Vulnerability discovered by a member of Talos.

Published by Hancom inc. the Hangul Office Suite, of which Hangul Word Processor is part, is the leading word processing and office productivity suite in South Korea. This vulnerability allows attackers to craft a malicious document that when opened, allows the attacker to cause arbitrary code to be executed on the victim’s system.

TALOS-2017-0320 (CVE-2017-2819) Hangul Word Processor Buffer Overflow Vulnerability
Hangul Word Processor documents uses a structured format to store the various objects that comprise the final document. When opening a document the software reads metadata tags which describe the object properties, and calculates the memory necessary to store each object.
The record, HWPTAG_TAB_DEF describes information about the tab definitions within the document. The header information in this section describes how much memory is required to load the relevant data section. However, a value can be included in the header which leads to the heap buffer used in the previous tab definition being re-used without being resized. This leads to a buffer overflow condition as the contents of the tab section are written outside of the allocated buffer onto the heap, ultimately leading to remote code execution.

More details can be found in the vulnerability reports: TALOS-2017-0320.

Know vulnerable versions: Hancom Office 2014 version

Hangul Word Processor documents are a favourite vector of threat actors targeting users in South Korea. We have recently written about two examples of such threats, here and here. Vulnerabilities in office productivity software are useful to attackers who can use file formats which are frequently distributed over email to target their victims. Users should ensure that all software, including office productivity suites are kept up to patch to ensure that attackers are unable to use such vulnerabilities to compromise systems.

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules: 35832 - 35833