CVE-2023-50235 – A stack-based buffer overflow vulnerability in ... (How to Fix)

Q: What is the severity of CVE-2023-50235?

CVE-2023-50235 has a CVSS score of 7.8 (HIGH). A stack-based buffer overflow vulnerability in Hancom Office Show's PPT file parser allows remote attackers to execute arbitrary code when users open malicious PowerPoint files. This affects all installations of vulnerable Hancom Office Show versions. User interaction is required as victims must open a malicious file.

📋 TL;DR

A stack-based buffer overflow vulnerability in Hancom Office Show's PPT file parser allows remote attackers to execute arbitrary code when users open malicious PowerPoint files. This affects all installations of vulnerable Hancom Office Show versions. User interaction is required as victims must open a malicious file.

💻 Affected Systems

Products:

Hancom Office Show

Versions: Specific vulnerable versions not publicly detailed in references; likely multiple versions before patched release.

Operating Systems: Windows, Linux, macOS (where Hancom Office is supported)

Default Config Vulnerable: ⚠️ Yes

Notes: All installations with vulnerable versions are affected when opening PPT files. No special configuration required for exploitation.

📦 What is this software?

Office Show by Hancom

View all CVEs affecting Office Show →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the victim's computer, enabling data theft, ransomware deployment, or lateral movement within networks.

🟠

Likely Case

Malware installation leading to data exfiltration, credential theft, or system disruption through targeted phishing campaigns with malicious PPT attachments.

🟢

If Mitigated

Limited impact with proper email filtering blocking malicious attachments and endpoint protection preventing successful exploitation.

🌐 Internet-Facing: MEDIUM - Requires user interaction via email attachments or downloads, but common in phishing attacks.

🏢 Internal Only: MEDIUM - Internal phishing campaigns or shared malicious files on network drives could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user to open malicious file but no authentication needed. Buffer overflow to RCE is straightforward once file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references; check Hancom security advisory for patched version.

Vendor Advisory: Not provided in references; check Hancom website for security updates.

Restart Required: Yes

Instructions:

1. Check Hancom security advisory for patch details.
2. Download and install latest Hancom Office Show update.
3. Restart system to ensure patch is fully applied.
4. Verify version is updated to patched release.

🔧 Temporary Workarounds

Disable PPT file association

windows

Prevent Hancom Office Show from automatically opening PPT files by changing file associations.

Windows: Control Panel > Default Programs > Set Associations > Change .ppt/.pptx to open with different application

Application control blocking

all

Use endpoint protection to block Hancom Office Show execution or restrict to trusted files only.

🧯 If You Can't Patch

Implement strict email filtering to block PPT attachments from untrusted sources.
Use application whitelisting to prevent unauthorized execution of Hancom Office Show.

🔍 How to Verify

Check if Vulnerable:

Check Hancom Office Show version against vendor's patched version list. If version is older than patched release, system is vulnerable.

Check Version:

Windows: Check Help > About in Hancom Office Show interface. Linux/macOS: Check application info or package manager.

Verify Fix Applied:

Verify Hancom Office Show version matches or exceeds patched version specified in vendor advisory.

📡 Detection & Monitoring

Log Indicators:

Unusual process creation from Hancom Office Show (e.g., cmd.exe, powershell.exe spawned)
Crash logs from Hancom Office Show with memory access violations

Network Indicators:

Outbound connections from Hancom Office Show to suspicious IPs post-file opening
DNS requests to malicious domains following PPT file processing

SIEM Query:

Process Creation where ParentImage contains 'Hancom' AND (Image contains 'cmd.exe' OR Image contains 'powershell.exe')

📊 Metadata

CVE ID: CVE-2023-50235

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: May 3, 2024

Last Updated: August 14, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-23-1857/ Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1857/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-50235, you might also want to check these: