CVE-2017-7442
Published 2017-08-03
CVE-2017-7442: Nitro Pro 11.0.3.173 allows remote attackers to execute arbitrary code via saveAs and launchURL calls with directory traversal sequences.
Priority: P271high
CVSS 3.0 score: 8.8 (high)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 40.69% (98.5th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gonitro | nitro_pro | — | — |
Detection & IOCs (extracted from sources)
- Look for PDF files spawning HTA or EXE files dropped into C:\Windows\Temp, indicative of the two-stage payload delivery used by this exploit.
- Monitor Nitro Pro PDF Reader processes invoking saveAs() and launchURL() JavaScript API calls with directory traversal sequences, as these are the core exploit primitives.
- Detect VBScript/HTA activity originating from a PDF reader process, specifically COM object creation of Microsoft.XMLHTTP and ADODB.Stream followed by file write and wscript.shell execution.
- Alert on Nitro Pro PDF Reader version 11.0.3.173 specifically, as this is the vulnerable version targeted by the exploit.
- Detect outbound HTTP GET requests from a PDF reader process to a remote host on port 8080 fetching a .exe payload, consistent with the second-stage delivery mechanism.
- Monitor for short random-named (4-character alpha) .hta and .exe files created in C:\Windows\Temp by a PDF reader process, as the exploit uses rand_text_alpha(4) for payload naming.
- The exploit's default URIPATH is '/' and default filename is 'msf.pdf'; defenders should not rely solely on these defaults as they are trivially changed by an attacker.
- The HTA payload uses CSS visibility:hidden and window resizing to hide the execution window, meaning no visible UI artifact will appear to the victim.
- The module author claims 100% reliability, meaning exploitation does not require heap spraying or timing-sensitive conditions — any opened malicious PDF will trigger the payload.
- SSL is explicitly deregistered in the module, meaning the C2 communication will always be unencrypted HTTP, making network detection straightforward.
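As an added example (not code from this page or from the Metasploit module), the following Python pass runs the endpoint-side indicators above over constructed process, file and network events and reports which ones fire. The reader image name NitroPDF.exe, the event field names and the sample events are assumptions, not values taken from the page.

```python
import re

# Assumed image name of the Nitro reader process (placeholder, not from the page);
# adjust to the names seen in your own endpoint telemetry.
PDF_READER_IMAGES = {"nitropdf.exe"}
TEMP_DIR = r"c:\windows\temp"
# Four alphabetic characters plus .hta/.exe, the rand_text_alpha(4) naming noted above.
DROP_NAME_RE = re.compile(r"^[a-z]{4}\.(hta|exe)$", re.IGNORECASE)

def _basename(path):
    return path.rsplit("\\", 1)[-1]

def _is_pdf_reader(image):
    return _basename(image).lower() in PDF_READER_IMAGES

def _in_windows_temp(path):
    return path.lower().startswith(TEMP_DIR + "\\")

def classify_event(ev):
    """Return the detection labels that fire on a single endpoint event."""
    hits = []
    if ev["type"] == "file_create" and _is_pdf_reader(ev["image"]):
        # Stage one: the reader itself writes a short random-named .hta/.exe into Temp.
        if _in_windows_temp(ev["target"]) and DROP_NAME_RE.match(_basename(ev["target"])):
            hits.append("pdf-reader-drops-random-hta-or-exe-in-temp")
    elif ev["type"] == "process_create" and _is_pdf_reader(ev["parent_image"]):
        # Stage two: the reader launches the dropped HTA (via mshta) or a Temp-resident EXE.
        child = _basename(ev["image"]).lower()
        if child == "mshta.exe" or (child.endswith(".exe") and _in_windows_temp(ev["image"])):
            hits.append("pdf-reader-spawns-hta-or-temp-exe")
    elif ev["type"] == "network_connect" and _is_pdf_reader(ev["image"]):
        # Payload fetch: plain HTTP GET for an .exe on port 8080 from the reader process.
        if ev["dest_port"] == 8080 and ev["url"].lower().endswith(".exe"):
            hits.append("pdf-reader-fetches-exe-over-http-8080")
    return hits

def scan(events):
    # Run every event through classify_event and return (event id, label) pairs.
    return [(ev["id"], hit) for ev in events for hit in classify_event(ev)]

# Constructed sample telemetry, not real logs: events 1, 2, 3 and 5 model the chain
# described in the bullets above; events 4 and 6 are benign controls.
READER = r"C:\Program Files\Nitro\NitroPDF.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create", "image": READER, "target": r"C:\Windows\Temp\qwer.hta"},
    {"id": 2, "type": "process_create", "parent_image": READER, "image": r"C:\Windows\System32\mshta.exe"},
    {"id": 3, "type": "process_create", "parent_image": READER, "image": r"C:\Windows\Temp\zxcv.exe"},
    {"id": 4, "type": "file_create", "image": READER, "target": r"C:\Users\alice\Documents\report.pdf"},
    {"id": 5, "type": "network_connect", "image": READER, "dest_port": 8080, "url": "http://203.0.113.10:8080/zxcv.exe"},
    {"id": 6, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe"},
]
```

Calling `scan(SAMPLE_EVENTS)` yields one finding each for events 1, 2, 3 and 5 and nothing for the two benign controls.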
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
No detection rules found.
Exploit-DB
Nitro Pro PDF Reader 11.0.3.173 - Javascript API Code Execution (Metasploit)
exploitdb · 2017-08-02
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  # (the rank and include lines between the class header and 'Name' were lost in extraction)
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
      'Description' => %q{
        This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
        PDF Reader version 11. The saveAs() Javascript API function allows for writing
        arbitrary files to the file system. Additionally, the launchURL() function allows
        an attacker to execute local files on the file system and bypass the security dialog
        Note: This is 100% reliable.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'mr_me ', # vulnerability discovery and exploit (e-mail address lost in extraction)
          'Brendan Coles', # (e-mail address and the remainder of the module are not included on this page)
```
Metasploit
Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution
No writeups or analysis indexed.
Published: 2017-08-03