Zero Science Lab » Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)

Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)

Title: Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)
Advisory ID: ZSL-2012-5067
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 29.01.2012

Summary

PDF-Saver Technology is a unique new feature of PDF-XChange software which allows printing jobs to be combined prior to the final PDF file being generated - (e.g. to join 3 pages of Excel spreadsheet, 5 slides of PowerPoint presentation and 10 pages of Word document into one PDF document).

Description

The PDF Printer Preferences ActiveX suffers from a buffer overflow vulnerability. When a large buffer is sent to the sub_path item of the StoreInRegistry function, and the sub_key item of the InitFromRegistry function, in pdfxctrl.dll module, we get a SEH overwrite. An attacker can gain access to the system of the affected node and execute arbitrary code.

--------------------------------------------------------------------------------


(1fac.1ea8): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=0013e9e0 ebx=00000003 ecx=0000008c edx=00001815 esi=0013cd74 edi=0013fffd

eip=7c834d8f esp=0013b75c ebp=0013b780 iopl=0         nv up ei pl nz na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206

kernel32!lstrcatA+0x36:

7c834d8f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

0:000> !exchain

0013b770: kernel32!_except_handler3+0 (7c839ac0)

  CRT scope  0, filter: kernel32!lstrcatA+45 (7c84086d)

                func:   kernel32!lstrcatA+49 (7c840876)

0013f1ac: 41414141

Invalid exception stack at 41414141

0:000> d esp

0013b75c  2a 30 00 00 cc 63 18 00-03 00 00 00 5c b7 13 00  *0...c......\...

0013b76c  2a 30 00 00 ac f1 13 00-c0 9a 83 7c a8 4d 83 7c  *0.........|.M.|

0013b77c  00 00 00 00 e4 ed 13 00-e7 d8 01 10 e0 e9 13 00  ................

0013b78c  90 b7 13 00 41 41 41 41-41 41 41 41 41 41 41 41  ....AAAAAAAAAAAA

0013b79c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

0013b7ac  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

0013b7bc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

0013b7cc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

--------------------------------------------------------------------------------

Vendor

Tracker Software Products Ltd. - http://www.tracker-software.com

Affected Version

3.60.0128

Tested On

Microsoft Windows XP Professional SP3 (EN)

Vendor Status

N/A

PoC

pdfxctrl_bof.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://www.exploit-db.com/exploits/18427/
[2] http://cxsecurity.com/issue/WLB-2012010242
[3] http://www.securityfocus.com/bid/51712
[4] http://packetstormsecurity.org/files/109222/ZSL-2012-5067
[5] http://xforce.iss.net/xforce/xfdb/72774
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5324

Changelog

[29.01.2012] - Initial release
[30.01.2012] - Added reference [2] and [3]
[31.01.2012] - Added reference [4] and [5]
[24.11.2012] - Added reference [6]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk