CVE-2016-8709
A remote out-of-bounds write / memory corruption vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can trigger this vulnerability, resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.
http://gonitro.com
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
A remote memory corruption vulnerability exists in the PDF parsing functionality of Nitro Pro. A specially crafted PDF file can trigger this vulnerability, resulting in potential memory corruption.
Vulnerable code is located in the npdf.dll library:
.text:000000000011B3F8 mov eax, edx
.text:000000000011B3FA lea rcx, [rax+rax*2]
.text:000000000011B3FE lea r8, ds:0[rcx*8]
.text:000000000011B406 mov r9, [rsp+5B8h+var_570]
.text:000000000011B40B mov rax, [r9+60h]
.text:000000000011B40F mov [r8+rax], rsi ; memory corruption
.text:000000000011B413 mov rax, [r9+60h]
.text:000000000011B417 mov [r8+rax+8], edx
.text:000000000011B41C inc edx
.text:000000000011B41E cmp edx, ebx
.text:000000000011B420 jnb short loc_11B453
.text:000000000011B422 lea rcx, [rdx+rdx*2]
.text:000000000011B426 shl rcx, 3
.text:000000000011B42A mov eax, ebx
.text:000000000011B42C sub eax, edx
.text:000000000011B42E mov edx, eax
The r8 value at 0x000000000011B40F can be partially controlled by the data in the malformed PDF file.
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for J:\nitro\plug_ins\NPRedaction.npp
*** ERROR: Symbol file could not be found. Defaulted to export symbols for J:\nitro\plug_ins\NPRedaction.npp -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for NitroPDF.exe -
FAULTING_IP:
npdf!TerminateApp+54caf
000007fe`d61fb40f 49893400 mov qword ptr [r8+rax],rsi
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fed61fb40f (npdf!TerminateApp+0x0000000000054caf)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000000180f1212a8
Attempt to write to address 000000180f1212a8
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
rax=000000000f121320 rbx=0000000000000000 rcx=00000002fffffff1
rdx=00000000fffffffb rsi=0409002400000000 rdi=0407002300000000
rip=000007fed61fb40f rsp=000000000110bad0 rbp=000007fed6a19b28
r8=00000017ffffff88 r9=000007fed6e179f0 r10=0000000000000005
r11=000000000110bbf0 r12=000000000000003b r13=000007fed6e179f0
r14=0000000000000005 r15=0000000005520b9a
iopl=0 nv up ei ng nz ac po cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
npdf!TerminateApp+0x54caf:
000007fe`d61fb40f 49893400 mov qword ptr [r8+rax],rsi ds:00000018`0f1212a8=????????????????
FAULTING_THREAD: 000000000000e4d4
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
PROCESS_NAME: NitroPDF.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 000000180f1212a8
WRITE_ADDRESS: 000000180f1212a8
FOLLOWUP_IP:
npdf!TerminateApp+54caf
000007fe`d61fb40f 49893400 mov qword ptr [r8+rax],rsi
DETOURED_IMAGE: 1
NTGLOBALFLAG: 470
APPLICATION_VERIFIER_FLAGS: 0
APP: nitropdf.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE
LAST_CONTROL_TRANSFER: from 000007fed62026b7 to 000007fed61fb40f
STACK_TEXT:
00000000`0110bad0 000007fe`d62026b7 : 00000000`00000000 00000000`0d5c5d80 00000000`0d5c5d80 000007fe`d6215cca : npdf!TerminateApp+0x54caf
00000000`0110c090 000007fe`d3883f08 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : npdf!TerminateApp+0x5bf57
00000000`0110c0e0 000007fe`d3893454 : 04090004`00000000 00000000`0d5b79d0 00000001`3f350000 000007fe`d6e179f0 : NPRedaction+0x3f08
00000000`0110c580 00000001`3f48daf4 : 00000000`0110d780 00000000`0110d780 00000001`3f350000 00000000`00000000 : NPRedaction+0x13454
00000000`0110ca10 00000001`3f4a198a : 00000000`00000000 00000000`0110d3d0 00000000`016d04d6 00000000`0d5d2220 : NitroPDF!CxMemFile::Scanf+0x91af4
00000000`0110d2e0 00000001`3f46f27b : 00000000`00000000 000007fe`000003ed 00000000`0d5b79d0 00000000`0000001e : NitroPDF!CxMemFile::Scanf+0xa598a
00000000`0110d760 000007fe`e2289079 : 00000000`0000054c 000007fe`e2275140 00000000`0110d8e0 000007fe`e2020000 : NitroPDF!CxMemFile::Scanf+0x7327b
00000000`0110d7e0 000007fe`e2288a68 : 00000000`0d5b87b0 00000000`00000000 00000000`00000000 00000000`00000000 : mfc120u!CWnd::OnWndMsg+0x5dd
00000000`0110d960 000007fe`e2286422 : 00000000`00000000 00000000`01237a20 00000000`00000000 00000000`0d5b87b0 : mfc120u!CWnd::WindowProc+0x38
00000000`0110d9a0 000007fe`e2289c8a : 00000000`00000000 00000000`016d04d6 00000000`016d04d6 000007fe`e223763e : mfc120u!AfxCallWndProc+0x10e
00000000`0110da50 000007fe`e2298364 : 00000000`0d5b7ef0 00000000`00000364 00000000`00000000 000007fe`e2220107 : mfc120u!CWnd::SendMessageToDescendants+0x5e
00000000`0110daa0 000007fe`e2228d4e : 00000000`00000001 00000000`0110db70 00000000`04ce4d80 00000000`00000001 : mfc120u!CFrameWnd::InitialUpdateFrame+0x94
00000000`0110daf0 000007fe`e2228815 : 00000000`00000000 00000000`0110dc40 00000000`04ce4d80 00000000`04ce4d80 : mfc120u!CMultiDocTemplate::OpenDocumentFile+0x176
00000000`0110db40 00000001`3f49159f : 00000000`00000002 00000000`00000001 00000000`00000002 00000000`00000008 : mfc120u!CDocManager::OpenDocumentFile+0x249
00000000`0110e1f0 00000001`3f4ac227 : 00000000`00000002 00000000`00000000 00000000`00000000 00000000`00000002 : NitroPDF!CxMemFile::Scanf+0x9559f
00000000`0110e6e0 00000001`3f4a745f : 00000000`0d5a2860 00000000`04474740 00000001`3f7c7800 00000000`05981be0 : NitroPDF!CxMemFile::Scanf+0xb0227
00000000`0110ea20 000007fe`e22a00ae : 00000000`0000000a 00000000`0000000a 00000000`00000000 00000000`011e3cda : NitroPDF!CxMemFile::Scanf+0xab45f
00000000`0110f810 00000001`3f5e21a6 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`0000001f : mfc120u!AfxWinMain+0x76
00000000`0110f850 00000000`778e59cd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NitroPDF!CxImageJPG::CxExifInfo::process_SOFn+0x71d96
00000000`0110f890 00000000`77a1b891 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0110f8c0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
STACK_COMMAND: .cxr 0x0 ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: npdf!TerminateApp+54caf
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: npdf
IMAGE_NAME: npdf.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5791f671
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_npdf.dll!TerminateApp
BUCKET_ID: X64_APPLICATION_FAULT_INVALID_POINTER_WRITE_DETOURED_npdf!TerminateApp+54caf
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_npdf.dll!terminateapp
FAILURE_ID_HASH: {e22288fd-1433-d655-c9af-fd0a8c2f56f0}
Followup: MachineOwner
---------
2016-09-30 - Initial Discovery
2016-10-13 - Vendor Notification
2017-02-03 - Public Disclosure
Discovered by Piotr Bania of Cisco Talos.