cbcvebase.
CVE-2018-7264
published 2018-02-28

CVE-2018-7264: The Pictview image processing library embedded in the ActivePDF toolkit through 2018.1.0.18321 is prone to multiple out of bounds write and sign errors…

PriorityP268critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
12.99%
95.8th percentile
The Pictview image processing library embedded in the ActivePDF toolkit through 2018.1.0.18321 is prone to multiple out of bounds write and sign errors, allowing a remote attacker to execute arbitrary code on vulnerable applications using the ActivePDF Toolkit to process untrusted images.

Affected

1 ranges
VendorProductVersion rangeFixed in
activepdfactivepdf_toolkit< 8.1.0.190238.1.0.19023

Detection & IOCsextracted from sources · hover to see the quote

bytes
header = pack("IIIIIII", 0x59A66A95, 0x100, 1, 8, 0, 2, 1)
bytes
header = "\x00\x01\x00"
  • Exploit targets the Pictview image processing library embedded in ActivePDF Toolkit; monitor for processing of untrusted .iff, .ras, and .bpx/.tga image files through ActivePDF Toolkit versions through 2018.1.0.18321
  • Exploit PoC crafts malicious IFF, Sun Raster (.ras), and Truevision Targa (.bpx) image files with oversized or sign-manipulated fields to trigger out-of-bounds write; detect anomalous image files with magic bytes 0x59A66A95 (Sun Raster) submitted to ActivePDF processing endpoints
  • Successful exploitation results in EIP control with value 0x41414141 (AAAA); monitor for crashes or access violations in ActivePDF Toolkit processes with EIP=41414141
  • Affected file types include Zoner Draw images (.zmf, .zbr) and Truevision Targa images (.bpx); flag submission of these file types to ActivePDF Toolkit for inspection
  • Affected file types include Truevision Targa images (.bpx); flag submission of these file types to ActivePDF Toolkit for inspection
  • ·This fix also addresses the related ZDI-16-354 vulnerability, as both shared the same Pictview library component

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.