CVE-2013-10057
Published 2025-08-01
Priority P3 52 · high · 7.5 · CVSS 4.0
AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.12% (62.2th percentile)
A stack-based buffer overflow vulnerability exists in the Synactis PDF In-The-Box ActiveX control (PDF_IN_1.ocx), specifically in the ConnectToSynactis method. When a long string is passed to this method (the string is intended to populate the lpCmdLine argument of a WinExec call), a strcpy operation overwrites a saved TRegistry class pointer on the stack. This allows remote attackers to execute arbitrary code in the context of the user by enticing them to visit a malicious webpage that instantiates the vulnerable ActiveX control. The vulnerability was discovered via its use in third-party software such as Logic Print 2013.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synactis | pdf_in-the-box | — | — |
Detection & IOCs
- Monitor for instantiation of the Synactis PDF In-The-Box ActiveX control (PDF_IN_1.ocx) from browser processes, particularly when the ConnectToSynactis method is invoked with an unusually long string argument.
- Detect WinExec calls spawning a browser process from within PDF_IN_1.ocx context; the exploit causes an additional browser window to pop up as a side effect of the WinExec call used internally by the control.
- Alert on strcpy-based stack corruption patterns in ActiveX controls loaded by Internet Explorer, specifically overwriting a saved TRegistry class pointer on the stack, a distinctive artifact of this exploit's memory corruption primitive.
- Scope detection to Internet Explorer as the default browser; the exploit requires IE as the default browser to function correctly via the WinExec lpCmdLine path.
- The exploit is delivered via a malicious webpage that instantiates the ActiveX control; exploitation requires the victim to browse to an attacker-controlled page using Internet Explorer as the default browser.
- The vulnerability also affects third-party software bundling the component (e.g., Logic Print 2013), meaning PDF_IN_1.ocx may be registered on systems that do not have Synactis software installed directly.
No detection rules found.
No writeups or analysis indexed.
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb
- https://www.exploit-db.com/exploits/25835
- https://www.fortiguard.com/encyclopedia/ips/35840/synactis-pdf-in-the-box-connecttosynactic-buffer-overflow
- https://www.synactis.com/pdf-in-the-box.htm
- https://www.vulncheck.com/advisories/synactis-pdf-in-the-box-connectosynactic-stack-based-buffer-overflow