Nitro Pro 8 Insecure Library Loading

`SEC Consult Vulnerability Lab Security Advisory < 20130408-0 >  
=======================================================================  
title: Nitro Pro 8 - Insecure Library Loading Allows Remote Code  
Execution (DLL Hijacking)  
product: Nitro Pro  
vulnerable version: 8.5.0.26; older versions may also be affected  
fixed version: 8.5.2.10  
CVE number: CVE-2013-2773  
impact: high  
homepage: http://www.nitropdf.com/  
found: 2013-03-01  
by: M. Heinzl  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
>From companies like Boeing® and IBM® to small home businesses with just a few  
staff, millions of people worldwide use Nitro Products — like Nitro Pro and  
Nitro Reader — to make PDF easy.  
Australian-founded in 2005, we're headquartered in downtown San Francisco with  
offices in Melbourne, Australia and Nitra Slovakia.  
  
Source: http://www.nitropdf.com/about  
  
  
Vulnerability overview/description:  
-----------------------------------  
Nitro Pro is prone to a vulnerability that lets attackers execute arbitrary  
code. An attacker can exploit this issue by enticing a legitimate user to use  
the vulnerable application to open a file from a remote WebDAV or SMB share  
which contains a specially crafted DLL.  
  
Affected DLL: bcgcbproresen.dll (tested on Windows 8)  
  
  
Proof of concept:  
-----------------  
Create a DLL with desired code, name it bcgcbproresen.dll and place it within  
the same folder as a *.pdf or *.fdf file.  
  
  
Vulnerable / tested versions:  
-----------------------------  
Nitro Pro 8.5.0.26; older versions may also be affected  
  
  
Vendor contact timeline:  
------------------------  
2013-03-01: Contacting vendor through http://www.nitropdf.com/support/ticket  
2013-03-01: Vendor replies  
2013-03-01: Forwarded security advisory  
2013-03-01: vendor replies  
2013-03-01: Provided again contact details  
2013-03-08: Contaced vendor again to inquire status  
2013-03-13: Vendor replies that they are working on a hotfix  
2013-03-14: Confirmed receipt of last email  
2013-03-27: Contaced vendor again to inquire status  
2013-04-02: Vendor replied that a patch was released on 2013-03-28 which fixes  
the vulnerability (version 8.5.2.10)  
2013-04-02: Confirmed receipt of last email and coordinated public disclosure  
of advisory for 2013-04-08  
2013-04-08: SEC Consult releases coordinated security advisory.  
  
  
Solution:  
---------  
Update to version 8.5.2.10.  
  
  
Workaround:  
-----------  
-  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
https://www.sec-consult.com  
http://blog.sec-consult.com  
  
EOF M. Heinzl / @2013  
  
  
`