Talos Vulnerability Report

TALOS-2016-0224

Nitro Pro 10 PDF Handling Code Execution Vulnerability

February 3, 2017
CVE Number

CVE-2016-8711

Summary

A potential remote code execution vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can cause a vulnerability resulting in potential code execution. An attacker can send the victim a specific PDF file to trigger this vulnerability.

Tested Versions

  • Nitro Pro 10.5.9.9 (Nitro PDF Library - 10, 5, 9, 9) - x64 version

Product URLs

http://gonitro.com

CVSSv3 Score

9.3 - AV:N/AC:M/Au:N/C:C/I:C/A:C

Details

An potential remote code execution vulnerability exists in the PDF parsing functionality of Nitro Pro. A specially crafted PDF file can cause a vulnerability resulting in potential code execution.

Vulnerable code is located in the npdf.dll library:

000007fe`d6f611b0 488b4318        mov     rax,qword ptr [rbx+18h]
000007fe`d6f611b4 488b0cf8        mov     rcx,qword ptr [rax+rdi*8]
000007fe`d6f611b8 4885c9          test    rcx,rcx
000007fe`d6f611bb 740a            je      npdf!CxImagePNG::user_write_data+0x6f9f7                000007fe`d6f611c7)
000007fe`d6f611bd 488b01          mov     rax,qword ptr [rcx] ds:baadf00d`baadf00d=????????????????
000007fe`d6f611c0 ba01000000      mov     edx,1
000007fe`d6f611c5 ff10            call    qword ptr [rax]

Instruction at 7fe`d6f611bd references malformed/unintialized memory region. This memory area can be later used by call instruction which calls subroutine located at the pointer provided by malformed memory.

Crash Information

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for J:\nitro\Nitro_KissMetrics.dll -

FAULTING_IP:
npdf!CxImagePNG::user_write_data+6f9ed
000007fe`d6f611bd 488b01          mov     rax,qword ptr [rcx]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fed6f611bd (npdf!CxImagePNG::user_write_data+0x000000000006f9ed)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=000000000e120650 rbx=000000000de70df0 rcx=baadf00dbaadf00d
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000001
rip=000007fed6f611bd rsp=00000000010aae90 rbp=00000000010ab060
 r8=0000000000000000  r9=00000000000000fe r10=0000000050000163
r11=00000000010aab78 r12=0000000000005000 r13=0000000000000000
r14=0000000000000000 r15=000000000de70df0
iopl=0         nv up ei ng nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
npdf!CxImagePNG::user_write_data+0x6f9ed:
000007fe`d6f611bd 488b01          mov     rax,qword ptr [rcx] ds:baadf00d`baadf00d=????????????????

FAULTING_THREAD:  0000000000011cfc

PROCESS_NAME:  NitroPDF.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

READ_ADDRESS:  ffffffffffffffff

FOLLOWUP_IP:
npdf!CxImagePNG::user_write_data+6f9ed
000007fe`d6f611bd 488b01          mov     rax,qword ptr [rcx]

DETOURED_IMAGE: 1

NTGLOBALFLAG:  470

APPLICATION_VERIFIER_FLAGS:  0

APP:  nitropdf.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_CALL

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_BEFORE_CALL

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_BEFORE_CALL

LAST_CONTROL_TRANSFER:  from 000007fed6f613d4 to 000007fed6f611bd

STACK_TEXT:
00000000`010aae90 000007fe`d6f613d4 : 00000000`0de70df0 00000000`00000001 ffffffff`fffffffe 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x6f9ed
00000000`010aaed0 000007fe`d6f69a3a : 00000000`010ab250 00000000`00000000 00000000`00000000 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x6fc04
00000000`010aaf00 000007fe`d6f685f3 : 00000000`010ab250 00000000`00000000 00000000`010ab250 00000000`05c947f0 : npdf!CxImagePNG::user_write_data+0x7826a
00000000`010ab100 000007fe`d6f61615 : 00000000`00000000 000007fe`00000c22 00000000`00000000 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x76e23
00000000`010ab180 000007fe`d6f60a25 : 00000000`0df0dde0 00000000`010ab250 00000000`010ab930 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x6fe45
00000000`010ab1c0 000007fe`d6f61686 : 00000000`0db90230 00000000`010ab980 00000000`00000000 00000000`010ab3d0 : npdf!CxImagePNG::user_write_data+0x6f255
00000000`010ab220 000007fe`d6d4bc7d : 00000000`00000000 00000000`045c8ff2 00000000`010ab400 000007fe`d7804018 : npdf!CxImagePNG::user_write_data+0x6feb6
00000000`010ab360 000007fe`d6d4b5f4 : 04040368`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : npdf!CxImage::~CxImage+0x8774d
00000000`010ab3f0 000007fe`d6c8630f : 00000000`010ab930 04080369`00000000 04060358`00000000 00000000`0f2a6d60 : npdf!CxImage::~CxImage+0x870c4
00000000`010ab8f0 000007fe`d6c8619a : 04080369`00000000 000007fe`d7804018 00000000`00000000 00000000`0f2a6d60 : npdf!TerminateApp+0xcfbaf
00000000`010aba10 000007fe`d6c85ef3 : 04090348`00000000 00000000`00000038 04080369`00000000 000007fe`d7804018 : npdf!TerminateApp+0xcfa3a
00000000`010abb30 000007fe`d6bdbc2b : 00000000`0ddb3040 04090348`00000000 00000000`00000002 000007fe`d7804018 : npdf!TerminateApp+0xcf793
00000000`010abb90 000007fe`d6bdb5fb : 04090348`00000000 04080369`00000000 00000000`0ddb3040 00000000`50000163 : npdf!TerminateApp+0x254cb
00000000`010abbf0 000007fe`d6c8f045 : 00000000`00000000 00000000`0dbe1d60 04090348`00000000 00000000`40000062 : npdf!TerminateApp+0x24e9b
00000000`010abc20 000007fe`d6c8cb6c : 00000000`011c0000 00000000`0de0fc50 00000000`00000000 00000000`00000030 : npdf!TerminateApp+0xd88e5
00000000`010ac0b0 000007fe`d6c8fcb4 : 00000000`0de0fc50 04090067`00000000 00000000`010ac5b0 00000000`00000000 : npdf!TerminateApp+0xd640c
00000000`010ac530 000007fe`d6cd64a1 : 00000000`0125f840 00000000`0de0fc50 00000000`00000000 00000000`77a5828f : npdf!TerminateApp+0xd9554
00000000`010ac570 000007fe`d6cf7a0e : 00000000`0ddac760 00000000`0f4b534e 00000000`00000000 000007fe`d6b00000 : npdf!CxImage::~CxImage+0x11f71
00000000`010aca00 000007fe`d6cdb70e : 00000000`0dd7d140 00000000`0dd7d140 00000000`0ddac760 00000000`0dbe7be0 : npdf!CxImage::~CxImage+0x334de
00000000`010acf10 000007fe`d6c23752 : 00000000`0ddac760 00000000`045c8040 0409004f`00000000 00000000`0db6f5a0 : npdf!CxImage::~CxImage+0x171de
00000000`010ad440 000007fe`d6c24d45 : 00000000`0db6f3b0 000007fe`fedf6a47 00000000`00000000 000007fe`fedf6941 : npdf!TerminateApp+0x6cff2
00000000`010ad9d0 00000001`3fcc9bbc : 00000000`00000000 00000000`0db6f3b0 00000000`010ae780 00000000`0db6f3b0 : npdf!TerminateApp+0x6e5e5
00000000`010ada20 00000001`3fccec72 : 00000000`0db69570 00000000`00000404 00000000`0db69ae8 00000000`010ae780 : NitroPDF!CxMemFile::Scanf+0x6dbbc
00000000`010ae110 000007fe`dffb4b26 : 00000000`010ae5f0 00000000`0e070009 00000000`0db69570 00000000`000000d0 : NitroPDF!CxMemFile::Scanf+0x72c72
00000000`010ae5c0 000007fe`dffc9079 : 00000000`0000020d 00000000`010ae780 00000000`00000000 00000000`00000001 : mfc120u!CView::OnPaint+0x5a
00000000`010ae680 000007fe`dffc8a68 : 00000000`0db69570 00000000`00000000 00000000`00000000 00000000`00000000 : mfc120u!CWnd::OnWndMsg+0x5dd
00000000`010ae800 000007fe`dffc6422 : 00000000`00000000 00000000`01217a20 00000000`00000000 00000000`0db69570 : mfc120u!CWnd::WindowProc+0x38
00000000`010ae840 000007fe`dffc67a4 : 00000000`0000000f 00000000`01d60ea6 00000000`010ae958 000007fe`dffe0538 : mfc120u!AfxCallWndProc+0x10e
00000000`010ae8f0 000007fe`dfe80a75 : 00000000`00000000 00000000`01d60ea6 00000000`0000000f 000007fe`dffc8a68 : mfc120u!AfxWndProc+0x54
00000000`010ae930 00000000`777e9bd1 : 00000000`00000000 00000001`3fbb0000 00000000`00000000 00000000`01217a20 : mfc120u!AfxWndProcBase+0x51
00000000`010ae980 00000000`777e72cb : 00000000`00000000 000007fe`dfe80a24 00000000`00000000 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x1ad
00000000`010aea40 00000000`777e6829 : 000007fe`e012c2f8 000007fe`dfe99662 00000000`01220760 00000000`01217a78 : USER32!DispatchClientMessage+0xc3
00000000`010aeaa0 00000000`77a3dae5 : 00000000`00242288 00000000`777e89fc 00010a7e`00000012 000007fe`dff75731 : USER32!_fnDWORD+0x2d
00000000`010aeb00 00000000`777e6e5a : 00000000`777e6e6c 00000000`00000000 00000000`01217a20 00000000`01217a78 : ntdll!KiUserCallbackDispatcherContinue
00000000`010aeb88 00000000`777e6e6c : 00000000`00000000 00000000`01217a20 00000000`01217a78 000007fe`dffb10e8 : USER32!NtUserDispatchMessage+0xa
00000000`010aeb90 000007fe`dffb0fb6 : 00000000`01217a78 00000000`01217a78 000007fe`dfe80a24 00000000`00000000 : USER32!DispatchMessageWorker+0x55b
00000000`010aec10 000007fe`dffb180e : 00000001`40027800 00000001`3fbb0000 00000000`00000000 00000000`00000000 : mfc120u!AfxInternalPumpMessage+0x52
00000000`010aec40 00000001`3fd0d1b1 : 00000001`40027800 00000001`3fbb0000 00000000`00000000 00000000`0327cfd0 : mfc120u!CWinThread::Run+0x6e
00000000`010aec80 000007fe`dffe00de : 00000000`0000000a 00000000`0000000a 00000000`00000000 00000000`011c3cda : NitroPDF!CxMemFile::Scanf+0xb11b1
00000000`010af780 00000001`3fe421a6 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`0000001f : mfc120u!AfxWinMain+0xa6
00000000`010af7c0 00000000`778e59cd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NitroPDF!CxImageJPG::CxExifInfo::process_SOFn+0x71d96
00000000`010af800 00000000`77a1b891 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`010af830 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d


STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  npdf!CxImagePNG::user_write_data+6f9ed

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: npdf

IMAGE_NAME:  npdf.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5791f671

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_BEFORE_CALL_c0000005_npdf.dll!CxImagePNG::user_write_data

BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_CALL_DETOURED_npdf!CxImagePNG::user_write_data+6f9ed

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_before_call_c0000005_npdf.dll!cximagepng::user_write_data

FAILURE_ID_HASH:  {9259797b-1f8a-810e-e51b-4b58c1281c24}

Followup: MachineOwner
---------

Timeline

2016-10-13 - Initial Discovery
2016-10-24 - Vendor Notification
2017-02-03 - Public Disclosure

Credit

Discovered by Piotr Bania of Cisco Talos.