Nitro Pro 8 Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)

Credit: M. Heinzl
Risk: High
Local: No
Remote: Yes

SEC Consult Vulnerability Lab Security Advisory < 20130408-0 >
=======================================================================
              title: Nitro Pro 8 - Insecure Library Loading Allows Remote Code Execution (DLL Hijacking)
            product: Nitro Pro
 vulnerable version: ; older versions may also be affected
      fixed version:
         CVE number: CVE-2013-2773
             impact: high
           homepage:
              found: 2013-03-01
                 by: M. Heinzl
                     SEC Consult Vulnerability Lab
=======================================================================

Vendor description:
-------------------
From companies like Boeing and IBM to small home businesses with just a few staff, millions of people worldwide use Nitro Products — like Nitro Pro and Nitro Reader — to make PDF easy. Australian-founded in 2005, we're headquartered in downtown San Francisco with offices in Melbourne, Australia and Nitra Slovakia.

Source:

Vulnerability overview/description:
-----------------------------------
Nitro Pro is prone to a vulnerability that lets attackers execute arbitrary code. An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a remote WebDAV or SMB share which contains a specially crafted DLL.

Affected DLL: bcgcbproresen.dll (tested on Windows 8)

Proof of concept:
-----------------
Create a DLL with desired code, name it bcgcbproresen.dll and place it within the same folder as a *.pdf or *.fdf file.
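Added detection illustration (not part of the SEC Consult advisory): a check over Sysmon Event ID 7 (Image loaded) records that flags the advisory's DLL being loaded from anywhere other than the application's own directory or a system directory, and labels loads from UNC/WebDAV paths as the remote-share case described above. The install path, executable name and sample events are constructed placeholders, not values from the advisory.

```python
"""Detection helper for the DLL-hijacking pattern in this advisory, built on
Sysmon Event ID 7 (Image loaded) fields `Image` (the process executable) and
`ImageLoaded` (the DLL path). Install path, executable name and sample events
are constructed placeholders, not values from the advisory."""
from pathlib import PureWindowsPath

# DLL named in the advisory; extend the set to cover other known-hijackable names.
WATCHED_DLLS = {"bcgcbproresen.dll"}
# Directories from which a DLL load is expected (assumption: default Windows layout).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def load_origin(image_loaded: str) -> str:
    """UNC paths (\\\\server\\share, WebDAV via \\\\server@SSL\\DavWWWRoot) are the
    remote-share case the advisory describes; everything else is local."""
    return "remote share" if image_loaded.startswith("\\\\") else "local"


def is_suspicious_load(image: str, image_loaded: str) -> bool:
    """True when a watched DLL is loaded from anywhere other than the process's
    own directory or a system directory, i.e. from a document folder that an
    attacker could control (the search-order hijack in the advisory)."""
    dll = PureWindowsPath(image_loaded)
    if dll.name.lower() not in WATCHED_DLLS:
        return False
    dll_dir = str(dll.parent).lower()
    exe_dir = str(PureWindowsPath(image).parent).lower()
    if dll_dir == exe_dir or dll_dir.startswith(SYSTEM_DIRS):
        return False
    return True


def scan(events):
    """Return (ImageLoaded, origin) for each suspicious event, in input order."""
    return [(e["ImageLoaded"], load_origin(e["ImageLoaded"]))
            for e in events if is_suspicious_load(e["Image"], e["ImageLoaded"])]


# Constructed sample Event ID 7 records (placeholder install path and exe name).
APP = r"C:\Program Files\NitroPlaceholder\nitro_pro.exe"
SAMPLE_EVENTS = [
    {"Image": APP, "ImageLoaded": r"C:\Program Files\NitroPlaceholder\bcgcbproresen.dll"},
    {"Image": APP, "ImageLoaded": r"\\fileserver\public\invoices\bcgcbproresen.dll"},
    {"Image": APP, "ImageLoaded": r"C:\Users\alice\Downloads\BCGCBPRORESEN.DLL"},
    {"Image": APP, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for path, origin in scan(SAMPLE_EVENTS):
        print(f"suspicious load ({origin}): {path}")
```

The same rule generalizes to any application by replacing WATCHED_DLLS with the DLLs the application loads by bare name; loads from the process's own directory stay quiet, loads from document or share folders do not.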
Vulnerable / tested versions:
-----------------------------
Nitro Pro ; older versions may also be affected

Vendor contact timeline:
------------------------
2013-03-01: Contacting vendor through
2013-03-01: Vendor replies
2013-03-01: Forwarded security advisory
2013-03-01: Vendor replies
2013-03-01: Provided contact details again
2013-03-08: Contacted vendor again to inquire about status
2013-03-13: Vendor replies that they are working on a hotfix
2013-03-14: Confirmed receipt of last email
2013-03-27: Contacted vendor again to inquire about status
2013-04-02: Vendor replied that a patch was released on 2013-03-28 which fixes the vulnerability (version
2013-04-02: Confirmed receipt of last email and coordinated public disclosure of advisory for 2013-04-08
2013-04-08: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to version

Workaround:
-----------
-

Advisory URL:
-------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

EOF M. Heinzl / @2013


