Talos Vulnerability Report

TALOS-2019-0816

NitroPDF CharProcs Remote Code Execution Vulnerability

October 9, 2019
CVE Number

CVE-2019-5047

Summary

An exploitable Use After Free vulnerability exists in the CharProcs parsing functionality of NitroPDF. A specially crafted PDF can cause a type confusion, resulting in a Use After Free. An attacker can craft a malicious PDF to trigger this vulnerability.

Tested Versions

NitroPDF 12.2.1.522

Product URLs

https://www.gonitro.com/

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416: Use After Free

Details

NitroPDF is a popular PDF tool used to create and edit PDF files. NitroPDF has a wide array of features for automated PDF creation as well as reviewing differences between various PDFs.

The module tested for this advisory is below:

00007ffb`eb750000 00007ffb`ec559000   npdf       (export symbols)       npdf.dll
    Loaded symbol image file: npdf.dll
    Image path: C:\Program Files\Nitro\Pro\12\npdf.dll
    Image name: npdf.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Mar 26 15:48:15 2019 (5C9A900F)
    CheckSum:         00D05033
    ImageSize:        00E09000
    File version:     12.12.1.522
    Product version:  12.12.1.522

PDF Font Objects have a variety of attributes. One of which is the CharProcs. This attribute points to a dictionary of content streams that tells the renderer how to render the glyph for the given character. In particular, the content stream must have a d0 or d1 operator as it's first operator, followed by a series of other graphics objects. An example of how these CharProcs are used is below:

11 0 obj
<< /Length 39 >>
stream
1000 0 0 0 750 750 d1
0 0 750 750 re
f
endstream
endobj

12 0 obj
<<
/Type /Font
/Subtype /Type3
/FontBBox [0 0 750 750]
/FontMatrix [0.001 0 0 0.061 0 0]
/CharProcs 16 0 R
/Encoding 17 0 R
/FirstChar 97
/LastChar 98
/Widths [0 0]
>>
endobj


16 0 obj
<<
    /square 11 0 R
>>
endobj

Above we see a CharProcs object point to the object referenced at 16 0. This object contains a square pointing to the object referenced at 11 0. This object contains the content stream for the square glyph.

There are a variety of other objects valid for a PDF with their own set of valid content streams. One example is the Text object. The Text object can contain a content stream with information on how to position text in the document. An example of a Text object is shown below:

22 0 obj
<<
/Length 39>>
stream
BT
/F1 12 Tf
50 685 Tr
(a) Tj
ET
endstream
endobj

The parser is expecting the CharProcs content stream to contain valid instructions on how to paint the glyph. If an attacker replaces the CharProcs content stream for a particular Text object content stream, a buffer is allocated for a TypeFont.

npdf+0x19bb26
local_RAX_38 = operator_new(0x2e0);
if (local_RAX_38 == 0x0) {
    type_font = 0x0;
}
else {
    type_font = zero_obj(local_RAX_38);
}
local_18 = type_font;
init_obj(type_font, &pdf_page_viewer->field_0xc0);

When creating another TypeFont for the larger PageViewer object, this buffer is freed.

npdf+0x19c272
frees_buffer(page_viewer);
pTVar4 = operator_new(0x2e0);
if (pTVar4 == 0x0) {
    pTVar4 = 0x0;
}
else {
    pTVar4 = zero_obj(pTVar4);
}
local_40 = pTVar4;
init_obj(pTVar4, page_viewer->field_0xc0);

A handle to the original freed buffer still exists in the overarching PageViewer object. This original buffer is later passed as a parameter in a functioned called by the parent function. This buffer being reused to read data that should be from the original TypeFont causes a use after free, potentially resulting in code execution.

Crash Information

(455c.aa8): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
npdf!PDTextIsSpaceBetween+0x26a8f:
00007ffb`eb934f2f 0f104208        movups  xmm0,xmmword ptr [rdx+8] ds:000001a5`748c0d28=????????????????

!analyze -v
BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_AVRF_

Timeline

2019-05-07 - Vendor disclosure
2019-07-02 - 60 day follow up
2019-07-29 - 2nd follow up (90 days approaching notice)
2019-08-06 - 3rd follow up
2019-08-07 - Vendor acknowledged & advised prior emails went to spam folder; Talos issued copy of report
2019-09-03 - Talos granted disclosure extension to 2019-09-10
2019-09-05 - Vendor advised issues will be addressed in a future release (timeline unknown)
2019-10-09 - Public Disclosure

Credit

Discovered by Cory Duplantis and Aleksander Nikolic of Cisco Talos.