PDF Explorer Structured Exception Handler Overflow Vulnerability Allowing Local Code Execution
Vulnerability
A buffer overflow vulnerability has been identified in PDF Explorer version 1.5.66.2, in its handling of structured exception handler (SEH) records. The vulnerability allows local attackers to execute arbitrary code by overwriting an SEH record with crafted data. Exploitation involves creating a payload that combines the buffer overflow, a next-SEH (nSEH) short jump, and return-oriented programming (ROP) gadget chains. The payload is executed when the 'Custom fields settings' dialog processes the malicious input in the 'Label' field.
Impact
Exploitation of this vulnerability leads to arbitrary code execution with the privileges of the user running PDF Explorer.
Reproduction
To reproduce this vulnerability, first create a payload that exploits the SEH overflow by overwriting the SEH record with a ROP gadget chain that executes code, such as launching the calculator application. This can be done using a Python script that generates the payload and saves it to a text file. After creating the payload, open PDF Explorer and navigate to 'Database' > 'Custom fields settings'. Paste the payload into the 'Label' field. Once the malicious input is processed, the crafted payload executes, in this case by opening the calculator.
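The advisory does not state which exploit mitigations the affected binary was built with, and that is the first thing a defender wants to know about an SEH overwrite: SafeSEH (32-bit images with a populated Load Config directory), the NO_SEH flag, DEP/NX and ASLR all change how much this class of bug is worth to an attacker. The script below is an added example, not code from this page or from the PDF Explorer project. It parses a PE image's optional header with only the standard library and reports the DllCharacteristics mitigation bits plus whether a Load Config directory is present, which 32-bit SafeSEH requires. The header-only sample images it builds are constructed for the demonstration and are not real executables; the `report()` helper and the `seh_overwrite_concern` heuristic are the example's own, not anything the advisory defines.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",  # 64-bit ASLR
    0x0040: "DYNAMIC_BASE",     # image may be relocated (ASLR)
    0x0100: "NX_COMPAT",        # DEP / NX
    0x0400: "NO_SEH",           # image declares that it uses no SEH handlers
    0x4000: "GUARD_CF",         # Control Flow Guard
}
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
LOAD_CONFIG_DIR_INDEX = 10      # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report the mitigations the image opts into."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        bits, count_off, dir_off = 32, 92, 96    # PE32 optional header layout
    elif magic == PE32PLUS_MAGIC:
        bits, count_off, dir_off = 64, 108, 112  # PE32+ optional header layout
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics
    n_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
    load_config_present = False
    if n_dirs > LOAD_CONFIG_DIR_INDEX:
        rva, size = struct.unpack_from("<II", data, opt + dir_off + 8 * LOAD_CONFIG_DIR_INDEX)
        load_config_present = rva != 0 and size != 0
    flags = {name: bool(dll_chars & bit) for bit, name in DLL_CHARACTERISTICS.items()}
    # Heuristic (this example's own): a 32-bit image that neither declares NO_SEH nor
    # carries a Load Config directory cannot have SafeSEH, so an overwritten SEH
    # record is not filtered by the image itself (SEHOP, an OS policy, is not visible here).
    concern = bits == 32 and not flags["NO_SEH"] and not load_config_present
    return {
        "bits": bits,
        "flags": flags,
        "load_config_present": load_config_present,
        "seh_overwrite_concern": concern,
    }


def build_sample_image(magic: int, dll_chars: int, load_config_rva: int = 0) -> bytes:
    """Construct a minimal, header-only image for offline testing (not a real executable)."""
    if magic == PE32_MAGIC:
        fixed, count_off, dir_off, machine = 96, 92, 96, 0x014C      # i386
    else:
        fixed, count_off, dir_off, machine = 112, 108, 112, 0x8664   # x64
    opt = bytearray(fixed + 16 * 8)              # fixed part + 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, count_off, 16)   # NumberOfRvaAndSizes
    if load_config_rva:
        struct.pack_into("<II", opt, dir_off + 8 * LOAD_CONFIG_DIR_INDEX, load_config_rva, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + bytes(opt)


def report(path: str) -> dict:
    """Read a PE file from disk and return its mitigation summary."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


if __name__ == "__main__":
    samples = {
        "x86, no mitigations": build_sample_image(PE32_MAGIC, 0x0000),
        "x86, NX+ASLR+LoadConfig": build_sample_image(PE32_MAGIC, 0x0140, load_config_rva=0x3000),
        "x64, NX+ASLR+HighEntropy": build_sample_image(PE32PLUS_MAGIC, 0x0160),
    }
    for label, image in samples.items():
        print(label, pe_mitigations(image))
```

Run `report()` over every module the application loads, not only the main executable: a single 32-bit DLL without SafeSEH or ASLR is what makes an SEH overwrite and a ROP chain practical. A present Load Config directory is necessary but not sufficient for SafeSEH (its SEHandlerTable may still be empty), and 64-bit images use table-based unwinding, so the classic SEH record overwrite does not apply to them.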
