Unidocs ezPDF DRM Reader and ezPDF Reader Uncontrolled Search Path Vulnerability

Vulnerability

A vulnerability exists in Unidocs ezPDF DRM Reader and ezPDF Reader versions 2.0 and 3.0.0.4 on 32-bit systems. The issue arises from an uncontrolled search path used when loading the SHFOLDER.dll library, which allows local attackers to manipulate DLL loading. Exploitation is complex, but a proof-of-concept exploit is publicly available.

Impact

Exploitation of this vulnerability allows local privilege escalation by hijacking the DLL search order. Malicious code can then run with administrative rights, potentially leading to arbitrary code execution in a high-integrity process.

Reproduction

To reproduce this vulnerability, create a malicious DLL named SHFOLDER.dll and place it in the same directory as the ezPDF DRM Reader or ezPDF Reader installer. When the installer is executed with administrative privileges, the malicious DLL is loaded, and the embedded code is executed with high integrity. This process can be verified using tools like Process Monitor.
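The Process Monitor check mentioned above can be turned into a repeatable detection. The following is an added example, not code from the advisory or from Unidocs: it scans a Process Monitor CSV export for successful Load Image events where SHFOLDER.dll came from outside the Windows system directories. It assumes Process Monitor's default export columns and a default C:\Windows install root; the sample rows and the name setup.exe are constructed.

```python
import csv
import io
from pathlib import PureWindowsPath

# DLL names to watch, lower-case. The advisory names only SHFOLDER.dll.
WATCHED_DLLS = {"shfolder.dll"}
# Assumption: default %SystemRoot%. PureWindowsPath compares case-insensitively.
TRUSTED_DIRS = {
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
}

# Constructed sample rows (not real captures); setup.exe is a hypothetical name.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:22:01.1 PM","setup.exe","4120","CreateFile","C:\Users\alice\Downloads\SHFOLDER.dll","SUCCESS",""
"1:22:01.2 PM","setup.exe","4120","Load Image","C:\Users\alice\Downloads\SHFOLDER.dll","SUCCESS",""
"1:22:01.3 PM","setup.exe","4120","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
"1:22:05.0 PM","other.exe","5008","Load Image","C:\WINDOWS\system32\shfolder.dll","SUCCESS",""
'''


def find_untrusted_loads(csv_text, watched=WATCHED_DLLS, trusted=TRUSTED_DIRS):
    """Return (process, pid, dll_path) for each successful Load Image event
    that mapped a watched DLL from a directory outside the trusted set."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only actual image loads count; file probes (CreateFile) are skipped.
        if row.get("Operation") != "Load Image" or row.get("Result") != "SUCCESS":
            continue
        dll = PureWindowsPath(row["Path"])
        if dll.name.lower() not in watched:
            continue
        if dll.parent not in trusted:
            findings.append((row["Process Name"], int(row["PID"]), str(dll)))
    return findings


if __name__ == "__main__":
    for proc, pid, path in find_untrusted_loads(SAMPLE):
        print(f"ALERT {proc} (PID {pid}) loaded {path}")
```
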

Remediation

Contact Unidocs for a patch. In the meantime, advise users to avoid the affected versions of the software.

Added: Feb 15, 2026, 1:22 PM
Updated: Feb 15, 2026, 1:22 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 10.0
exploitability: 3.8
remediation: 0.0
relevance: 3.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.