Nitro Pro 8 - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)

SEC Consult Vulnerability Lab Security Advisory < 20130408-0 >


title: Nitro Pro 8 - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)

product: Nitro Pro

vulnerable version:; older versions may also be affected

fixed version:

CVE number: CVE-2013-2773

impact: high


found: 2013-03-01

by: M. Heinzl

SEC Consult Vulnerability Lab



Vendor description:


From companies like Boeing® and IBM® to small home businesses with just a few staff, millions of people worldwide use Nitro Products — like Nitro Pro and Nitro Reader — to make PDF easy.

Australian-founded in 2005, we're headquartered in downtown San Francisco with offices in Melbourne, Australia and Nitra, Slovakia.





Vulnerability overview/description:


Nitro Pro is prone to a vulnerability that lets attackers execute arbitrary code: the application loads a library by name from the directory of the document being opened instead of from a trusted location. An attacker can exploit this issue by enticing a legitimate user to open, with the vulnerable application, a file from a remote WebDAV or SMB share that also contains a specially crafted DLL of that name.


Affected DLL: bcgcbproresen.dll (tested on Windows 8)



Proof of concept:


Create a DLL with desired code, name it bcgcbproresen.dll and place it within the same folder as a *.pdf or *.fdf file.
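The layout described in the overview and the proof of concept (a DLL sitting next to PDF/FDF documents on a share or in a download folder) is easy to look for from the defender's side. The following PowerShell function is an added example for this advisory, not SEC Consult's or Nitro's code; it walks a directory tree, reports every DLL that shares a folder with a PDF or FDF file, and attaches the hash and Authenticode status for triage. The share path in the usage line is a hypothetical placeholder.

```powershell
# Added example (not part of the advisory): find DLLs planted beside
# PDF/FDF documents under $Root and return them as objects for triage.
function Find-PlantedDll {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root,
        # DLL name taken from the advisory; any other DLL next to a
        # document is still reported, with KnownName = $false.
        [string[]]$KnownHijackNames = @('bcgcbproresen.dll')
    )

    $docExtensions = @('.pdf', '.fdf')

    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.dll' } |
        ForEach-Object {
            $dll = $_
            # Only folders that also hold a document Nitro would open matter
            $docs = @(Get-ChildItem -Path $dll.DirectoryName -File -ErrorAction SilentlyContinue |
                Where-Object { $docExtensions -contains $_.Extension.ToLower() })
            if ($docs.Count -eq 0) { return }

            # Unsigned or untrusted signature on a DLL next to user documents
            # is the interesting case; a vendor-signed copy is less likely planted
            $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
            [pscustomobject]@{
                Path      = $dll.FullName
                KnownName = ($KnownHijackNames -contains $dll.Name.ToLower())
                Documents = ($docs.Name -join ', ')
                SHA256    = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Modified  = $dll.LastWriteTimeUtc
            }
        }
}

# Usage (hypothetical share path); hits on the advisory's DLL name sort first.
# Find-PlantedDll -Root '\\fileserver\public' | Sort-Object KnownName -Descending | Format-Table -AutoSize
```

Pipe the output to Export-Csv to keep a record of what was found; only the hits on the advisory's DLL name are evidence of this particular issue, the rest is material for manual review.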



Vulnerable / tested versions:


Nitro Pro; older versions may also be affected



Vendor contact timeline:


2013-03-01: Contacting vendor through

2013-03-01: Vendor replies

2013-03-01: Forwarded security advisory

2013-03-01: Vendor replies

2013-03-01: Provided contact details again

2013-03-08: Contacted vendor again to inquire about status

2013-03-13: Vendor replies that they are working on a hotfix

2013-03-14: Confirmed receipt of last email

2013-03-27: Contacted vendor again to inquire about status

2013-04-02: Vendor replied that a patch was released on 2013-03-28 which fixes the vulnerability (version

2013-04-02: Confirmed receipt of last email and coordinated public disclosure of advisory for 2013-04-08

2013-04-08: SEC Consult releases coordinated security advisory.





Update to version








Advisory URL:





SEC Consult Unternehmensberatung GmbH


Office Vienna

Mooslackengasse 17

A-1190 Vienna



Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com


EOF M. Heinzl / @2013