cbcvebase.
CVE-2017-7442
published 2017-08-03

CVE-2017-7442: Nitro Pro 11.0.3.173 allows remote attackers to execute arbitrary code via saveAs and launchURL calls with directory traversal sequences.

Priority: P2 · 71 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 40.69% (98.5th percentile)

Affected

1 range

Vendor    Product     Version range    Fixed in
gonitro   nitro_pro

Detection & IOCs (extracted from sources)

filename: msf.pdf
path: C:/Windows/Temp
filename: *.hta
filename: *.exe
command: saveAs()
command: launchURL()
url: http://srcincite.io/advisories/src-2017-0005/
url: https://blogs.securiteam.com/index.php/archives/3251
process: wscript.shell
process: Microsoft.XMLHTTP
process: ADODB.Stream
  • Look for PDF files spawning HTA or EXE files dropped into C:\Windows\Temp, indicative of the two-stage payload delivery used by this exploit.
  • Monitor Nitro Pro PDF Reader processes invoking saveAs() and launchURL() JavaScript API calls with directory traversal sequences, as these are the core exploit primitives.
  • Detect VBScript/HTA activity originating from a PDF reader process, specifically COM object creation of Microsoft.XMLHTTP and ADODB.Stream followed by file write and wscript.shell execution.
  • Alert on Nitro Pro PDF Reader version 11.0.3.173 specifically, as this is the vulnerable version targeted by the exploit.
  • Detect outbound HTTP GET requests from a PDF reader process to a remote host on port 8080 fetching a .exe payload, consistent with the second-stage delivery mechanism.
  • Monitor for short random-named (4-character alpha) .hta and .exe files created in C:\Windows\Temp by a PDF reader process, as the exploit uses rand_text_alpha(4) for payload naming.
  • The exploit's default URIPATH is '/' and default filename is 'msf.pdf'; defenders should not rely solely on these defaults as they are trivially changed by an attacker.
  • The HTA payload uses CSS visibility:hidden and window resizing to hide the execution window, meaning no visible UI artifact will appear to the victim.
  • The module author claims 100% reliability, meaning exploitation does not require heap spraying or timing-sensitive conditions: any opened malicious PDF will trigger the payload.
  • SSL is explicitly deregistered in the module, meaning the C2 communication will always be unencrypted HTTP, making network detection straightforward.
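The first and sixth detection points above (a PDF reader writing or launching .hta/.exe files in C:\Windows\Temp, with the 4-letter random names the module generates) can be turned into a small endpoint rule. The following is an added example, not code from this page or from any vendor; it runs over constructed Sysmon-style events, and the reader binary name NitroPDF.exe and its install path are assumptions, since the page does not name the process.

```python
import re
from typing import Dict, List, Tuple
# Constructed Sysmon-style file-create / process-create events, reduced to the
# fields the rule needs. "NitroPDF.exe" is an assumed reader binary name.
PDF_READER_IMAGES = {"nitropdf.exe"}
TEMP_DIR = "c:\\windows\\temp\\"
# rand_text_alpha(4) + .hta/.exe: the staging names the page describes
STAGED_NAME = re.compile(r"^[a-z]{4}\.(hta|exe)$", re.IGNORECASE)

def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()

def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]

def classify(event: Dict[str, str]) -> str:
    """'high'  : PDF reader writes or launches a 4-letter .hta/.exe in Temp
       'medium': PDF reader writes or launches any other .hta/.exe in Temp
       'none'  : everything else (other parent processes, other paths)"""
    if event["type"] == "file_create":
        actor, target = event["image"], event["target_filename"]
    elif event["type"] == "process_create":
        actor, target = event["parent_image"], event["image"]
    else:
        return "none"
    if _basename(actor) not in PDF_READER_IMAGES or not _norm(target).startswith(TEMP_DIR):
        return "none"
    name = _basename(target)
    if STAGED_NAME.match(name):
        return "high"
    return "medium" if name.endswith((".hta", ".exe")) else "none"

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(severity, target path) for every event that fires; others are dropped."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev != "none":
            hits.append((sev, ev.get("target_filename") or ev["image"]))
    return hits

READER = r"C:\Program Files\Nitro\NitroPDF.exe"   # assumed install path
SAMPLE_EVENTS = [  # constructed, not captured from a real host
    {"type": "file_create", "image": READER, "target_filename": r"C:\Windows\Temp\kqzp.hta"},
    {"type": "file_create", "image": READER, "target_filename": r"C:\Users\alice\report.pdf"},
    {"type": "process_create", "parent_image": READER, "image": r"C:\Windows\Temp\wmxa.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\Temp\wmxa.exe"},
    {"type": "file_create", "image": READER, "target_filename": r"C:\Windows\Temp\installer_update.exe"},
]
```

The medium tier exists because the 4-letter naming is a module default that an operator can change, so the rule still fires on any .hta/.exe the reader drops or launches from that directory.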

CVSS provenance

Source   Version   Score   Severity   Vector
NVD      v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD      v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P