Kingsoft WPS Office TCC Bypass Vulnerability in Version 6.14.0 on macOS

A critical code injection vulnerability has been identified in Kingsoft WPS Office version 6.14.0 for macOS. This issue arises from the application's failure to enable the 'Hardened Runtime' signing option, a security feature that prevents code injection attacks. As a result, an attacker can exploit this vulnerability by loading a malicious dynamic library (dylib) into the WPS process, bypassing the Transparency, Consent, and Control (TCC) mechanism, and gaining unauthorized access to sensitive resources such as the user's camera, microphone, and protected directories like Downloads.

Impact

Exploitation of this vulnerability allows for unauthorized code execution within the WPS process, with the injected code running under the same permissions as the application. This not only bypasses macOS's built-in security controls but also enables access to TCC-protected resources, leading to potential privacy violations and unauthorized surveillance.

Reproduction

To reproduce this vulnerability, download WPS Office 6.14.0 from the Apple Mac App Store. After verifying that the application does not have the 'Hardened Runtime' option enabled, create a custom dylib designed to check access to the microphone, camera, and Downloads folder. Once compiled, inject this dylib into the WPS process using a LaunchAgent that specifies the DYLD_INSERT_LIBRARIES environment variable. After loading the LaunchAgent, the injected dylib will access the TCC-protected resources, demonstrating the bypass.

Remediation

The recommended fix for this vulnerability is to enable the 'Hardened Runtime' option in the application's code signing. This simple adjustment can significantly reduce the risk of code injection attacks and enhance the overall security of the application.