CVE-2024-9745
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious TIF files in Tungsten Automation Power PDF. Attackers can exploit a stack-based buffer overflow during TIF file parsing to gain code execution in the context of the PDF application. All users of affected Power PDF versions are at risk.
💻 Affected Systems
- Tungsten Automation Power PDF
📦 What is this software?
Power PDF by Tungsten Automation
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the PDF application user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to data exfiltration, malware installation, or persistence mechanisms being established on the compromised system.
If Mitigated
Application crash or denial of service if exploit attempts are blocked by security controls, with no code execution achieved.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) but the buffer overflow itself is straightforward. ZDI has confirmed the vulnerability and exploitation is likely given the RCE nature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Tungsten Automation security advisory for specific patched version
Vendor Advisory: https://www.tungstenautomation.com/security
Restart Required: Yes
Instructions:
1. Check current Power PDF version
2. Visit Tungsten Automation security advisory page
3. Download and install latest security update
4. Restart system to ensure patch is fully applied
🔧 Temporary Workarounds
Disable TIF file association
(Windows) Remove Power PDF as the default handler for TIF files to prevent automatic opening
Control Panel > Default Programs > Set Default Programs > Select Power PDF > Choose defaults for this program > Uncheck TIF/TIFF formats
Block TIF files at perimeter
(All platforms) Prevent TIF files from reaching endpoints via email or web downloads
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized PDF applications
- Use endpoint protection with exploit prevention capabilities
🔍 How to Verify
Check if Vulnerable:
Check Power PDF version against Tungsten Automation security advisory. Versions before the patched release are vulnerable.
Check Version:
Open Power PDF > Help > About Power PDF
Verify Fix Applied:
Verify Power PDF version matches or exceeds patched version listed in vendor advisory.
📡 Detection & Monitoring
Log Indicators:
- Power PDF crash logs with TIF file references
- Unexpected child processes spawned from Power PDF
Network Indicators:
- Outbound connections from Power PDF to suspicious IPs
- DNS requests for known C2 domains from PDF process
SIEM Query:
process_name:"PowerPDF.exe" AND (event_type:crash OR child_process_count > 1)
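The two log indicators and the SIEM query above, as an added example that is not part of this advisory: a small rule that flags Power PDF crashes referencing a TIF file and Power PDF instances spawning more than one child process. The event shape (Sysmon-style process and crash records) and the field names are assumptions, and the telemetry is constructed.

```python
"""Added example, not from the advisory or the vendor: evaluate the
advisory's detection heuristics for CVE-2024-9745 over constructed events.
Field names (event_type, process_name, pid, parent_pid, details) are
hypothetical Sysmon-style names, not a real product schema."""
from collections import defaultdict

PDF_PROCESS = "PowerPDF.exe"

# Constructed sample telemetry: one Power PDF instance (pid 4100) crashes
# while handling a .tif, another (pid 4200) spawns two child processes,
# and a third (pid 4300) spawns a single child, which stays under threshold.
SAMPLE_EVENTS = [
    {"event_type": "process_start", "process_name": "PowerPDF.exe",
     "pid": 4100, "parent_pid": 900, "details": "PowerPDF.exe invoice.tif"},
    {"event_type": "crash", "process_name": "PowerPDF.exe", "pid": 4100,
     "details": "Exception while reading C:\\Users\\a\\invoice.tif"},
    {"event_type": "process_start", "process_name": "PowerPDF.exe",
     "pid": 4200, "parent_pid": 900, "details": "PowerPDF.exe report.pdf"},
    {"event_type": "process_start", "process_name": "cmd.exe",
     "pid": 4201, "parent_pid": 4200, "details": "cmd.exe"},
    {"event_type": "process_start", "process_name": "powershell.exe",
     "pid": 4202, "parent_pid": 4200, "details": "powershell.exe"},
    {"event_type": "process_start", "process_name": "PowerPDF.exe",
     "pid": 4300, "parent_pid": 900, "details": "PowerPDF.exe notes.pdf"},
    {"event_type": "process_start", "process_name": "splwow64.exe",
     "pid": 4301, "parent_pid": 4300, "details": "splwow64.exe"},
]


def find_alerts(events, child_threshold=1):
    """Return alert strings mirroring the advisory's SIEM query:
    'crash:<pid>' for a Power PDF crash whose details mention a TIF/TIFF
    file, and 'children:<pid>:<names>' for a Power PDF process with more
    than child_threshold child processes."""
    is_pdf = lambda e: e.get("process_name", "").lower() == PDF_PROCESS.lower()
    pdf_pids = {e["pid"] for e in events
                if e["event_type"] == "process_start" and is_pdf(e)}
    children = defaultdict(list)
    alerts = []
    for e in events:
        # ".tif" also matches ".tiff", so both extensions are covered.
        if e["event_type"] == "crash" and is_pdf(e) \
                and ".tif" in e.get("details", "").lower():
            alerts.append(f"crash:{e['pid']}")
        elif e["event_type"] == "process_start" and e.get("parent_pid") in pdf_pids:
            children[e["parent_pid"]].append(e["process_name"])
    for pid, names in children.items():
        if len(names) > child_threshold:
            alerts.append(f"children:{pid}:{','.join(names)}")
    return alerts
```

A crash alone is the "If Mitigated" outcome the advisory describes; the child-process alert is the one that suggests code execution succeeded and deserves the faster response.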