Nuance PowerPDF Advanced Metadata Information Disclosure Vulnerability (low|local)

[Christopher Hudel <christopher () hudel com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vendor:
=======
Nuance Communications

Product:
========
PowerPDF Advanced Version 1.0
PowerPDF Advanced Version 1.1

Advisory Information:
=====================
Local Information Leakage / Disclosure

Severity Level:
===============
Low
 
Vulnerability Details and Impact:
=================================
The software permits the encoding/editing of meta-data such as Title,
Author, Subject, Keywords, etc.. When the information is removed or
overwritten within the interface, it appears that the previous
information is lost. However, the information remains within the PDF
file. This is a leak of potentially sensitive information after  a user
believes they have edited or removed it.

Individuals or organizations wishing to protect sensitive meta-data of a
PDF file may be unable to do so. This may cause inadvertent leakage of
information (previous authors, keywords, subjects, titles, etc..) that
an individual or organization does not wish to expose.

Exploit Methods:
================
There are no remote exploit methods for this vulnerability. The steps to
reproduce the vulnerability locally are detailed at the following
location: http://christopher.hudel.com/vulns/Nuance-CVE-Submission.pdf


Disclosure Timeline:
====================
19-Jun-2015: Emailed technical contact of the nuance.com domain
(hostmaster () nuance com) asking to be contacted regarding potential
information security vulnerability. [no response]

23-Jun-2015: Opened support ticket with Vendor. Through some periodic
email exchange, and a phone call (16-Jul-2015) to their support team,
was unable to have technical support department open the ticket and
receive information about the nature of the security vulnerability. (Was
not the volume purchase owner on record, so ability to submit the
vulnerability was denied).

01-Jul-2015: Reached out via LinkedIn to senior IT person listed in
LinkedIn for Nuance Corporation. [no response]

16-Jul-2015: Submitted vulnerability information to US-CERT. Response
was to (paraphrasing) "try harder". :)

16-Jul-2015: Submitted information and vulnerability details to
support () nuance com, security () nuance com, and media () nuance com [no
response]

08-Aug-2015: Submitted vulnerability to BugTraq mailing list.

Author / Role:
==============
Christopher Hudel / independent security researcher

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given
to the author. The author is not responsible for any misuse of the
information contained herein and prohibits any malicious use of all
security related information or exploits by the author or elsewhere.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJVzNjpAAoJENxeBkNw/wLOQCMIAKZ9X3vhD7VsRdYC1vwYEoR3
XbcJO1RUSRa1S3iS0uiXtNAc2kPoXGeCMeoN7rIL34uPjbtHUH4tHr8aqEajcj/N
4meUgaTCgBBqPundDPhYH+YaRXGYAtpd6oXqaROlHXxPm3vAulXUCgpR4+qeTMHz
vvMyt0BTKKxsSkjCICiav9GbuPF48IeFnEDb6WSZhfpzNUT1jCPAX/tDkR15D83V
fDCfhRk3nHAZ8Kl4XviD3SszVPEyaj5qJjrj60rT+Lt8Y9zV31C3FrH58EM9mc4A
6wU8PBRgXI8rA55rihJBY+x/T4xT8O50nkUdMjTqdbQ/Q9sJNA0e8VK1GjOs/C0=
=/nZC
-----END PGP SIGNATURE-----

-- 
  Christopher Hudel
  christopher () hudel com