CVE-2019-5047
An exploitable Use After Free vulnerability exists in the CharProcs parsing functionality of NitroPDF. A specially crafted PDF can cause a type confusion, resulting in a Use After Free. An attacker can craft a malicious PDF to trigger this vulnerability.
NitroPDF 12.2.1.522
7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
NitroPDF is a popular PDF tool used to create and edit PDF files. NitroPDF has a wide array of features for automated PDF creation as well as reviewing differences between various PDFs.
The module tested for this advisory is below:
00007ffb`eb750000 00007ffb`ec559000 npdf (export symbols) npdf.dll
Loaded symbol image file: npdf.dll
Image path: C:\Program Files\Nitro\Pro\12\npdf.dll
Image name: npdf.dll
Timestamp: Tue Mar 26 15:48:15 2019 (5C9A900F)
CheckSum: 00D05033
ImageSize: 00E09000
File version: 12.12.1.522
Product version: 12.12.1.522
PDF Font Objects have a variety of attributes, one of which is CharProcs. This attribute points to a dictionary of content streams that tells the renderer how to draw the glyph for a given character. In particular, each content stream must have a d0 or d1 operator as its first operator, followed by a series of other graphics objects. An example of how these CharProcs are used is below:
11 0 obj
<< /Length 39 >>
stream
1000 0 0 0 750 750 d1
0 0 750 750 re
f
endstream
endobj
12 0 obj
<<
/Type /Font
/Subtype /Type3
/FontBBox [0 0 750 750]
/FontMatrix [0.001 0 0 0.061 0 0]
/CharProcs 16 0 R
/Encoding 17 0 R
/FirstChar 97
/LastChar 98
/Widths [0 0]
>>
endobj
16 0 obj
<<
/square 11 0 R
>>
endobj
Above, the CharProcs entry points to object 16 0. That object contains a /square entry pointing to object 11 0, which holds the content stream for the square glyph.
There are a variety of other object types valid in a PDF, each with its own set of valid content streams. One example is the Text object, whose content stream contains instructions on how to position and show text in the document. An example of a Text object is shown below:
22 0 obj
<<
/Length 39 >>
stream
BT
/F1 12 Tf
50 685 Td
(a) Tj
ET
endstream
endobj
The parser expects the CharProcs content stream to contain valid instructions on how to paint the glyph. If an attacker replaces the CharProcs content stream with the content stream of a Text object, a buffer is allocated for a TypeFont:
npdf+0x19bb26
local_RAX_38 = operator_new(0x2e0);
if (local_RAX_38 == 0x0) {
    type_font = 0x0;
}
else {
    type_font = zero_obj(local_RAX_38);
}
local_18 = type_font;
init_obj(type_font, &pdf_page_viewer->field_0xc0);
When creating another TypeFont for the larger PageViewer object, this buffer is freed.
npdf+0x19c272
frees_buffer(page_viewer);
pTVar4 = operator_new(0x2e0);
if (pTVar4 == 0x0) {
    pTVar4 = 0x0;
}
else {
    pTVar4 = zero_obj(pTVar4);
}
local_40 = pTVar4;
init_obj(pTVar4, page_viewer->field_0xc0);
A handle to the original, now freed buffer still exists in the overarching PageViewer object. This original buffer is later passed as a parameter to a function called by the parent function. Reading data through this buffer, which should have come from the original TypeFont, is a use after free and could potentially result in code execution.
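A defensive check for the substitution described above, added here as an example that is not part of the Talos advisory or NitroPDF's code: it walks every Type3 font's /CharProcs dictionary in an uncompressed PDF and flags any glyph stream whose first operator is not d0 or d1 (a Text-object stream starts with BT instead). The sample PDF bytes are constructed for the example; the parsing is a minimal regular-expression walk that assumes plain-text objects, not object streams or filtered streams.

```python
import re

# Constructed sample (not from the advisory): /square -> valid d1 glyph stream,
# /a -> a Text-object content stream (the substitution the advisory describes).
SAMPLE_PDF = b"""11 0 obj
<< /Length 39 >>
stream
1000 0 0 0 750 750 d1
endstream
endobj
22 0 obj
<< /Length 39 >>
stream
BT
50 685 Td
(a) Tj
ET
endstream
endobj
12 0 obj
<< /Type /Font /Subtype /Type3 /CharProcs 16 0 R /FirstChar 97 /LastChar 98 >>
endobj
16 0 obj
<< /square 11 0 R /a 22 0 R >>
endobj
"""
OBJ_RE = re.compile(rb"(\d+) \d+ obj\s*(.*?)\s*endobj", re.S)

def objects(pdf):
    """Map object number -> body for every uncompressed 'N G obj ... endobj'."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}

def first_operator(body):
    """First operator token of an object's content stream, or None if it has none."""
    m = re.search(rb"stream\r?\n(.*?)\r?\nendstream", body, re.S)
    operand = re.compile(rb"^[-+.\d(/\[<]")  # numbers, strings, names, arrays
    ops = [t for t in (m.group(1).split() if m else []) if not operand.match(t)]
    return ops[0].decode() if ops else None

def bad_charprocs(pdf):
    """(glyph, object number, first operator) for each Type3 CharProcs stream not starting with d0/d1."""
    objs, findings = objects(pdf), []
    for font in objs.values():
        ref = re.search(rb"/CharProcs (\d+) \d+ R", font) if b"/Type3" in font else None
        if ref is None:
            continue
        for glyph, num in re.findall(rb"/(\w+) (\d+) \d+ R", objs[int(ref.group(1))]):
            op = first_operator(objs.get(int(num), b""))
            if op not in ("d0", "d1"):
                findings.append((glyph.decode(), int(num), op))
    return findings
```

Running `bad_charprocs(SAMPLE_PDF)` reports the /a glyph (object 22) whose stream opens with BT; a glyph stream that resolves to a missing object is reported with operator None.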
(455c.aa8): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
npdf!PDTextIsSpaceBetween+0x26a8f:
00007ffb`eb934f2f 0f104208 movups xmm0,xmmword ptr [rdx+8] ds:000001a5`748c0d28=????????????????
!analyze -v
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_READ_AVRF_
2019-05-07 - Vendor disclosure
2019-07-02 - 60 day follow up
2019-07-29 - 2nd follow up (90 days approaching notice)
2019-08-06 - 3rd follow up
2019-08-07 - Vendor acknowledged & advised prior emails went to spam folder; Talos issued copy of report
2019-09-03 - Talos granted disclosure extension to 2019-09-10
2019-09-05 - Vendor advised issues will be addressed in a future release (timeline unknown)
2019-10-09 - Public Disclosure
Discovered by Cory Duplantis and Aleksander Nikolic of Cisco Talos.