SSD Advisory – Nitro Pro PDF Multiple Vulnerabilities

Credit to Author: SSD / Maor Schwartz| Date: Mon, 24 Jul 2017 05:25:58 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describes three vulnerabilities found in Nitro / Nitro Pro PDF.

Nitro Pro is the PDF reader and editor that does everything you will ever need to do with PDF files. The powerful but snappy editor lets you change PDF documents with ease, and comes with a built-in OCR engine that can transform scanned documents into editable files. Fill up forms, annotate and sign them as part of your workflow, and easily merge multiple documents or delete selected pages as necessary.

If you use a large display or multiple monitors, NitroPDF also offers the ability to display PDF documents side-by-side so that you can pore through multiple documents. Of course, you could use AquaSnap to do that.

The vulnerabilities found in Nitro PDF are:

  • Doc.saveAs Directory Traversal Arbitrary File Write that lead to Command Execution
  • App.launchURL Command Execution
  • JPEG2000 npdf.dll Use-After-Free
  • Forms Parsing NPForms.npp Use-After-Free
  • File Parsing Count Field npdf.dll Memory Corruption
  • NewWindow Launch Action NPActions.npp Command
  • URI Action NPActions.npp Command Execution

This report contain the following vulnerabilities:

  • Doc.saveAs Directory Traversal Arbitrary File Write that lead to Command Execution
  • App.launchURL Command Execution
  • JPEG2000 npdf.dll Use-After-Free

Credit
Two independent security researchers have reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vendor has released patches to address this vulnerability. “Number of the reported vulnerabilities have been resolved and confirmed, and will included in our next release of Nitro Pro, 11.05.”

For more details: https://www.gonitro.com/support/downloads#securityUpdates

Vulnerabilities Details

Doc.saveAs Directory Traversal Arbitrary File Write that lead to Command Execution
The Doc.saveAs function does not validate either the file extension, the content of the PDF or if the path contains traversals before saving it to disk.

An attacker can leverage this to write a malicious file to the operating system in any path. This alone can be used to achieve remote code execution by writing into the users startup folder.

App.launchURL Command Execution
The App.launchURL function allows an attacker to execute commands with the privileges of the currently running user. However, a security alert or warning is typically triggered when doing so.

This can be bypassed if a $ sign is used within the path. Note that if an attacker does this, they will execute the file from the current directory, which may not be ideal for exploitation.

Also note, that the App.launchURL function does not filter for space characters such as carriage return and line feeds. This can allow an attacker to spoof the file /url being launched.

Doc.saveAs and App.launchURL Remote Code Execution Proof of Concept

JPEG2000 npdf.dll Use-After-Free
When parsing a malformed embedded JPEG2000 image into a PDF the process will destroy an object in memory, forcing a pointer to be reused after it has been free. The reuse functions are located in the npdf.dll.

when browsing a folder with the mutated files and attaching to the newly launched dllhost.exe, WinDbg will show:

When opening the file with Nitro PDF Reader 32 BIT, WinDbg will show ex. :

eip is overwritten with random memory.

Disassembly of the prior call:

call stack:

reuse function, npdf.dll:

Print Friendly

https://blogs.securiteam.com/index.php/feed