CVE-2012-4914
published 2013-01-26

CVE-2012-4914: Stack-based buffer overflow in the reader in CoolPDF 3.0.2.256 allows remote attackers to execute arbitrary code via a PDF document with a crafted stream.

Priority: P2 63
Severity: critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 28.39% (97.9th percentile)

Affected

1 range

Vendor    Product    Version range    Fixed in
coolpdf   coolpdf

Detection & IOCs (extracted from sources)

Indicators:
  address  0x00539fa4  (return address in coolpdf.exe used by the Metasploit module; see notes below)
  bytes    \xFF\xD8\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65\x00\x64\x80\x00\x00  (leading bytes of the crafted JPEG stream)
  • The vulnerability is triggered by a malformed PDF containing a specially crafted image stream (JPEG). Detect by inspecting PDF files for malformed or oversized image stream objects that trigger a stack buffer overflow in CoolPDF's reader component.
  • The crafted JPEG stream within the malicious PDF begins with the magic bytes FF D8 FF EE followed by a crafted Adobe header. Scan PDF image stream objects for this byte pattern combined with anomalous stream lengths.
  • The Metasploit exploit uses a pivot/return address of 0x00539fa4 (PPR gadget) from coolpdf.exe. A crash or EIP control at this address in coolpdf.exe is a strong indicator of exploitation.
  • The exploit uses a payload buffer offset of 433 bytes before the return address overwrite. Stack-based overflow detection rules should flag stack smashing in coolpdf.exe at this offset.
  • The Metasploit module targets Windows XP SP3 and Windows 7 SP1 with CoolPDF 3.0.2.256. Presence of coolpdf.exe version 3.0.2.256 on a host combined with PDF file open events should be flagged for review.
  • The Metasploit module's hardcoded return address (0x00539fa4) is specific to coolpdf.exe version 3.0.2.256 and will not work against other versions or builds, limiting the reliability of RET-address-based detection to this exact version.
  • The exploit payload space is limited to 2000 bytes with NOPs disabled, which constrains the shellcode that can be delivered and may affect detection rules based on NOP sled patterns (none will be present).
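The second detection note above pairs the FF D8 FF EE prefix with anomalous stream lengths, and that pairing matters: FF D8 is the JPEG start-of-image marker and FF EE is the standard APP14 "Adobe" segment, so the prefix on its own matches every Adobe-encoded JPEG and is not an indicator by itself. The scanner below, added here as an example and not taken from the page's sources or from the Metasploit module, walks the stream objects of a raw PDF body, marks those that start with the Adobe JPEG prefix, and only reports a stream as suspicious when the prefix coincides with an anomaly (declared /Length disagreeing with the actual data, an oversized stream, a DCTDecode stream without a SOI marker, or a malformed APP14 segment). The minimal PDF bodies, the 2 MB size threshold and the sample streams are constructed for the example; the parser is a heuristic over the raw bytes and does not handle object streams or cross-reference streams.

```python
import re

# Constructed from the page's IOC: SOI (FF D8) followed by the APP14 "Adobe" marker (FF EE).
ADOBE_APP14_PREFIX = b"\xFF\xD8\xFF\xEE"

# One stream object: a dictionary (one level of nesting allowed), then its data.
STREAM_RE = re.compile(
    rb"<<(?P<dict>(?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(?P<data>.*?)\r?\nendstream",
    re.DOTALL,
)
# Direct /Length values only; an indirect reference such as "/Length 12 0 R" is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)\b")


def inspect_stream(dictionary: bytes, data: bytes, max_len: int) -> dict:
    """Return a finding for one stream object; an empty 'reasons' list means no anomaly."""
    reasons = []
    length_m = LENGTH_RE.search(dictionary)
    declared = int(length_m.group(1)) if length_m else None
    if declared is not None and declared != len(data):
        reasons.append(f"/Length {declared} does not match actual {len(data)} bytes")
    if len(data) > max_len:
        reasons.append(f"stream exceeds {max_len} bytes")
    if b"/DCTDecode" in dictionary and not data.startswith(b"\xFF\xD8"):
        reasons.append("DCTDecode stream does not start with JPEG SOI marker")
    adobe = data.startswith(ADOBE_APP14_PREFIX)
    if adobe:
        # A well-formed APP14 segment is 14 bytes long and carries the ASCII tag "Adobe".
        seg_len = int.from_bytes(data[4:6], "big")
        if seg_len != 14 or data[6:11] != b"Adobe":
            reasons.append("APP14 segment length or tag malformed")
    return {"adobe_jpeg": adobe, "declared_length": declared,
            "actual_length": len(data), "reasons": reasons}


def scan_pdf(pdf: bytes, max_len: int = 2_000_000) -> list:
    """Report every Adobe-marked JPEG stream and every anomalous stream in a raw PDF body.

    'suspicious' is set only when the Adobe prefix and at least one anomaly coincide,
    which is the combination the detection note asks for.
    """
    findings = []
    for index, m in enumerate(STREAM_RE.finditer(pdf)):
        finding = inspect_stream(m.group("dict"), m.group("data"), max_len)
        finding["index"] = index
        finding["suspicious"] = finding["adobe_jpeg"] and bool(finding["reasons"])
        if finding["adobe_jpeg"] or finding["reasons"]:
            findings.append(finding)
    return findings


def build_pdf(image_stream: bytes, declared_length: int) -> bytes:
    """Constructed minimal PDF body with a single DCTDecode image stream (for the scanner only)."""
    return (
        b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image /Filter /DCTDecode"
        b" /Width 1 /Height 1 /Length " + str(declared_length).encode() + b" >>\nstream\n"
        + image_stream + b"\nendstream\nendobj\n%%EOF\n"
    )


# Constructed 20-byte stream: SOI, a correct 14-byte APP14 "Adobe" segment, EOI.
WELL_FORMED_JPEG = ADOBE_APP14_PREFIX + b"\x00\x0EAdobe\x00\x64\x80\x00\x00\x00" + b"\xFF\xD9"
BENIGN_PDF = build_pdf(WELL_FORMED_JPEG, len(WELL_FORMED_JPEG))
# Constructed anomaly: the Adobe prefix, a declared length of 20, but 611 bytes of data.
CRAFTED_PDF = build_pdf(ADOBE_APP14_PREFIX + b"\x00\x0EAdobe" + b"A" * 600, 20)
# Constructed anomaly without the Adobe prefix: DCTDecode filter but no JPEG SOI marker.
NOT_JPEG_PDF = build_pdf(b"notjpeg", 7)

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("crafted", CRAFTED_PDF), ("notjpeg", NOT_JPEG_PDF)):
        for f in scan_pdf(pdf):
            print(label, "suspicious" if f["suspicious"] else "note", f["reasons"])
```

Run it to see the three cases side by side: the benign Adobe JPEG is listed but not flagged, the length-mismatched Adobe stream is flagged as suspicious, and the non-JPEG DCTDecode stream surfaces as an anomaly note without the Adobe prefix.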