Synactis PDF In-The-Box ActiveX Control Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Synactis PDF In-The-Box ActiveX control, specifically in the PDF_IN_1.ocx file. The issue arises in the ConnectToSynactis method, where a long string can be passed to the ldCmdLine argument, intended for a WinExec call. This creates a strcpy operation that overwrites a saved pointer to a TRegistry class on the stack, allowing remote attackers to execute arbitrary code in the context of the user. The vulnerability can be exploited by tricking the user into visiting a malicious webpage that loads the vulnerable ActiveX control. This issue was discovered through its exploitation in third-party software, such as Logic Print 2013.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system, with the executed code running in the context of the user.

Reproduction

To reproduce this vulnerability, a webpage must be created that includes the Synactis PDF In-The-Box ActiveX control. This can be done by embedding an OBJECT element with the appropriate class ID for the ActiveX control. The ConnectToSynactis method can then be called with a crafted payload that includes a long string, overwriting the stack and leading to arbitrary code execution. This exploitation can be automated using a Metasploit module that handles the payload delivery and exploitation process.