Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)

The PDF Printer Preferences ActiveX suffers from a buffer overflow vulnerability. When a large buffer is sent to the sub_path item of the StoreInRegistry function, and the sub_key item of the InitFromRegistry function, in pdfxctrl.dll module, we get a SEH overwrite. An attacker can gain access to the system of the affected node and execute arbitrary code.

Discovered on 25.01.2012 included in Mindjet MindManager 2012 for Windows version 10.0.493.

COMRaider Output:

-----------
Exception Code: ACCESS_VIOLATION
Disasm: 7C834D8F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] (KERNEL32.dll)

Seh Chain:
--------------------------------------------------
1 7C839AC0 KERNEL32.dll
2 41414141

Called From Returns To
--------------------------------------------------
KERNEL32.7C834D8F pdfxctrl.1001D8E7
pdfxctrl.1001D8E7 41414141

Registers:
--------------------------------------------------
EIP 7C834D8F -> Asc: SOFTWARE\Tracker Software\pdf
EAX 0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf
EBX 00000003
ECX 0000008C
EDX 00001815
EDI 0013FFFD -> 41000000
ESI 0013CD74 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0013B780 -> 0013EDE4
ESP 0013B75C -> 0000302A -> Uni: *0*0

Block Disassembly:
--------------------------------------------------
7C834D82 MOV CL,[EDI+1]
7C834D85 INC EDI
7C834D86 TEST CL,CL
7C834D88 JNZ SHORT 7C834D82
7C834D8A MOV ECX,EDX
7C834D8C SHR ECX,2
7C834D8F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] <--- CRASH 7C834D91 MOV ECX,EDX 7C834D93 AND ECX,3 7C834D96 REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI] 7C834D98 OR DWORD PTR [EBP-4],FFFFFFFF 7C834D9C CALL 7C802511 7C834DA1 RETN 8 7C834DA4 NOP 7C834DA5 NOP ArgDump: -------------------------------------------------- EBP+8 0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf
EBP+12 0013B790 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 41414141
EBP+20 41414141
EBP+24 41414141
EBP+28 41414141

Stack Dump:
--------------------------------------------------
13B75C 2A 30 00 00 84 63 18 00 03 00 00 00 5C B7 13 00 [.....c......\...]
13B76C 2A 30 00 00 AC F1 13 00 C0 9A 83 7C A8 4D 83 7C [.............M..]
13B77C 00 00 00 00 E4 ED 13 00 E7 D8 01 10 E0 E9 13 00 [................]
13B78C 90 B7 13 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]
13B79C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]

-----------

CompanyName Tracker Software Products
FileDescription PDF Printer Preferences ActiveX
FileVersion 3.60.0128
InternalName pdfxctrl.dll
LegalCopyright Copyright © 2001-2006 by Tracker Software Products
OriginalFileName pdfxctrl.dll
ProductName Tracker Software Products pdfxctrl.PdfPrinterPreferences ActiveX
ProductVersion 3.60

Advisory ID: ZSL-2012-5067 (Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH))
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php

Comment are closed.