CVE-2023-38083
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious JP2 files in Kofax Power PDF. The flaw exists in JP2 file parsing where improper data validation leads to out-of-bounds writes. Affected users include anyone using vulnerable versions of Kofax Power PDF who opens untrusted JP2 files.
💻 Affected Systems
- Kofax Power PDF
📦 What is this software?
Power PDF by Tungsten Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the PDF application user, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Local privilege escalation or malware execution within the user context, potentially leading to credential theft or data exfiltration.
If Mitigated
Application crash or denial of service if exploit fails, with potential data loss from corrupted files.
🎯 Exploit Status
Exploitation requires crafting a malicious JP2 file and getting a user to open it; no authentication is needed. The ZDI-CAN-20489 identifier suggests detailed research exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version from Kofax (specific version not provided in references)
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-961/
Restart Required: Yes
Instructions:
1. Open Kofax Power PDF
2. Navigate to Help > Check for Updates
3. Follow prompts to install latest version
4. Restart application and system if prompted
🔧 Temporary Workarounds
Disable JP2 file association
Windows: Remove the JP2 file type association with Kofax Power PDF to prevent automatic opening
Control Panel > Default Programs > Associate a file type or protocol with a program > Select .jp2 > Change program > Choose different application
Block JP2 files at perimeter
All platforms: Filter JP2 files at email gateways and web proxies
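A perimeter filter that matches only on the .jp2 extension misses a renamed file, so the check belongs on the content. The sketch below is an added example, not code from the vendor or from this advisory: it identifies JPEG 2000 data by its signature box or codestream markers. The function names and the idea that the gateway passes in a filename plus the leading bytes are assumptions.

```python
import struct

# JPEG 2000 signature box: length 12, type 'jP  ', payload 0D 0A 87 0A
JP2_SIGNATURE = bytes.fromhex("0000000c6a5020200d0a870a")
# Raw codestream: SOC marker (FF4F) immediately followed by SIZ marker (FF51)
J2K_CODESTREAM = bytes.fromhex("ff4fff51")
JP2_EXTENSIONS = (".jp2", ".j2k", ".j2c", ".jpf", ".jpx", ".jpm")


def classify_jpeg2000(data: bytes):
    """Return a label if the leading bytes are JPEG 2000, else None."""
    if data.startswith(J2K_CODESTREAM):
        return "j2k-codestream"
    if not data.startswith(JP2_SIGNATURE):
        return None
    # A file type box should follow: 4-byte length, 'ftyp', 4-byte brand.
    box = data[12:24]
    if len(box) == 12 and box[4:8] == b"ftyp":
        brand = box[8:12].decode("ascii", "replace").strip()
        return f"jp2-container:{brand}"
    return "jp2-container:unknown"


def gateway_verdict(filename: str, data: bytes):
    """Hold JPEG 2000 by content first, so a renamed JP2 is still caught."""
    kind = classify_jpeg2000(data)
    by_name = filename.lower().endswith(JP2_EXTENSIONS)
    if kind and not by_name:
        return ("block", f"{kind} content behind a non-JP2 name")
    if kind:
        return ("block", kind)
    if by_name:
        return ("block", "JP2 extension, content not recognised")
    return ("allow", "not JPEG 2000")


if __name__ == "__main__":
    # Constructed sample headers (not real images): just enough bytes to classify.
    jp2_header = JP2_SIGNATURE + struct.pack(">I4s4s", 20, b"ftyp", b"jp2 ")
    samples = {
        "scan.jp2": jp2_header,
        "invoice.pdf": jp2_header,
        "tile.j2k": J2K_CODESTREAM + b"\x00" * 8,
        "report.pdf": b"%PDF-1.7\n",
    }
    for name, blob in samples.items():
        print(name, gateway_verdict(name, blob))
```
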
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized executables from running
- Use sandboxed environments for opening untrusted PDF files
🔍 How to Verify
Check if Vulnerable:
Check Kofax Power PDF version against latest patched version from vendor website
Check Version:
In Kofax Power PDF: Help > About Power PDF
Verify Fix Applied:
Verify application version is updated to latest release and test with known safe JP2 files
📡 Detection & Monitoring
Log Indicators:
- Application crashes when opening JP2 files
- Unexpected child processes spawned from PDF application
Network Indicators:
- Outbound connections from PDF application to unusual destinations
- DNS requests for command and control domains
SIEM Query:
Process Creation where ParentImage contains 'PowerPDF' AND (CommandLine contains '.jp2' OR Image contains unusual executable names)