----------------------------------------------------------------------


Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March).

http://secunia.com/company/events/mms_2011/


----------------------------------------------------------------------

TITLE:
PDF-Pro Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA42805

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42805/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42805

RELEASE DATE:
2011-03-20

DISCUSS ADVISORY:
http://secunia.com/advisories/42805/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
 * Last Update
 * Popularity
 * Comments
 * Criticality Level
 * Impact
 * Where
 * Solution Status
 * Operating System / Software
 * CVE Reference(s)

http://secunia.com/advisories/42805/

ONLY AVAILABLE IN CUSTOMER AREA:
 * Authentication Level
 * Report Reliability
 * Secunia PoC
 * Secunia Analysis
 * Systems Affected
 * Approve Distribution
 * Remediation Status
 * Secunia CVSS Score
 * CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=42805

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
 * AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
Parvez Anwar has discovered some vulnerabilities in PDF-Pro, which
can be exploited by malicious people to compromise a user's system.

1) The application loads libraries (e.g. dwmapi.dll) in an insecure
manner, which can be exploited to load arbitrary libraries by
tricking a user into e.g. opening a PDF file located on a remote
WebDAV or SMB share.

2) A boundary error in the bundled PDF Reader ActiveX control
(ePapyrusReader.ocx) when handling arguments passed to the "open()"
method can be exploited to cause a stack-based buffer overflow.

3) Two boundary errors in ePapyrusReader.ocx when handling arguments
passed to the "open_stream()" method can be exploited to cause
heap-based buffer overflows.

4) A use-after-free error in ePapyrusReader.ocx when handling
arguments passed to the "open_stream()" method can be exploited to
dereference already freed memory.

5) A use-after-free error in ePapyrusReader.ocx when encountering
corrupted arrays in a dictionary can be exploited to dereference
already freed memory via a specially crafted PDF file.

6) The unsafe "RemoveFile()" method provided by ePapyrusReader.ocx
allows deleting arbitrary files on a user's system.

7) The unsafe "DownloadFTP()" method in combination with the
"SetFTPInfo()" method provided by ePapyrusReader.ocx allows
downloading arbitrary files to a user's system.

8) The unsafe "UploadFTP" method in combination with the
"SetFTPInfo()" method provided by ePapyrusReader.ocx allows
retrieving arbitrary files from a user's system.

The vulnerabilities are confirmed in version 4.0.1.758 bundling
ePapyrusReader.ocx version 1.6.2.1874. Most of the vulnerabilities
are also confirmed in version 4.5.2.1321 bundling ePapyrusReader.ocx
version 1.6.2.2612. Other versions may also be affected.

SOLUTION:
Set the kill-bit for the affected ActiveX control and do not open
untrusted PDF files.

PROVIDED AND/OR DISCOVERED BY:
Parvez Anwar via Secunia.

Additional information provided by Secunia Research.

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------