Vendor: Slimpdf Reader
By: Jason Kratzer
CVSS: 7.5 (HIGH)
CWE: Buffer Overflow
Product Name: Slimpdf Reader
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows

Slimpdf Reader Overflow Vulnerability

Slimpdf Reader from investintech is prone to several overflows that can lead to code execution. The crash is triggered by simply adding 50,000 random characters in the header of a PDF file.

Mitigation:

Unknown

Exploit-DB raw data:

Slimpdf Reader from investintech,
http://www.investintech.com/resources/freetools/slimpdfreader/, is prone to
several overflows that can lead to code execution. The crash below is
triggered by simply adding 50,000 random characters in the header of a PDF
file. The initial bug and directions to exploitation were provided by Jason
Kratzer.

PoC at http://www.deventum.com/research/crash_slimpdf.pdf
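The trigger described above is an oversized header line, which is something a mail gateway or sandbox can screen for before a file ever reaches a reader. The following pre-screen is an added example written for this page; it is not code from the advisory, from Exploit-DB or from investintech. The size limits (1 KiB for the header line and for the binary-marker comment) are assumed sanity thresholds, not values from the PDF specification or from SlimPDF Reader, and the two sample documents are constructed inline.

```python
import re

# Assumed sanity limits for a gateway/sandbox pre-screen; they are not taken from the
# PDF specification or from SlimPDF Reader. A real header line is about 8 bytes, and the
# optional binary-marker comment that follows it is a handful of bytes, so anything
# beyond 1 KiB on either line is suspicious.
MAX_HEADER_LINE = 1024
MAX_COMMENT_LINE = 1024

HEADER_RE = re.compile(rb"^%PDF-\d\.\d")
LINE_SPLIT_RE = re.compile(rb"\r\n|\r|\n")


def prescreen_pdf(data: bytes) -> list:
    """Return a list of findings for a PDF that looks malformed; an empty list means it passed."""
    findings = []
    lines = LINE_SPLIT_RE.split(data, maxsplit=2)
    first = lines[0]
    second = lines[1] if len(lines) > 1 else b""

    if not HEADER_RE.match(first):
        findings.append("first line is not a %PDF-M.N header")
    if len(first) > MAX_HEADER_LINE:
        findings.append(f"header line is {len(first)} bytes, limit is {MAX_HEADER_LINE}")
    if second.startswith(b"%") and len(second) > MAX_COMMENT_LINE:
        findings.append(f"binary-marker comment is {len(second)} bytes, limit is {MAX_COMMENT_LINE}")
    if b"%%EOF" not in data[-1024:]:
        findings.append("no %%EOF marker in the last 1 KiB")
    return findings


# Constructed sample inputs (not real files from the advisory).
BENIGN_PDF = (
    b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Mirrors the advisory's trigger: a long run of characters appended to the header line.
OVERSIZED_HEADER_PDF = b"%PDF-1.4" + b"A" * 50000 + b"\n" + BENIGN_PDF[len(b"%PDF-1.4\n"):]


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("oversized header", OVERSIZED_HEADER_PDF)):
        print(name, "->", prescreen_pdf(blob) or "ok")
```

The check deliberately looks only at the first two lines and the trailer region, so it runs in constant time on arbitrarily large attachments; a file that fails it should be quarantined or routed to a sandboxed renderer rather than opened in a desktop reader.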

CommandLine: "C:\Program Files\Investintech.com Inc\SlimPDF Reader\SlimPDF Reader.exe"

Executable search path is:
ModLoad: 00400000 00776000   SlimPDF Reader.exe
ModLoad: 779c0000 77afd000   ntdll.dll
ModLoad: 76990000 76a64000   C:\Windows\system32\kernel32.dll
ModLoad: 75e10000 75e5a000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 77920000 779c0000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 77870000 7791c000   C:\Windows\system32\msvcrt.dll
ModLoad: 75e70000 75e89000   C:\Windows\SYSTEM32\sechost.dll
ModLoad: 77760000 77801000   C:\Windows\system32\RPCRT4.dll
ModLoad: 76470000 76539000   C:\Windows\system32\USER32.dll
ModLoad: 767e0000 7682e000   C:\Windows\system32\GDI32.dll
ModLoad: 762c0000 762ca000   C:\Windows\system32\LPK.dll
ModLoad: 75f70000 7600d000   C:\Windows\system32\USP10.dll
ModLoad: 75ef0000 75f6b000   C:\Windows\system32\COMDLG32.dll
ModLoad: 75e90000 75ee7000   C:\Windows\system32\SHLWAPI.dll
ModLoad: 74a40000 74bde000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\COMCTL32.dll
ModLoad: 76a80000 776c9000   C:\Windows\system32\SHELL32.dll
ModLoad: 6cbf0000 6cc41000   C:\Windows\system32\WINSPOOL.DRV
ModLoad: 6ab80000 6ab9c000   C:\Windows\system32\oledlg.dll
ModLoad: 76830000 7698c000   C:\Windows\system32\ole32.dll
ModLoad: 776d0000 7775f000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 76540000 76575000   C:\Windows\system32\WS2_32.dll
ModLoad: 76a70000 76a76000   C:\Windows\system32\NSI.dll
ModLoad: 74730000 748c0000   C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
ModLoad: 76580000 7669a000   C:\Windows\system32\WININET.dll
ModLoad: 75e60000 75e63000   C:\Windows\system32\Normaliz.dll
ModLoad: 76100000 762b6000   C:\Windows\system32\iertutil.dll
ModLoad: 766a0000 767b0000   C:\Windows\system32\urlmon.dll
(9d8.c1c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0012fb0c edx=77a06344 esi=fffffffe edi=00000000
eip=77a5ebbe esp=0012fb28 ebp=0012fb54 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrVerifyImageMatchesChecksum+0x633:
77a5ebbe cc              int     3
0:000> g
ModLoad: 76010000 7602f000   C:\Windows\system32\IMM32.DLL
ModLoad: 76030000 760fc000   C:\Windows\system32\MSCTF.dll
ModLoad: 748c0000 74900000   C:\Windows\system32\uxtheme.dll
ModLoad: 73650000 7365f000   C:\Windows\system32\inetmib1.dll
ModLoad: 73b90000 73bac000   C:\Windows\system32\IPHLPAPI.DLL
ModLoad: 730d0000 730d7000   C:\Windows\system32\WINNSI.DLL
ModLoad: 6c8d0000 6c8d9000   C:\Windows\system32\snmpapi.dll
ModLoad: 75ab0000 75abc000   C:\Windows\system32\CRYPTBASE.dll
ModLoad: 74480000 74493000   C:\Windows\system32\dwmapi.dll
ModLoad: 77810000 77815000   C:\Windows\system32\psapi.dll
ModLoad: 77b00000 77b83000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 6afe0000 6b038000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 74270000 7436b000   C:\Windows\system32\WindowsCodecs.dll
ModLoad: 75a60000 75aab000   C:\Windows\system32\apphelp.dll
ModLoad: 6bdc0000 6bdf1000   C:\Windows\system32\EhStorShell.dll
ModLoad: 762d0000 7646d000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 75d20000 75d47000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 75d00000 75d12000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 74900000 749f5000   C:\Windows\system32\PROPSYS.dll
ModLoad: 6bd50000 6bdba000   C:\Windows\System32\cscui.dll
ModLoad: 6bd40000 6bd49000   C:\Windows\System32\CSCDLL.dll
ModLoad: 714e0000 714eb000   C:\Windows\system32\CSCAPI.dll
ModLoad: 6bcd0000 6bd3f000   C:\Windows\system32\ntshrui.dll
ModLoad: 757f0000 75809000   C:\Windows\system32\srvcli.dll
ModLoad: 73cf0000 73cfa000   C:\Windows\system32\slc.dll
ModLoad: 74ea0000 74ec1000   C:\Windows\system32\ntmarta.dll
ModLoad: 77820000 77865000   C:\Windows\system32\WLDAP32.dll
ModLoad: 75b60000 75b6b000   C:\Windows\system32\profapi.dll
ModLoad: 755e0000 755f6000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 75380000 753bb000   C:\Windows\system32\rsaenh.dll
ModLoad: 75b20000 75b2e000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 66030000 6608c000   C:\Windows\System32\StructuredQuery.dll
ModLoad: 75900000 75908000   C:\Windows\System32\Secur32.dll
ModLoad: 75a40000 75a5a000   C:\Windows\system32\SSPICLI.DLL
ModLoad: 6b450000 6b49e000   C:\Windows\system32\actxprxy.dll
ModLoad: 665e0000 66612000   C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 67620000 67636000   C:\Windows\system32\thumbcache.dll
ModLoad: 6b3f0000 6b41e000   C:\Windows\system32\SHDOCVW.dll
ModLoad: 69f80000 6a8c5000   C:\Windows\system32\ieframe.DLL
ModLoad: 72bb0000 72bec000   C:\Windows\system32\OLEACC.dll
ModLoad: 73440000 734df000   C:\Windows\system32\SearchFolder.dll
ModLoad: 6a9e0000 6ab78000   C:\Windows\system32\NetworkExplorer.dll
ModLoad: 6b4d0000 6b4d9000   C:\Windows\system32\LINKINFO.dll
ModLoad: 74120000 7412f000   C:\Windows\system32\samcli.dll
ModLoad: 74a00000 74a12000   C:\Windows\system32\SAMLIB.dll
ModLoad: 74140000 74149000   C:\Windows\system32\netutils.dll
(9d8.c1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01d32eb0 ebx=01d1fdc8 ecx=01d2fd68 edx=00000150 esi=01d32e08 edi=01d2fde8
eip=004419c4 esp=0012ebcc ebp=0012ebe8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** WARNING: Unable to verify checksum for SlimPDF Reader.exe
*** ERROR: Module load completed but symbols could not be loaded for SlimPDF Reader.exe
SlimPDF_Reader+0x419c4:
004419c4 880c02          mov     byte ptr [edx+eax],cl ds:0023:01d33000=??
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at SlimPDF_Reader+0x00000000000419c4 (Hash=0x566e1f14.0x18331e13)

User mode write access violations that are not near NULL are exploitable.
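The !exploitable verdict above rests on two facts that can be read straight out of the register dump: the faulting instruction writes to memory, and the target address is far from NULL. The following script is an added example for this page, not part of the advisory or of the !exploitable extension; it re-derives those facts from the dump itself. It recomputes the effective address of the `[edx+eax]` operand from the register values, confirms it equals the reported fault address 0x01d33000, and notes that this address is page-aligned (a 0x1000 boundary), which is consistent with a byte-copy loop running off the end of a heap allocation into an unmapped page. The crash text is the advisory's own WinDbg output with the wrapped lines rejoined; the 64 KiB "near NULL" threshold is an assumption of this example, not the exact rule !exploitable applies.

```python
import re

PAGE_SIZE = 0x1000          # x86 page size; a fault exactly on a page boundary suggests a run-off-the-end access
NEAR_NULL_LIMIT = 0x10000   # assumed threshold for "near NULL"; not the exact value !exploitable uses

# Constructed from the faulting stop quoted in the advisory, with wrapped lines rejoined.
CRASH_DUMP = """\
(9d8.c1c): Access violation - code c0000005 (first chance)
eax=01d32eb0 ebx=01d1fdc8 ecx=01d2fd68 edx=00000150 esi=01d32e08 edi=01d2fde8
eip=004419c4 esp=0012ebcc ebp=0012ebe8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
SlimPDF_Reader+0x419c4:
004419c4 880c02          mov     byte ptr [edx+eax],cl ds:0023:01d33000=??
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-fA-F]{8})\b")
# The disassembly line WinDbg prints for the faulting instruction: address, opcode bytes,
# mnemonic, operands, then the effective address it could not access ("ds:0023:01d33000=??").
INSN_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F]{8})\s+[0-9a-fA-F]+\s+(?P<mnem>\w+)\s+(?P<ops>.+?)\s+ds:[0-9a-fA-F]{4}:(?P<fault>[0-9a-fA-F]{8})=",
    re.M,
)


def parse_crash(dump: str):
    """Return (registers, fault) where fault describes the faulting instruction."""
    # If a dump contains several stops, the last register block wins, which is the faulting one.
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    m = INSN_RE.search(dump)
    if m is None:
        raise ValueError("no faulting instruction line found")
    ops = m.group("ops")
    mem = re.search(r"\[(?P<expr>[^\]]+)\]", ops)
    if mem is None:
        raise ValueError("faulting instruction has no memory operand")
    # Intel syntax lists the destination first, so a memory operand before the comma is written to.
    is_write = "," in ops and ops.index("[") < ops.index(",")
    return regs, {
        "ip": int(m.group("addr"), 16),
        "mnemonic": m.group("mnem"),
        "mem_expr": mem.group("expr"),
        "is_write": is_write,
        "fault_addr": int(m.group("fault"), 16),
    }


def effective_address(expr: str, regs: dict) -> int:
    """Evaluate a simple additive WinDbg memory expression such as 'edx+eax' or 'eax+0x10'."""
    total = 0
    for term in expr.replace(" ", "").split("+"):
        total += regs[term] if term in regs else int(term, 16)
    return total & 0xFFFFFFFF


def triage(dump: str) -> dict:
    """Apply the write/near-NULL heuristic and cross-check the reported fault address."""
    regs, fault = parse_crash(dump)
    ea = effective_address(fault["mem_expr"], regs)
    near_null = fault["fault_addr"] < NEAR_NULL_LIMIT
    return {
        "access": "write" if fault["is_write"] else "read",
        "effective_address": ea,
        "matches_fault_address": ea == fault["fault_addr"],
        "near_null": near_null,
        "page_aligned": fault["fault_addr"] % PAGE_SIZE == 0,
        "verdict": "likely exploitable" if fault["is_write"] and not near_null else "needs further analysis",
    }


if __name__ == "__main__":
    for key, value in triage(CRASH_DUMP).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

Running it on the advisory's dump reports a write to 0x01d33000, matching the `ds:0023:01d33000=??` annotation, on a page boundary and well above the near-NULL range. That combination is why the crash is worth treating as a memory-safety bug rather than a simple NULL dereference, and it is the check to repeat on any new crash from this reader before trusting an automated classification.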

POC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17274.poc.tar.gz