SEC Consult Vulnerability Lab Security Advisory < 20130408-0 > ======================================================================= title: Nitro Pro 8 - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking) product: Nitro Pro vulnerable version: 8.5.0.26; older versions may also be affected fixed version: 8.5.2.10 CVE number: CVE-2013-2773 impact: high homepage: http://www.nitropdf.com/ found: 2013-03-01 by: M. Heinzl SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- >From companies like Boeing® and IBM® to small home businesses with just a few staff, millions of people worldwide use Nitro Products — like Nitro Pro and Nitro Reader — to make PDF easy. Australian-founded in 2005, we're headquartered in downtown San Francisco with offices in Melbourne, Australia and Nitra Slovakia. Source: http://www.nitropdf.com/about Vulnerability overview/description: ----------------------------------- Nitro Pro is prone to a vulnerability that lets attackers execute arbitrary code. An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a remote WebDAV or SMB share which contains a specially crafted DLL. Affected DLL: bcgcbproresen.dll (tested on Windows 8) Proof of concept: ----------------- Create a DLL with desired code, name it bcgcbproresen.dll and place it within the same folder as a *.pdf or *.fdf file. Vulnerable / tested versions: ----------------------------- Nitro Pro 8.5.0.26; older versions may also be affected Vendor contact timeline: ------------------------ 2013-03-01: Contacting vendor through http://www.nitropdf.com/support/ticket 2013-03-01: Vendor replies 2013-03-01: Forwarded security advisory 2013-03-01: vendor replies 2013-03-01: Provided again contact details 2013-03-08: Contaced vendor again to inquire status 2013-03-13: Vendor replies that they are working on a hotfix 2013-03-14: Confirmed receipt of last email 2013-03-27: Contaced vendor again to inquire status 2013-04-02: Vendor replied that a patch was released on 2013-03-28 which fixes the vulnerability (version 8.5.2.10) 2013-04-02: Confirmed receipt of last email and coordinated public disclosure of advisory for 2013-04-08 2013-04-08: SEC Consult releases coordinated security advisory. Solution: --------- Update to version 8.5.2.10. Workaround: ----------- - Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com http://blog.sec-consult.com EOF M. Heinzl / @2013