CVE-2016-8711
A potential remote code execution vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can cause a vulnerability resulting in potential code execution. An attacker can send the victim a specific PDF file to trigger this vulnerability.
http://gonitro.com
9.3 - AV:N/AC:M/Au:N/C:C/I:C/A:C
A potential remote code execution vulnerability exists in the PDF parsing functionality of Nitro Pro. A specially crafted PDF file can cause a vulnerability resulting in potential code execution.
Vulnerable code is located in the npdf.dll library:
000007fe`d6f611b0 488b4318 mov rax,qword ptr [rbx+18h]
000007fe`d6f611b4 488b0cf8 mov rcx,qword ptr [rax+rdi*8]
000007fe`d6f611b8 4885c9 test rcx,rcx
000007fe`d6f611bb 740a je npdf!CxImagePNG::user_write_data+0x6f9f7 (000007fe`d6f611c7)
000007fe`d6f611bd 488b01 mov rax,qword ptr [rcx] ds:baadf00d`baadf00d=????????????????
000007fe`d6f611c0 ba01000000 mov edx,1
000007fe`d6f611c5 ff10 call qword ptr [rax]
The instruction at 7fe`d6f611bd references a malformed/uninitialized memory region (the object pointer loaded from the table is the debug-heap fill pattern baadf00d`baadf00d, which is non-null and so passes the preceding test/je check). The value read from that memory is then used by the call instruction, which calls the subroutine located at the pointer provided by the malformed memory.
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for J:\nitro\Nitro_KissMetrics.dll -
FAULTING_IP:
npdf!CxImagePNG::user_write_data+6f9ed
000007fe`d6f611bd 488b01 mov rax,qword ptr [rcx]
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fed6f611bd (npdf!CxImagePNG::user_write_data+0x000000000006f9ed)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
rax=000000000e120650 rbx=000000000de70df0 rcx=baadf00dbaadf00d
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000001
rip=000007fed6f611bd rsp=00000000010aae90 rbp=00000000010ab060
r8=0000000000000000 r9=00000000000000fe r10=0000000050000163
r11=00000000010aab78 r12=0000000000005000 r13=0000000000000000
r14=0000000000000000 r15=000000000de70df0
iopl=0 nv up ei ng nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010282
npdf!CxImagePNG::user_write_data+0x6f9ed:
000007fe`d6f611bd 488b01 mov rax,qword ptr [rcx] ds:baadf00d`baadf00d=????????????????
FAULTING_THREAD: 0000000000011cfc
PROCESS_NAME: NitroPDF.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: ffffffffffffffff
FOLLOWUP_IP:
npdf!CxImagePNG::user_write_data+6f9ed
000007fe`d6f611bd 488b01 mov rax,qword ptr [rcx]
DETOURED_IMAGE: 1
NTGLOBALFLAG: 470
APPLICATION_VERIFIER_FLAGS: 0
APP: nitropdf.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_CALL
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_BEFORE_CALL
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_BEFORE_CALL
LAST_CONTROL_TRANSFER: from 000007fed6f613d4 to 000007fed6f611bd
STACK_TEXT:
00000000`010aae90 000007fe`d6f613d4 : 00000000`0de70df0 00000000`00000001 ffffffff`fffffffe 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x6f9ed
00000000`010aaed0 000007fe`d6f69a3a : 00000000`010ab250 00000000`00000000 00000000`00000000 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x6fc04
00000000`010aaf00 000007fe`d6f685f3 : 00000000`010ab250 00000000`00000000 00000000`010ab250 00000000`05c947f0 : npdf!CxImagePNG::user_write_data+0x7826a
00000000`010ab100 000007fe`d6f61615 : 00000000`00000000 000007fe`00000c22 00000000`00000000 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x76e23
00000000`010ab180 000007fe`d6f60a25 : 00000000`0df0dde0 00000000`010ab250 00000000`010ab930 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x6fe45
00000000`010ab1c0 000007fe`d6f61686 : 00000000`0db90230 00000000`010ab980 00000000`00000000 00000000`010ab3d0 : npdf!CxImagePNG::user_write_data+0x6f255
00000000`010ab220 000007fe`d6d4bc7d : 00000000`00000000 00000000`045c8ff2 00000000`010ab400 000007fe`d7804018 : npdf!CxImagePNG::user_write_data+0x6feb6
00000000`010ab360 000007fe`d6d4b5f4 : 04040368`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : npdf!CxImage::~CxImage+0x8774d
00000000`010ab3f0 000007fe`d6c8630f : 00000000`010ab930 04080369`00000000 04060358`00000000 00000000`0f2a6d60 : npdf!CxImage::~CxImage+0x870c4
00000000`010ab8f0 000007fe`d6c8619a : 04080369`00000000 000007fe`d7804018 00000000`00000000 00000000`0f2a6d60 : npdf!TerminateApp+0xcfbaf
00000000`010aba10 000007fe`d6c85ef3 : 04090348`00000000 00000000`00000038 04080369`00000000 000007fe`d7804018 : npdf!TerminateApp+0xcfa3a
00000000`010abb30 000007fe`d6bdbc2b : 00000000`0ddb3040 04090348`00000000 00000000`00000002 000007fe`d7804018 : npdf!TerminateApp+0xcf793
00000000`010abb90 000007fe`d6bdb5fb : 04090348`00000000 04080369`00000000 00000000`0ddb3040 00000000`50000163 : npdf!TerminateApp+0x254cb
00000000`010abbf0 000007fe`d6c8f045 : 00000000`00000000 00000000`0dbe1d60 04090348`00000000 00000000`40000062 : npdf!TerminateApp+0x24e9b
00000000`010abc20 000007fe`d6c8cb6c : 00000000`011c0000 00000000`0de0fc50 00000000`00000000 00000000`00000030 : npdf!TerminateApp+0xd88e5
00000000`010ac0b0 000007fe`d6c8fcb4 : 00000000`0de0fc50 04090067`00000000 00000000`010ac5b0 00000000`00000000 : npdf!TerminateApp+0xd640c
00000000`010ac530 000007fe`d6cd64a1 : 00000000`0125f840 00000000`0de0fc50 00000000`00000000 00000000`77a5828f : npdf!TerminateApp+0xd9554
00000000`010ac570 000007fe`d6cf7a0e : 00000000`0ddac760 00000000`0f4b534e 00000000`00000000 000007fe`d6b00000 : npdf!CxImage::~CxImage+0x11f71
00000000`010aca00 000007fe`d6cdb70e : 00000000`0dd7d140 00000000`0dd7d140 00000000`0ddac760 00000000`0dbe7be0 : npdf!CxImage::~CxImage+0x334de
00000000`010acf10 000007fe`d6c23752 : 00000000`0ddac760 00000000`045c8040 0409004f`00000000 00000000`0db6f5a0 : npdf!CxImage::~CxImage+0x171de
00000000`010ad440 000007fe`d6c24d45 : 00000000`0db6f3b0 000007fe`fedf6a47 00000000`00000000 000007fe`fedf6941 : npdf!TerminateApp+0x6cff2
00000000`010ad9d0 00000001`3fcc9bbc : 00000000`00000000 00000000`0db6f3b0 00000000`010ae780 00000000`0db6f3b0 : npdf!TerminateApp+0x6e5e5
00000000`010ada20 00000001`3fccec72 : 00000000`0db69570 00000000`00000404 00000000`0db69ae8 00000000`010ae780 : NitroPDF!CxMemFile::Scanf+0x6dbbc
00000000`010ae110 000007fe`dffb4b26 : 00000000`010ae5f0 00000000`0e070009 00000000`0db69570 00000000`000000d0 : NitroPDF!CxMemFile::Scanf+0x72c72
00000000`010ae5c0 000007fe`dffc9079 : 00000000`0000020d 00000000`010ae780 00000000`00000000 00000000`00000001 : mfc120u!CView::OnPaint+0x5a
00000000`010ae680 000007fe`dffc8a68 : 00000000`0db69570 00000000`00000000 00000000`00000000 00000000`00000000 : mfc120u!CWnd::OnWndMsg+0x5dd
00000000`010ae800 000007fe`dffc6422 : 00000000`00000000 00000000`01217a20 00000000`00000000 00000000`0db69570 : mfc120u!CWnd::WindowProc+0x38
00000000`010ae840 000007fe`dffc67a4 : 00000000`0000000f 00000000`01d60ea6 00000000`010ae958 000007fe`dffe0538 : mfc120u!AfxCallWndProc+0x10e
00000000`010ae8f0 000007fe`dfe80a75 : 00000000`00000000 00000000`01d60ea6 00000000`0000000f 000007fe`dffc8a68 : mfc120u!AfxWndProc+0x54
00000000`010ae930 00000000`777e9bd1 : 00000000`00000000 00000001`3fbb0000 00000000`00000000 00000000`01217a20 : mfc120u!AfxWndProcBase+0x51
00000000`010ae980 00000000`777e72cb : 00000000`00000000 000007fe`dfe80a24 00000000`00000000 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x1ad
00000000`010aea40 00000000`777e6829 : 000007fe`e012c2f8 000007fe`dfe99662 00000000`01220760 00000000`01217a78 : USER32!DispatchClientMessage+0xc3
00000000`010aeaa0 00000000`77a3dae5 : 00000000`00242288 00000000`777e89fc 00010a7e`00000012 000007fe`dff75731 : USER32!_fnDWORD+0x2d
00000000`010aeb00 00000000`777e6e5a : 00000000`777e6e6c 00000000`00000000 00000000`01217a20 00000000`01217a78 : ntdll!KiUserCallbackDispatcherContinue
00000000`010aeb88 00000000`777e6e6c : 00000000`00000000 00000000`01217a20 00000000`01217a78 000007fe`dffb10e8 : USER32!NtUserDispatchMessage+0xa
00000000`010aeb90 000007fe`dffb0fb6 : 00000000`01217a78 00000000`01217a78 000007fe`dfe80a24 00000000`00000000 : USER32!DispatchMessageWorker+0x55b
00000000`010aec10 000007fe`dffb180e : 00000001`40027800 00000001`3fbb0000 00000000`00000000 00000000`00000000 : mfc120u!AfxInternalPumpMessage+0x52
00000000`010aec40 00000001`3fd0d1b1 : 00000001`40027800 00000001`3fbb0000 00000000`00000000 00000000`0327cfd0 : mfc120u!CWinThread::Run+0x6e
00000000`010aec80 000007fe`dffe00de : 00000000`0000000a 00000000`0000000a 00000000`00000000 00000000`011c3cda : NitroPDF!CxMemFile::Scanf+0xb11b1
00000000`010af780 00000001`3fe421a6 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`0000001f : mfc120u!AfxWinMain+0xa6
00000000`010af7c0 00000000`778e59cd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NitroPDF!CxImageJPG::CxExifInfo::process_SOFn+0x71d96
00000000`010af800 00000000`77a1b891 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`010af830 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
STACK_COMMAND: .cxr 0x0 ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: npdf!CxImagePNG::user_write_data+6f9ed
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: npdf
IMAGE_NAME: npdf.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5791f671
FAILURE_BUCKET_ID: INVALID_POINTER_READ_BEFORE_CALL_c0000005_npdf.dll!CxImagePNG::user_write_data
BUCKET_ID: X64_APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_CALL_DETOURED_npdf!CxImagePNG::user_write_data+6f9ed
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_before_call_c0000005_npdf.dll!cximagepng::user_write_data
FAILURE_ID_HASH: {9259797b-1f8a-810e-e51b-4b58c1281c24}
Followup: MachineOwner
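The pattern behind the crash above, as an added C illustration (not Nitro's code; the Obj/Table shapes, the echo object and the memset fill are constructed assumptions): a pointer table whose unwritten slots keep allocator leftovers gets past the existing null check, beside a hardened form that zeroes the table and bounds the index by the number of populated entries.

```c
#include <stdlib.h>
#include <string.h>

/* One-slot "vtable": models the crash's 'mov rax,[rcx] ; call [rax]'. */
typedef struct Obj Obj;
struct Obj { int (*write)(Obj *self, int arg); };
/* Pointer table as in the disassembly: items is [rbx+18h], idx is rdi. */
typedef struct { Obj **items; size_t populated; } Table;
static int echo_write(Obj *self, int arg) { (void)self; return arg; }
static Obj echo_obj = { echo_write };
/* Vulnerable construction: storage is not zeroed and only the first 'fill'
 * slots are written. memset(0xAD) is a constructed stand-in for the Windows
 * debug-heap fill pattern (baadf00d) that rcx held in the crash above. */
static Table make_table_uninit(size_t cap, size_t fill) {
    Table t = { malloc(cap * sizeof(Obj *)), fill };
    memset(t.items, 0xAD, cap * sizeof(Obj *));
    for (size_t i = 0; i < fill; i++) t.items[i] = &echo_obj;
    return t;
}
/* The only guard on the original path: 'test rcx,rcx / je'. Returns 1 if that
 * check would skip the slot, 0 if dispatch would go ahead through it. */
static int null_check_skips(const Table *t, size_t idx) {
    return t->items[idx] == NULL;
}
/* Hardened construction: zeroed storage plus an explicit populated count. */
static Table make_table_safe(size_t cap, size_t fill) {
    Table t = { calloc(cap, sizeof(Obj *)), fill };
    for (size_t i = 0; i < fill; i++) t.items[i] = &echo_obj;
    return t;
}
/* Hardened dispatch: bound idx by what was populated, keep the null check,
 * and only then follow the pointer. Returns -1 when it refuses. */
static int dispatch_safe(const Table *t, size_t idx) {
    if (idx >= t->populated || t->items[idx] == NULL) return -1;
    return t->items[idx]->write(t->items[idx], 1);
}
/* Checkable outcomes: 1 if an unpopulated slot gets past the null check. */
static int uninit_slot_passes_null_check(void) {
    Table t = make_table_uninit(4, 1);
    int r = !null_check_skips(&t, 1);
    free(t.items);
    return r;
}
static int safe_dispatch_result(size_t idx) {
    Table t = make_table_safe(4, 1);
    int r = dispatch_safe(&t, idx);
    free(t.items);
    return r;
}
```

The unpopulated slot in the vulnerable table is never dereferenced here, since following it is exactly the access violation shown in the dump; the hardened dispatch refuses that slot and any index beyond the populated count.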
---------
2016-10-13 - Initial Discovery
2016-10-24 - Vendor Notification
2017-02-03 - Public Disclosure
Discovered by Piotr Bania of Cisco Talos.