Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)

Title: Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)
Advisory ID: ZSL-2012-5067
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 29.01.2012
Summary
PDF-Saver Technology is a unique new feature of the PDF-XChange software which allows print jobs to be combined before the final PDF file is generated (e.g. to join 3 pages of an Excel spreadsheet, 5 slides of a PowerPoint presentation and 10 pages of a Word document into one PDF document).
Description
The PDF Printer Preferences ActiveX control suffers from a stack buffer overflow vulnerability. When a large buffer is passed as the sub_path parameter of the StoreInRegistry method, or as the sub_key parameter of the InitFromRegistry method, in the pdfxctrl.dll module, the structured exception handler (SEH) record on the stack is overwritten. An attacker can gain access to the system of the affected node and execute arbitrary code.

--------------------------------------------------------------------------------

(1fac.1ea8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0013e9e0 ebx=00000003 ecx=0000008c edx=00001815 esi=0013cd74 edi=0013fffd
eip=7c834d8f esp=0013b75c ebp=0013b780 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
kernel32!lstrcatA+0x36:
7c834d8f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !exchain
0013b770: kernel32!_except_handler3+0 (7c839ac0)
CRT scope 0, filter: kernel32!lstrcatA+45 (7c84086d)
func: kernel32!lstrcatA+49 (7c840876)
0013f1ac: 41414141
Invalid exception stack at 41414141
0:000> d esp
0013b75c 2a 30 00 00 cc 63 18 00-03 00 00 00 5c b7 13 00 *0...c......\...
0013b76c 2a 30 00 00 ac f1 13 00-c0 9a 83 7c a8 4d 83 7c *0.........|.M.|
0013b77c 00 00 00 00 e4 ed 13 00-e7 d8 01 10 e0 e9 13 00 ................
0013b78c 90 b7 13 00 41 41 41 41-41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA
0013b79c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0013b7ac 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0013b7bc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0013b7cc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA

--------------------------------------------------------------------------------
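The crash above stops inside kernel32!lstrcatA with the SEH record replaced by the 0x41 fill byte, which is the signature of an unbounded string concatenation into a fixed-size stack buffer. The following C is an added illustration written for this advisory, not code from pdfxctrl.dll or from the vendor: it places the weak pattern (strcpy/strcat, the portable equivalents of lstrcpyA/lstrcatA) beside a bounded version that measures the result first and refuses a sub_key that would not fit. The buffer size KEY_BUF_SIZE, the base path BASE_KEY and all function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define KEY_BUF_SIZE 260                 /* assumed: a MAX_PATH-sized stack buffer */
#define BASE_KEY "Software\\Example"     /* assumed base registry path, not the real one */

/* Weak pattern: strcpy/strcat (lstrcpyA/lstrcatA on Windows) copy until the
 * source NUL and know nothing about the destination size. A sub_key longer
 * than the space left in key[] runs past the buffer, over the saved frame and,
 * on 32-bit Windows, over the EXCEPTION_REGISTRATION record that !exchain
 * showed filled with 41414141 above. Shown for contrast; never call it with
 * untrusted input. */
void build_key_unbounded(char key[KEY_BUF_SIZE], const char *sub_key)
{
    strcpy(key, BASE_KEY);
    strcat(key, "\\");
    strcat(key, sub_key);   /* no bound: overflow when sub_key is too long */
}

/* Hardened form: compute the required size before writing and refuse input
 * that does not fit, counting the separator and the terminating NUL.
 * Returns 0 on success, -1 if the key would not fit. */
int build_key_bounded(char key[KEY_BUF_SIZE], const char *sub_key)
{
    size_t need = strlen(BASE_KEY) + 1 /* '\\' */ + strlen(sub_key) + 1 /* NUL */;
    if (need > KEY_BUF_SIZE) {
        key[0] = '\0';
        return -1;
    }
    int n = snprintf(key, KEY_BUF_SIZE, "%s\\%s", BASE_KEY, sub_key);
    return (n >= 0 && (size_t)n < KEY_BUF_SIZE) ? 0 : -1;
}

/* Drive the bounded builder with a constructed sub_key of `len` 'A' bytes
 * (the same fill byte as the crash dump), capped at 4095 bytes, and return
 * the builder's status so the decision can be checked directly. */
int bounded_status_for_len(size_t len)
{
    char sub[4096];
    char key[KEY_BUF_SIZE];
    if (len > sizeof(sub) - 1)
        len = sizeof(sub) - 1;
    memset(sub, 'A', len);
    sub[len] = '\0';
    return build_key_bounded(key, sub);
}

/* Length of the key the bounded builder produced, or -1 if it rejected the
 * input; confirms that accepted output is complete and NUL-terminated. */
int bounded_key_len(const char *sub_key)
{
    char key[KEY_BUF_SIZE];
    if (build_key_bounded(key, sub_key) != 0)
        return -1;
    return (int)strlen(key);
}

int main(void)
{
    char key[KEY_BUF_SIZE];
    if (build_key_bounded(key, "pdfSaver") == 0)
        printf("bounded: %s\n", key);
    printf("status for a 2000-byte sub_key: %d (rejected)\n",
           bounded_status_for_len(2000));
    return 0;
}
```

With BASE_KEY at 16 characters, the bounded builder accepts a sub_key of up to 242 bytes and rejects 243 or more; the unbounded variant would have kept copying, which is the behaviour the crash dump records.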

Vendor
Tracker Software Products Ltd. - http://www.tracker-software.com
Affected Version
3.60.0128
Tested On
Microsoft Windows XP Professional SP3 (EN)
Vendor Status
N/A
PoC
pdfxctrl_bof.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/18427/
[2] http://cxsecurity.com/issue/WLB-2012010242
[3] http://www.securityfocus.com/bid/51712
[4] http://packetstormsecurity.org/files/109222/ZSL-2012-5067
[5] http://xforce.iss.net/xforce/xfdb/72774
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5324
Changelog
[29.01.2012] - Initial release
[30.01.2012] - Added references [2] and [3]
[31.01.2012] - Added references [4] and [5]
[24.11.2012] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk