Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Nitro Pro 8 Insecure Library Loading

Related Vulnerabilities: CVE-2013-2773  
Publish Date: 09 Apr 2013
Author: M. Heinzl, sec-consult.com
Source 
                							

                SEC Consult Vulnerability Lab Security Advisory < 20130408-0 >
=======================================================================
              title: Nitro Pro 8 - Insecure Library Loading Allows Remote Code
                     Execution (DLL Hijacking)
            product: Nitro Pro
 vulnerable version: 8.5.0.26; older versions may also be affected
      fixed version: 8.5.2.10
         CVE number: CVE-2013-2773
             impact: high
           homepage: http://www.nitropdf.com/
              found: 2013-03-01
                 by: M. Heinzl
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
>From companies like Boeing® and IBM® to small home businesses with just a few
staff, millions of people worldwide use Nitro Products — like Nitro Pro and
Nitro Reader — to make PDF easy.
Australian-founded in 2005, we're headquartered in downtown San Francisco with
offices in Melbourne, Australia and Nitra Slovakia.

Source: http://www.nitropdf.com/about


Vulnerability overview/description:
-----------------------------------
Nitro Pro is prone to a vulnerability that lets attackers execute arbitrary
code. An attacker can exploit this issue by enticing a legitimate user to use
the vulnerable application to open a file from a remote WebDAV or SMB share
which contains a specially crafted DLL.

Affected DLL: bcgcbproresen.dll (tested on Windows 8)


Proof of concept:
-----------------
Create a DLL with desired code, name it bcgcbproresen.dll and place it within
the same folder as a *.pdf or *.fdf file.


Vulnerable / tested versions:
-----------------------------
Nitro Pro 8.5.0.26; older versions may also be affected


Vendor contact timeline:
------------------------
2013-03-01: Contacting vendor through http://www.nitropdf.com/support/ticket
2013-03-01: Vendor replies
2013-03-01: Forwarded security advisory
2013-03-01: vendor replies
2013-03-01: Provided again contact details
2013-03-08: Contaced vendor again to inquire status
2013-03-13: Vendor replies that they are working on a hotfix
2013-03-14: Confirmed receipt of last email
2013-03-27: Contaced vendor again to inquire status
2013-04-02: Vendor replied that a patch was released on 2013-03-28 which fixes
            the vulnerability (version 8.5.2.10)
2013-04-02: Confirmed receipt of last email and coordinated public disclosure
            of advisory for 2013-04-08
2013-04-08: SEC Consult releases coordinated security advisory.


Solution:
---------
Update to version 8.5.2.10.


Workaround:
-----------
-


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
http://blog.sec-consult.com

EOF M. Heinzl / @2013


<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started