CVE-2012-4914
Published 2013-01-26
Priority: P263 · Severity: critical · Score: 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 28.39% (97.9th percentile)
Stack-based buffer overflow in the reader in CoolPDF 3.0.2.256 allows remote attackers to execute arbitrary code via a PDF document with a crafted stream.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coolpdf | coolpdf | — | — |
Detection & IOCs (extracted from sources)
bytes: \xFF\xD8\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65\x00\x64\x80\x00\x00
- The vulnerability is triggered by a malformed PDF containing a specially crafted image stream (JPEG). Detect by inspecting PDF files for malformed/oversized image stream objects that trigger a stack buffer overflow in CoolPDF's reader component.
- The crafted JPEG stream within the malicious PDF begins with the magic bytes FF D8 FF EE followed by a crafted Adobe header. Scan PDF image stream objects for this specific byte pattern combined with anomalous stream lengths.
- The Metasploit exploit uses a pivot/return address of 0x00539fa4 (PPR gadget) from coolpdf.exe. A crash or EIP control at this address in coolpdf.exe is a strong indicator of exploitation.
- The exploit uses a payload buffer offset of 433 bytes before the return address overwrite. Stack-based overflow detection rules should flag stack smashing in coolpdf.exe at this offset.
- The Metasploit module targets Windows XP SP3 and Windows 7 SP1 with CoolPDF 3.0.2.256. Presence of coolpdf.exe version 3.0.2.256 on a host combined with PDF file open events should be flagged for review.
- Caveat: the Metasploit module's hardcoded return address (0x00539fa4) is specific to coolpdf.exe version 3.0.2.256 and will not work against other versions or builds, limiting the reliability of RET-address-based detection to this exact version.
- Caveat: the exploit payload space is limited to 2000 bytes with NOPs disabled, which constrains the shellcode that can be delivered and may affect detection rules based on NOP sled patterns (none will be present).
No detection rules found.
Exploit-DB: Cool PDF Image Stream - Remote Buffer Overflow (Metasploit) (exploitdb, 2013-03-22)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

# The original listing lost the text between "Metasploit3" and the module
# name to HTML tag stripping; the standard module header is restored here.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cool PDF Image Stream Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Cool PDF Reader prior to version
        3.0.2.256. The vulnerability is triggered when opening a malformed PDF file that
        contains a specially crafted image stream. This module has been tested successfully
        on Cool PDF 3.0.2.256 over Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Francis Provencher', # Vulnerability discovery
Exploit-DB: Cool PDF Reader 3.0.2.256 - Buffer Overflow (exploitdb, 2013-02-07, CVSS 9.3)
---
# Exploit Title: Cool PDF Reader 3.0.2.256 buffer overflow
# Vulnerability Disclosed to US-CERT by Chris Gabriel: 11-20-2012
# Emailed vendor: 12-4-2012
# Francis Provencher discovered vulnerability and reported to Secunia: 12-19-2012
# Vulnerability Discovery: Francis Provencher (Protek Research Lab's) @ProtekResearch
# Vulnerability Discovery: Chris Gabriel
# Exploit Author: Chris Gabriel
# Vendor Homepage: http://www.pdf2exe.com/reader.html
# Version: CoolPDF 3.0.2.256
# Tested on: Windows XP SP3
# CVE: CVE-2012-4914
# Reference: http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=70&Itemid=70
# Reference: http://secunia.com/advisories/51602
PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/m
Metasploit: Cool PDF Image Stream Buffer Overflow
This module exploits a stack buffer overflow in Cool PDF Reader prior to version 3.0.2.256. The vulnerability is triggered when opening a malformed PDF file that contains a specially crafted image stream. This module has been tested successfully on Cool PDF 3.0.2.256 over Windows XP SP3 and Windows 7 SP1.
No writeups or analysis indexed.