Talos Vulnerability Report

TALOS-2016-0218

Nitro Pro PDF Handling Code Execution Vulnerability

February 3, 2017
CVE Number

CVE-2016-8709

Summary

A remote out-of-bounds write / memory corruption vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can trigger this vulnerability, resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.

Tested Versions

  • Nitro Pro 10.5.9.9 (Nitro PDF Library - 10, 5, 9, 9) - x64 version

Product URLs

http://gonitro.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

A remote memory corruption vulnerability exists in the PDF parsing functionality of Nitro Pro. A specially crafted PDF file can trigger this vulnerability, resulting in potential memory corruption.

Vulnerable code is located in the npdf.dll library:

.text:000000000011B3F8                 mov     eax, edx
.text:000000000011B3FA                 lea     rcx, [rax+rax*2]
.text:000000000011B3FE                 lea     r8, ds:0[rcx*8]
.text:000000000011B406                 mov     r9, [rsp+5B8h+var_570]
.text:000000000011B40B                 mov     rax, [r9+60h]
.text:000000000011B40F                 mov     [r8+rax], rsi        ;   memory corruption
.text:000000000011B413                 mov     rax, [r9+60h]
.text:000000000011B417                 mov     [r8+rax+8], edx
.text:000000000011B41C                 inc     edx
.text:000000000011B41E                 cmp     edx, ebx
.text:000000000011B420                 jnb     short loc_11B453
.text:000000000011B422                 lea     rcx, [rdx+rdx*2]
.text:000000000011B426                 shl     rcx, 3
.text:000000000011B42A                 mov     eax, ebx
.text:000000000011B42C                 sub     eax, edx
.text:000000000011B42E                 mov     edx, eax

The r8 value used at 0x000000000011B40F (the index in edx, scaled by 24 through the two lea instructions above it) can be partially controlled by data in the malformed PDF file.
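The following C model is an added illustration and not code from Nitro Pro or from the Talos report. It reconstructs the write pattern visible in the disassembly: a 24-byte element stride (rcx = rax*3, r8 = rcx*8), an 8-byte store at offset 0 and a 4-byte store at offset 8, with the loop storing first and only then comparing the incremented index against the count (cmp edx, ebx / jnb). The register values in the crash dump are consistent with that model: 0xfffffffb * 24 = 0x17ffffff88 (rdx and r8), and rax + r8 = 0x000000180f1212a8, the faulting write address. The struct field names, the function names and the table capacities are assumptions made for the example. The hardened variant shows the check a parser needs before the first store.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the element layout implied by the disassembly:
 * 24-byte stride, an 8-byte field written at offset 0 (mov [r8+rax], rsi)
 * and a 4-byte field written at offset 8 (mov [r8+rax+8], edx).
 * Field names are assumptions; the advisory does not name them. */
struct entry {
    uint64_t value;
    uint32_t index;
    uint32_t pad;
    uint64_t unused;   /* brings the stride to 24 bytes */
};

#define ENTRY_STRIDE 24u

/* Byte offset from the table base that a store for `idx` targets,
 * computed the way the instructions do it: eax = edx (zero-extended),
 * rcx = rax * 3, r8 = rcx * 8. A 32-bit index therefore scales to an
 * offset of up to ~96 GiB, far beyond any real allocation. */
uint64_t store_offset(uint32_t idx)
{
    return (uint64_t)idx * ENTRY_STRIDE;
}

/* True when a store for `idx` stays inside a table of `capacity` entries. */
int store_in_bounds(uint32_t idx, size_t capacity)
{
    return (uint64_t)idx < (uint64_t)capacity;
}

/* Loop shape matching the disassembly: the element is written BEFORE the
 * index is compared with the count, so a start index that is not below
 * `count` (the crash shows rdx = 0xfffffffb, rbx = 0) still produces one
 * out-of-bounds store. Shown only to contrast with fill_checked(); it must
 * never be reached with attacker-controlled start/count. */
void fill_unchecked(struct entry *tbl, uint32_t start, uint32_t count,
                    uint64_t v)
{
    uint32_t i = start;
    do {
        tbl[i].value = v;       /* mov [r8+rax], rsi   <- faulting store */
        tbl[i].index = i;       /* mov [r8+rax+8], edx */
        i++;
    } while (i < count);        /* cmp edx, ebx / jnb: check comes too late */
}

/* Hardened form: validate the whole [start, count) range against the
 * allocation before the first store and reject bad input with -1.
 * `capacity` is the number of entries actually allocated for `tbl`. */
int fill_checked(struct entry *tbl, size_t capacity, uint32_t start,
                 uint32_t count, uint64_t v)
{
    if (tbl == NULL || count > capacity || start >= count)
        return -1;
    for (uint32_t i = start; i < count; i++) {
        tbl[i].value = v;
        tbl[i].index = i;
    }
    return 0;
}

int main(void)
{
    struct entry table[4] = {0};

    /* Values taken from the crash context in the advisory. */
    printf("r8 for rdx=0xfffffffb: 0x%llx\n",
           (unsigned long long)store_offset(0xfffffffbu));
    printf("in bounds of a 4-entry table? %d\n",
           store_in_bounds(0xfffffffbu, 4));

    /* The hardened filler refuses the malformed range instead of writing. */
    printf("fill_checked(start=0xfffffffb, count=0) -> %d\n",
           fill_checked(table, 4, 0xfffffffbu, 0, 0x0409002400000000ULL));
    printf("fill_checked(start=1, count=4) -> %d\n",
           fill_checked(table, 4, 1, 4, 0x0409002400000000ULL));
    return 0;
}
```

The decisive difference between the two fillers is where the comparison sits: the disassembled loop only compares edx with ebx after the store at 0x000000000011B40F has already executed, whereas fill_checked() rejects any range that is not fully inside the allocation before touching memory.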

Crash Information

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for J:\nitro\plug_ins\NPRedaction.npp
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for J:\nitro\plug_ins\NPRedaction.npp -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for NitroPDF.exe -

FAULTING_IP:
npdf!TerminateApp+54caf
000007fe`d61fb40f 49893400        mov     qword ptr [r8+rax],rsi

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fed61fb40f (npdf!TerminateApp+0x0000000000054caf)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 000000180f1212a8
Attempt to write to address 000000180f1212a8

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=000000000f121320 rbx=0000000000000000 rcx=00000002fffffff1
rdx=00000000fffffffb rsi=0409002400000000 rdi=0407002300000000
rip=000007fed61fb40f rsp=000000000110bad0 rbp=000007fed6a19b28
 r8=00000017ffffff88  r9=000007fed6e179f0 r10=0000000000000005
r11=000000000110bbf0 r12=000000000000003b r13=000007fed6e179f0
r14=0000000000000005 r15=0000000005520b9a
iopl=0         nv up ei ng nz ac po cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
npdf!TerminateApp+0x54caf:
000007fe`d61fb40f 49893400        mov     qword ptr [r8+rax],rsi ds:00000018`0f1212a8=????????????????

FAULTING_THREAD:  000000000000e4d4

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  NitroPDF.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  000000180f1212a8

WRITE_ADDRESS:  000000180f1212a8

FOLLOWUP_IP:
npdf!TerminateApp+54caf
000007fe`d61fb40f 49893400        mov     qword ptr [r8+rax],rsi

DETOURED_IMAGE: 1

NTGLOBALFLAG:  470

APPLICATION_VERIFIER_FLAGS:  0

APP:  nitropdf.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 000007fed62026b7 to 000007fed61fb40f

STACK_TEXT:
00000000`0110bad0 000007fe`d62026b7 : 00000000`00000000 00000000`0d5c5d80 00000000`0d5c5d80 000007fe`d6215cca : npdf!TerminateApp+0x54caf
00000000`0110c090 000007fe`d3883f08 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : npdf!TerminateApp+0x5bf57
00000000`0110c0e0 000007fe`d3893454 : 04090004`00000000 00000000`0d5b79d0 00000001`3f350000 000007fe`d6e179f0 : NPRedaction+0x3f08
00000000`0110c580 00000001`3f48daf4 : 00000000`0110d780 00000000`0110d780 00000001`3f350000 00000000`00000000 : NPRedaction+0x13454
00000000`0110ca10 00000001`3f4a198a : 00000000`00000000 00000000`0110d3d0 00000000`016d04d6 00000000`0d5d2220 : NitroPDF!CxMemFile::Scanf+0x91af4
00000000`0110d2e0 00000001`3f46f27b : 00000000`00000000 000007fe`000003ed 00000000`0d5b79d0 00000000`0000001e : NitroPDF!CxMemFile::Scanf+0xa598a
00000000`0110d760 000007fe`e2289079 : 00000000`0000054c 000007fe`e2275140 00000000`0110d8e0 000007fe`e2020000 : NitroPDF!CxMemFile::Scanf+0x7327b
00000000`0110d7e0 000007fe`e2288a68 : 00000000`0d5b87b0 00000000`00000000 00000000`00000000 00000000`00000000 : mfc120u!CWnd::OnWndMsg+0x5dd
00000000`0110d960 000007fe`e2286422 : 00000000`00000000 00000000`01237a20 00000000`00000000 00000000`0d5b87b0 : mfc120u!CWnd::WindowProc+0x38
00000000`0110d9a0 000007fe`e2289c8a : 00000000`00000000 00000000`016d04d6 00000000`016d04d6 000007fe`e223763e : mfc120u!AfxCallWndProc+0x10e
00000000`0110da50 000007fe`e2298364 : 00000000`0d5b7ef0 00000000`00000364 00000000`00000000 000007fe`e2220107 : mfc120u!CWnd::SendMessageToDescendants+0x5e
00000000`0110daa0 000007fe`e2228d4e : 00000000`00000001 00000000`0110db70 00000000`04ce4d80 00000000`00000001 : mfc120u!CFrameWnd::InitialUpdateFrame+0x94
00000000`0110daf0 000007fe`e2228815 : 00000000`00000000 00000000`0110dc40 00000000`04ce4d80 00000000`04ce4d80 : mfc120u!CMultiDocTemplate::OpenDocumentFile+0x176
00000000`0110db40 00000001`3f49159f : 00000000`00000002 00000000`00000001 00000000`00000002 00000000`00000008 : mfc120u!CDocManager::OpenDocumentFile+0x249
00000000`0110e1f0 00000001`3f4ac227 : 00000000`00000002 00000000`00000000 00000000`00000000 00000000`00000002 : NitroPDF!CxMemFile::Scanf+0x9559f
00000000`0110e6e0 00000001`3f4a745f : 00000000`0d5a2860 00000000`04474740 00000001`3f7c7800 00000000`05981be0 : NitroPDF!CxMemFile::Scanf+0xb0227
00000000`0110ea20 000007fe`e22a00ae : 00000000`0000000a 00000000`0000000a 00000000`00000000 00000000`011e3cda : NitroPDF!CxMemFile::Scanf+0xab45f
00000000`0110f810 00000001`3f5e21a6 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`0000001f : mfc120u!AfxWinMain+0x76
00000000`0110f850 00000000`778e59cd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NitroPDF!CxImageJPG::CxExifInfo::process_SOFn+0x71d96
00000000`0110f890 00000000`77a1b891 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0110f8c0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d


STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  npdf!TerminateApp+54caf

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: npdf

IMAGE_NAME:  npdf.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5791f671

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_npdf.dll!TerminateApp

BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_WRITE_DETOURED_npdf!TerminateApp+54caf

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_npdf.dll!terminateapp

FAILURE_ID_HASH:  {e22288fd-1433-d655-c9af-fd0a8c2f56f0}

Followup: MachineOwner
---------

Timeline

2016-09-30 - Initial Discovery
2016-10-13 - Vendor Notification
2017-02-03 - Public Disclosure

Credit

Discovered by Piotr Bania of Cisco Talos.