PDF-Pro multiple vulnerabilities

Several vulnerabilities in PDF-Pro can be exploited by malicious people to compromise a user’s system, according to Secunia.

1. The application loads libraries (e.g. dwmapi.dll) in an insecure manner, which can be exploited to load arbitrary libraries by tricking a user into e.g. opening a PDF file located on a remote WebDAV or SMB share.

2. A boundary error in the bundled PDF Reader ActiveX control (ePapyrusReader.ocx) when handling arguments passed to the “open()” method can be exploited to cause a stack-based buffer overflow.

3. Two boundary errors in ePapyrusReader.ocx when handling arguments passed to the “open_stream()” method can be exploited to cause heap-based buffer overflows.

4. A use-after-free error in ePapyrusReader.ocx when handling arguments passed to the “open_stream()” method can be exploited to dereference already freed memory.

5. A use-after-free error in ePapyrusReader.ocx when encountering corrupted arrays in a dictionary can be exploited to dereference already freed memory via a specially crafted PDF file.

6. The unsafe “RemoveFile()” method provided by ePapyrusReader.ocx allows deleting arbitrary files on a user’s system.

7. The unsafe “DownloadFTP()” method in combination with the “SetFTPInfo()” method provided by ePapyrusReader.ocx allows downloading arbitrary files to a user’s system.

8. The unsafe “UploadFTP” method in combination with the “SetFTPInfo()” method provided by ePapyrusReader.ocx allows retrieving arbitrary files from a user’s system.

The vulnerabilities are confirmed in version 4.0.1.758 bundling ePapyrusReader.ocx version 1.6.2.1874. Other versions may also be affected.

Solution: Set the kill-bit for the affected ActiveX control and do not open untrusted PDF files.