnerability. Additionally, users should be cautious about the permissions they grant to applications and be wary of installing software from unknown or untrusted sources.