accept no compromises

PDFCool Studio Buffer Overflow

PDFCool Studio Buffer Overflow
Posted Oct 1, 2013
Authored by Core Security Technologies, Marcos Accossatto | Site

Core Security Technologies Advisory - PDFCool Studio Suite is prone to a security vulnerability when processing PDF files. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing users to open a specially crafted PDF file (client-side attack). PDFAX0722_IconCool.dll version 7.22.1125.2121 is affected.

tags | advisory, remote, arbitrary
advisories | CVE-2013-4986
MD5 | e54aac99b9cffa19211dc84de81585ee

PDFCool Studio Buffer Overflow

Change Mirror Download
Core Security - Corelabs Advisory

PDFCool Studio Buffer Overflow Vulnerability

1. *Advisory Information*

Title: PDFCool Studio Buffer Overflow Vulnerability
Advisory ID: CORE-2013-0828
Advisory URL:
Date published: 2013-10-02
Date of last update: 2013-10-02
Vendors contacted: IconCool Software
Release mode: User release

2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2013-4986

3. *Vulnerability Description*

PDFCool Studio Suite [1], [2] is prone to a security vulnerability when
processing PDF files. This vulnerability could be exploited by a remote
attacker to execute arbitrary code on the target machine by enticing
users to open a specially crafted PDF file (client-side attack).

4. *Vulnerable Packages*

. PDFAX0722_IconCool.dll v7.22.1125.2121.
. Other versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

There was no official answer from vendor after several attempts to
report this vulnerability (see [Sec. 8]). As mitigation action, given
that this is a client-side vulnerability, avoid to open untrusted PDF
files. Contact vendor for further information.

6. *Credits*

This vulnerability was discovered and researched by Marcos Accossatto
from CORE Exploit Writers Team.

7. *Technical Description / Proof of Concept Code*

Below is shown the result of opening the maliciously crafted PDF file
[3] on Windows XP SP3 (EN):

$+A50C6 > C740 14 1E000000 MOV DWORD PTR DS:[EAX+14],1E
; <== Exception - Tries to write to 909090A4
$+A50CD > 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
$+A50D1 > 8950 18 MOV DWORD PTR DS:[EAX+18],EDX
$+A50D4 > 8BC7 MOV EAX,EDI


At that time, the 'EAX' register contains the first 'DWORD' of our

EAX 90909090
ECX 000007B4
EDX 0012E190
EBX 048757D1
EBP 0012E064
ESI 000002F0
EDI 0012DF88
EIP 044760C6 PDFAX0~1.044760C6
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.5000000000000000000
ST3 empty -2.9802320611338473100e-08
ST4 empty 1.0000000000000000000
ST5 empty 4.3980465111040000000e+12
ST6 empty 5.3123247893381160000e+15
ST7 empty 5.0609752291423027300e+17
3 2 1 0 E S P U O Z D I
FST 0020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT)
FCW 137F Prec NEAR,64 Mask 1 1 1 1 1 1

The stack's exception handler is overwritten with:

0012DE00 0000000A
.... ....
0012DF6C 0EDDE2F1
0012DF70 909006EB Pointer to next SEH record
0012DF74 005D88EF SE handler

In the address '005D88EF' (the main executable module of PDFCool Studio)
we have:

005D88F0 59 POP ECX
005D88F1 C3 RETN

and the stack:

0012DA2C 7C9032A8 RETURN to ntdll.7C9032A8
0012DA30 0012DB14
0012DA34 0012DF70

So, the 'RETN' of '005D88F1' will jump to '12DF70' (the stack) where our
shellcode is located:

0012DF70 EB 06 JMP SHORT 0012DF78
0012DF72 90 NOP
0012DF73 90 NOP
0012DF74 EF OUT DX,EAX ;
I/O command
0012DF75 885D 00 MOV BYTE PTR SS:[EBP],BL
0012DF78 90 NOP

which means the normal execution flow can be altered in order to execute

arbitrary code.

8. *Report Timeline*

. 2013-09-03:
Core Security Technologies attempts to contact vendor using the IconCool
official technical support contact page [4]. No reply received.
Publication date is set for Sep 25th, 2013.

. 2013-09-09:
Core attempts to contact vendor.

. 2013-09-16:
Core attempts to contact vendor.

. 2013-09-25:
First release date missed.

. 2013-10-02:
Advisory CORE-2013-0828 published.

9. *References*


[4] IconCool technical support page

10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:

11. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:

12. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    2 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2016 Packet Storm. All rights reserved.

Security Services
Hosting By