Nitro Pro 8 - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)

SEC Consult Vulnerability Lab Security Advisory < 20130408-0 >
=======================================================================
title: Nitro Pro 8 - Insecure Library Loading Allows Remote Code
       Execution (DLL Hijacking)
product: Nitro Pro
vulnerable version: 8.5.0.26; older versions may also be affected
fixed version: 8.5.2.10
CVE number: CVE-2013-2773
impact: high
homepage: www.nitropdf.com
found: 2013-03-01
by: M. Heinzl
    SEC Consult Vulnerability Lab
    www.sec-consult.com
=======================================================================

Vendor description:
-------------------
From companies like Boeing® and IBM® to small home businesses with just a few
staff, millions of people worldwide use Nitro Products — like Nitro Pro and
Nitro Reader — to make PDF easy.
Australian-founded in 2005, we're headquartered in downtown San Francisco with
offices in Melbourne, Australia and Nitra, Slovakia.

Source: www.nitropdf.com/about

Vulnerability overview/description:
-----------------------------------
Nitro Pro is prone to a vulnerability that lets attackers execute arbitrary
code. An attacker can exploit this issue by enticing a legitimate user to open,
with the vulnerable application, a file from a remote WebDAV or SMB share that
also contains a specially crafted DLL; the application loads the DLL from the
document's folder instead of from its own installation directory.

Affected DLL: bcgcbproresen.dll (tested on Windows 8)

Proof of concept:
-----------------
Create a DLL with desired code, name it bcgcbproresen.dll and place it within
the same folder as a *.pdf or *.fdf file.

Vulnerable / tested versions:
-----------------------------
Nitro Pro 8.5.0.26; older versions may also be affected

Vendor contact timeline:
------------------------
2013-03-01: Contacting vendor through www.nitropdf.com/support/ticket
2013-03-01: Vendor replies
2013-03-01: Forwarded security advisory
2013-03-01: Vendor replies
2013-03-01: Provided contact details again
2013-03-08: Contacted vendor again to inquire about status
2013-03-13: Vendor replies that they are working on a hotfix
2013-03-14: Confirmed receipt of last email
2013-03-27: Contacted vendor again to inquire about status
2013-04-02: Vendor replied that a patch was released on 2013-03-28 which fixes
            the vulnerability (version 8.5.2.10)
2013-04-02: Confirmed receipt of last email and coordinated public disclosure
            of advisory for 2013-04-08
2013-04-08: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to version 8.5.2.10.
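As an added, defender-side example (not part of the SEC Consult advisory and not Nitro code), the script below implements the two checks a practitioner would want from the description and proof of concept above and from the fix: whether an installed Nitro Pro build is older than 8.5.2.10, and whether a document share or download folder holds a copy of bcgcbproresen.dll next to .pdf/.fdf files, which is the layout the advisory describes. The DLL name, document extensions and version number come from the advisory; the directory layout it scans is constructed in a temporary folder for the demonstration. The scan also reports copies of the DLL that are not beside a document, which goes slightly beyond the advisory's stated condition but is what an audit of a file share would want to see.

```python
"""
Defender-side checks for the Nitro Pro DLL-hijacking issue (CVE-2013-2773).

Added example, not part of the SEC Consult advisory. Assumptions:
  * the hijackable library name (bcgcbproresen.dll), the document types
    (.pdf/.fdf) and the fixed version (8.5.2.10) are as the advisory states;
  * the directory walked is a share or download folder from which users open
    PDF/FDF files, so a copy of that DLL there has no legitimate reason to exist.
"""
import os
import shutil
import tempfile
from typing import List, Tuple

HIJACKABLE_DLLS = {"bcgcbproresen.dll"}   # from the advisory; extend if other names are known
DOC_EXTENSIONS = {".pdf", ".fdf"}          # from the advisory
FIXED_VERSION = "8.5.2.10"                 # from the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.5.0.26' -> (8, 5, 0, 26); tuple comparison gives a numeric ordering."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed Nitro Pro build is older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def find_planted_dlls(root: str) -> List[Tuple[str, bool]]:
    """Walk a directory tree and report every copy of a hijackable DLL.

    Returns (path relative to root, colocated_with_document). A DLL that sits
    beside a .pdf/.fdf matches the advisory's exploitation condition exactly;
    a copy elsewhere on a document share is still worth a look.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        lowered = [name.lower() for name in filenames]
        has_doc = any(os.path.splitext(name)[1] in DOC_EXTENSIONS for name in lowered)
        for name in filenames:
            if name.lower() in HIJACKABLE_DLLS:   # case-insensitive, as Windows would match it
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), has_doc))
    return sorted(findings)


def build_sample_tree(base: str) -> None:
    """Constructed sample layout standing in for a share; file contents are dummy bytes."""
    layout = {
        "docs/report.pdf": b"%PDF-1.4 constructed sample",
        "docs/bcgcbproresen.dll": b"MZ constructed sample, not a real DLL",
        "clean/notes.fdf": b"%FDF-1.2 constructed sample",
        "stash/BCGCBPRORESEN.DLL": b"MZ constructed sample, not a real DLL",
    }
    for rel, data in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> List[Tuple[str, bool]]:
    """Build the constructed tree in a temp dir, scan it, and clean up."""
    base = tempfile.mkdtemp(prefix="nitro-scan-")
    try:
        build_sample_tree(base)
        return find_planted_dlls(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("8.5.0.26 older than fix:", is_vulnerable_version("8.5.0.26"))
    for path, beside_doc in demo():
        label = "EXPLOITABLE LAYOUT" if beside_doc else "suspicious copy"
        print(f"{label}: {path}")
```

Run it as a script to see the findings for the constructed tree; point find_planted_dlls at a mounted share to audit a real one. The version check only compares dotted version strings, so obtaining the installed version (for example from the Nitro Pro executable's file properties) is left to the caller.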

 

 

Workaround:
-----------
-

Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
blog.sec-consult.com

EOF M. Heinzl / @2013