SRC-2017-0005 : Nitro PDF Pro Doc.saveAs and App.launchURL Remote Code Execution Vulnerabilities

CVE ID:

CVE-2017-7442

CVSS Score:

6.8 (CVSSv2 vector AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Vendors:

Nitro

Affected Products:

Nitro PDF Reader & Nitro Reader Pro

Vulnerability Details:

These vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of Nitro PDF Reader and Nitro Reader Pro. User interaction is required: the target must visit a malicious page or open a malicious file.

The Doc.saveAs JavaScript API can be used to write arbitrary files to the targeted system. Additionally, the security dialog that normally guards App.launchURL can be bypassed by injecting a '$' character into the URI path. An attacker could chain the two (drop a file with Doc.saveAs, then launch it without a prompt through App.launchURL) to execute arbitrary code in the context of the current process.
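For triage of suspect documents, the indicators above (a saveAs call plus a launchURL call whose URI literal contains '$') are easy to hunt for in the JavaScript embedded in a PDF. The scanner below is an added example written for this page; it is not code from the advisory, from Nitro, or from the Metasploit module. It pulls JavaScript out of /JS literal strings and out of plain or FlateDecode streams with regular expressions (a heuristic, not a PDF parser), then flags the two indicators. The sample PDF, the paths in SAMPLE_JS and the exact URI form are constructed placeholders for the test; the page does not show what the real payload looks like.

```python
"""Triage scanner for the Doc.saveAs / App.launchURL('$') pattern in PDF JavaScript.

Added example, not code from the advisory or the Metasploit module. Heuristic:
JavaScript built at runtime (string concatenation, eval) is not resolved, so a
miss is not a clean bill of health and a hit is a reason to detonate in a sandbox.
"""
import re
import zlib

# Constructed sample payload: placeholder paths and URI, not the real exploit chain.
SAMPLE_JS = (
    'this.saveAs("/C/Users/Public/dropped.txt");\n'
    'app.launchURL("file:///C/Users/Public/$dropped.txt");'
)

# <<dict>> stream ... endstream  (dict without nested <<>>; good enough for triage)
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
SAVEAS_RE = re.compile(rb"\bsaveAs\s*\(", re.I)
# launchURL("...$...") or launchURL('...$...'): a '$' inside the URI literal
LAUNCH_DOLLAR_RE = re.compile(rb"launchURL\s*\(\s*([\"'])([^\"']*\$[^\"']*)\1", re.I)


def build_pdf(js: str, encoding: str = "flate") -> bytes:
    """Build a minimal PDF (constructed test input) whose OpenAction runs `js`.

    encoding: "literal" puts the code in a /JS (...) string, "stream" in an
    uncompressed stream, "flate" in a FlateDecode stream. No xref is written;
    the scanner does not need one.
    """
    body = js.encode()
    catalog = b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>"
    pages = b"<< /Type /Pages /Kids [] /Count 0 >>"
    if encoding == "literal":
        esc = body.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        objs = [catalog, pages, b"<< /S /JavaScript /JS (" + esc + b") >>"]
    else:
        filt = b""
        if encoding == "flate":
            body = zlib.compress(body)
            filt = b"/Filter /FlateDecode "
        objs = [catalog, pages, b"<< /S /JavaScript /JS 4 0 R >>",
                b"<< /Length %d %s>>\nstream\n" % (len(body), filt) + body + b"\nendstream"]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def _literal_js(pdf: bytes):
    """Yield the contents of /JS (...) strings, honouring balanced parens and backslash escapes."""
    for m in re.finditer(rb"/JS\s*\(", pdf):
        i, depth = m.end(), 1
        while i < len(pdf) and depth:
            c = pdf[i:i + 1]
            if c == b"\\":          # skip the escaped character
                i += 2
                continue
            depth += (c == b"(") - (c == b")")
            i += 1
        # undo \( \) \\ escapes (octal and \n escapes are not handled here)
        yield re.sub(rb"\\(.)", rb"\1", pdf[m.end():i - 1], flags=re.S)


def _stream_js(pdf: bytes):
    """Yield every stream body, inflating FlateDecode ones.

    All streams are scanned rather than only those referenced from a /JS key,
    which is cheaper than resolving indirect references and catches more.
    """
    for dict_part, data in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_part:
            try:
                # decompressobj tolerates a truncated trailing checksum
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                continue
        yield data


def scan(pdf: bytes) -> dict:
    """Return the indicators seen; 'chain' is saveAs() together with launchURL('...$...')."""
    hits = {"blocks": 0, "saveAs": False, "launchURL_dollar": False, "uris": []}
    for js in list(_stream_js(pdf)) + list(_literal_js(pdf)):
        hits["blocks"] += 1
        if SAVEAS_RE.search(js):
            hits["saveAs"] = True
        for m in LAUNCH_DOLLAR_RE.finditer(js):
            hits["launchURL_dollar"] = True
            hits["uris"].append(m.group(2).decode("latin-1"))
    hits["chain"] = hits["saveAs"] and hits["launchURL_dollar"]
    return hits


if __name__ == "__main__":
    for enc in ("literal", "stream", "flate"):
        print(enc, scan(build_pdf(SAMPLE_JS, enc)))
    print("benign", scan(build_pdf('app.alert("hello");', "flate")))
```

Run it against a real file with `scan(open(path, "rb").read())`. Because the launchURL check requires a quoted literal, a sample that assembles the URI at runtime slips through; pairing the scanner with a sandbox that hooks saveAs and launchURL covers that gap.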

Vendor Response:

Nitro has issued an update to correct these vulnerabilities. More details can be found at:
https://www.gonitro.com/product/downloads#securityUpdates

Disclosure Timeline:

  • 2017-04-05 – Verified and acquired by Beyond Security
  • 2017-07-23 – Coordinated public release of advisory

Proof of Concept:

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/nitro_reader_jsapi.rb

Credit:

These vulnerabilities were discovered by Steven Seeley of Source Incite.

Acknowledgments:

Source Incite would like to acknowledge Beyond Security's SSD program for its help with coordinating the disclosure of these vulnerabilities. More details can be found on their blog at https://blogs.securiteam.com/index.php/archives/3251.