SRC-2017-0005 : Nitro PDF Pro Doc.saveAs and App.launchURL Remote Code Execution Vulnerabilities
Nitro PDF Reader & Nitro Reader Pro
These vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of Nitro PDF Reader and Nitro PDF Reader Pro. User interaction is required to exploit these vulnerabilities in that the target must visit a malicious page or open a malicious file.
The Doc.saveAs function can be used to write arbitrary files onto the targeted system. Additionally, the App.launchURL security dialog can be bypassed by injecting a '$' character into the URI path. An attacker could leverage these vulnerabilities to execute arbitrary code under the context of the current process.
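For triage of inbound PDFs, the following added example (not part of the original advisory or of Nitro's code) flags documents whose embedded scripts call saveAs or launchURL, and separately flags a launchURL string argument containing '$'. The function names, the simplified stream parsing and the sample document are assumptions made for illustration; the check is a heuristic that only sees plain or Flate-compressed script text.

```python
import re
import zlib

# Heuristics for the two JavaScript calls named in the advisory. Only literal
# string arguments to launchURL are inspected; obfuscated scripts are missed.
SAVEAS_RE = re.compile(rb"\bsaveAs\s*\(")
LAUNCH_RE = re.compile(rb"\blaunchURL\s*\(\s*([\"'])(.*?)\1", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def script_bodies(pdf: bytes):
    """Yield the raw file, then every stream that inflates as Flate data."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates a trailing byte lost to the regex.
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data; already covered by the raw scan


def triage(pdf: bytes) -> dict:
    """Return indicator flags for one PDF supplied as bytes."""
    hits = {"saveAs": False, "launchURL": False, "launchURL_dollar": False}
    for body in script_bodies(pdf):
        if SAVEAS_RE.search(body):
            hits["saveAs"] = True
        for m in LAUNCH_RE.finditer(body):
            hits["launchURL"] = True
            if b"$" in m.group(2):
                hits["launchURL_dollar"] = True
    return hits


def make_sample(js: bytes, compress: bool) -> bytes:
    """Build a constructed, minimal PDF-like byte string holding one stream."""
    data = zlib.compress(js) if compress else js
    head = b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(data)).encode() + b" >>\nstream\n"
    return head + data + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    # Constructed sample: benign placeholder path and URL, not from the advisory.
    js = b'this.saveAs("/c/temp/out.pdf"); app.launchURL("http://example.invalid/a$b");'
    print(triage(make_sample(js, compress=True)))
```

A hit is a reason to inspect the document, not proof of malice, since legitimate forms also use these calls.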
Nitro has issued an update to correct these vulnerabilities. More details can be found at:
- 2017-04-05 – Verified and acquired by Beyond Security
- 2017-07-23 – Coordinated public release of advisory
Proof of Concept:
This vulnerability was discovered by Steven Seeley of Source Incite.
Source Incite would like to acknowledge Beyond Security’s SSD program for the help with co-ordination of this vulnerability. More details can be found on their blog at https://blogs.securiteam.com/index.php/archives/3251.