Nitro Pro 10 PDF Handling Code Execution Vulnerability (CVE-2016-8711)

2017-09-26T00:00:00
ID SSV:96579
Type seebug
Reporter Root
Modified 2017-09-26T00:00:00

Description

Summary

A potential remote code execution vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can trigger this vulnerability, potentially resulting in code execution. An attacker can send the victim a specific PDF file to trigger this vulnerability.

Tested Versions

Nitro Pro 10.5.9.9 (Nitro PDF Library - 10, 5, 9, 9) - x64 version

Product URLs

http://gonitro.com

CVSSv3 Score

9.3 - AV:N/AC:M/Au:N/C:C/I:C/A:C

Details

A potential remote code execution vulnerability exists in the PDF parsing functionality of Nitro Pro. A specially crafted PDF file can trigger this vulnerability, potentially resulting in code execution. The vulnerable code is located in the npdf.dll library:

```
000007fe`d6f611b0 488b4318        mov     rax,qword ptr [rbx+18h]
000007fe`d6f611b4 488b0cf8        mov     rcx,qword ptr [rax+rdi*8]
000007fe`d6f611b8 4885c9          test    rcx,rcx
000007fe`d6f611bb 740a            je      npdf!CxImagePNG::user_write_data+0x6f9f7 (000007fe`d6f611c7)
000007fe`d6f611bd 488b01          mov     rax,qword ptr [rcx] ds:baadf00d`baadf00d=????????????????
000007fe`d6f611c0 ba01000000      mov     edx,1
000007fe`d6f611c5 ff10            call    qword ptr [rax]
```

The instruction at 7fed6f611bd reads from a malformed/uninitialized memory region: rcx holds 0xbaadf00dbaadf00d, the pattern the Windows debug heap fills into newly allocated, not yet initialized memory, and the only guard before the read is the test for a NULL pointer. The value read from that memory is then used by the call instruction, which transfers control to the subroutine address stored at the pointer taken from the malformed memory.
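The dispatch sequence above, modelled in C as an added illustration that is not Nitro's code (the struct layout, the handler vtable, the `notify` callback and the `0xbaadf00d` stand-in for the debug-heap fill are assumptions): the vulnerable shape keeps only the NULL test the disassembly shows, so an unwritten slot in the table is dereferenced as a live object, while the hardened shape bounds-checks the index against the table size and relies on a zero-initialised table so that unused slots really are NULL. Memory that was allocated but never written is stamped with the fill pattern and only inspected, never dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the dispatch seen in the disassembly (not Nitro's
 * source): an object keeps a table of handler pointers at offset 0x18, picks
 * one by index and calls the first vtable entry of that handler with 1. */
struct handler;
struct handler_vtbl {
    int (*notify)(struct handler *self, int arg);   /* the [rax] slot */
};
struct handler {
    const struct handler_vtbl *vt;                  /* first field, as [rcx] */
    int id;
};
struct container {
    uint64_t reserved[3];        /* so that slots sits at +0x18, like [rbx+18h] */
    struct handler **slots;      /* rax = [rbx+18h]; rcx = rax[rdi] */
    size_t nslots;               /* count the hardened version checks against */
};

/* Constructed stand-in for the debug-heap fill pattern in the crash context. */
#define FILL_PATTERN ((uintptr_t)0xbaadf00dbaadf00dULL)

static int notify_impl(struct handler *self, int arg) { return self->id * 100 + arg; }
static const struct handler_vtbl handler_vt = { notify_impl };

/* Vulnerable shape, mirroring the assembly: the index is trusted and the only
 * guard is a NULL test, so a slot that was never written passes the test and
 * its contents are used as an object pointer (mov rax,[rcx]; call [rax]). */
int dispatch_unchecked(struct container *c, size_t idx)
{
    struct handler *h = c->slots[idx];       /* no bounds check on idx */
    if (h == NULL)                           /* test rcx,rcx / je */
        return -1;
    return h->vt->notify(h, 1);              /* mov edx,1 ; call [rax] */
}

/* Hardened shape: refuse indexes outside the table, and require a
 * zero-initialised table so that every unused slot really is NULL. */
int dispatch_checked(const struct container *c, size_t idx)
{
    if (c->slots == NULL || idx >= c->nslots)
        return -2;                           /* out of range: do not dispatch */
    struct handler *h = c->slots[idx];
    if (h == NULL)
        return -1;                           /* empty slot: nothing to call */
    return h->vt->notify(h, 1);
}

/* zero_init != 0: table from calloc (all slots NULL). Otherwise the table is
 * malloc'ed and every slot is stamped with FILL_PATTERN to model memory that
 * was allocated but never written. */
struct container *container_new(size_t n, int zero_init)
{
    struct container *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->nslots = n;
    c->slots = zero_init ? calloc(n, sizeof *c->slots) : malloc(n * sizeof *c->slots);
    if (c->slots == NULL) { free(c); return NULL; }
    if (!zero_init)
        for (size_t i = 0; i < n; i++)
            c->slots[i] = (struct handler *)FILL_PATTERN;
    return c;
}

void container_free(struct container *c) { if (c) { free(c->slots); free(c); } }

static struct handler demo_handler = { &handler_vt, 7 };

/* Four-slot zero-initialised table with slot 0 populated; result of the
 * hardened dispatch for idx. */
int scenario_checked(size_t idx)
{
    struct container *c = container_new(4, 1);
    if (c == NULL) return -3;
    c->slots[0] = &demo_handler;
    int r = dispatch_checked(c, idx);
    container_free(c);
    return r;
}

/* Same table, vulnerable dispatch. Only safe for idx < 4 (no bounds check). */
int scenario_unchecked(size_t idx)
{
    struct container *c = container_new(4, 1);
    if (c == NULL) return -3;
    c->slots[0] = &demo_handler;
    int r = dispatch_unchecked(c, idx);
    container_free(c);
    return r;
}

/* Malloc'ed table with only slot 0 written: returns 1 if slot idx is non-NULL
 * and still holds the fill pattern, i.e. dispatch_unchecked's NULL test would
 * pass and the call would go through uninitialised memory. */
int slot_would_pass_null_check_uninitialised(size_t idx)
{
    struct container *c = container_new(4, 0);
    if (c == NULL) return -3;
    c->slots[0] = &demo_handler;
    int bad = idx < c->nslots && c->slots[idx] != NULL &&
              (uintptr_t)c->slots[idx] == FILL_PATTERN;
    container_free(c);
    return bad;
}

int main(void)
{
    printf("checked idx 0: %d, idx 1: %d, idx 9: %d\n",
           scenario_checked(0), scenario_checked(1), scenario_checked(9));
    printf("unwritten slot 3 passes NULL test: %d\n",
           slot_would_pass_null_check_uninitialised(3));
    return 0;
}
```

The point of the two dispatchers is that the NULL test in the original sequence only protects slots that were explicitly cleared; an index that reaches a slot the parser never wrote sees whatever the allocator left there, which is exactly what the `baadf00d` value in rcx shows. Validating the index against the table size and allocating the table zeroed closes both halves of the problem.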

Crash Information

```
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for J:\nitro\Nitro_KissMetrics.dll -

FAULTING_IP:
npdf!CxImagePNG::user_write_data+6f9ed
000007fe`d6f611bd 488b01          mov     rax,qword ptr [rcx]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fed6f611bd (npdf!CxImagePNG::user_write_data+0x000000000006f9ed)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=000000000e120650 rbx=000000000de70df0 rcx=baadf00dbaadf00d
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000001
rip=000007fed6f611bd rsp=00000000010aae90 rbp=00000000010ab060
 r8=0000000000000000  r9=00000000000000fe r10=0000000050000163
r11=00000000010aab78 r12=0000000000005000 r13=0000000000000000
r14=0000000000000000 r15=000000000de70df0
iopl=0         nv up ei ng nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
npdf!CxImagePNG::user_write_data+0x6f9ed:
000007fe`d6f611bd 488b01          mov     rax,qword ptr [rcx] ds:baadf00d`baadf00d=????????????????

FAULTING_THREAD:  0000000000011cfc

PROCESS_NAME:  NitroPDF.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

READ_ADDRESS:  ffffffffffffffff

FOLLOWUP_IP:
npdf!CxImagePNG::user_write_data+6f9ed
000007fe`d6f611bd 488b01          mov     rax,qword ptr [rcx]

DETOURED_IMAGE: 1

NTGLOBALFLAG:  470

APPLICATION_VERIFIER_FLAGS:  0

APP:  nitropdf.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_CALL

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_BEFORE_CALL

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_BEFORE_CALL

LAST_CONTROL_TRANSFER:  from 000007fed6f613d4 to 000007fed6f611bd

STACK_TEXT:
00000000010aae90 000007fed6f613d4 : 000000000de70df0 0000000000000001 fffffffffffffffe 0000000000000000 : npdf!CxImagePNG::user_write_data+0x6f9ed
00000000010aaed0 000007fed6f69a3a : 00000000010ab250 0000000000000000 0000000000000000 0000000000000000 : npdf!CxImagePNG::user_write_data+0x6fc04
00000000010aaf00 000007fed6f685f3 : 00000000010ab250 0000000000000000 00000000010ab250 0000000005c947f0 : npdf!CxImagePNG::user_write_data+0x7826a
00000000010ab100 000007fed6f61615 : 0000000000000000 000007fe00000c22 0000000000000000 0000000000000000 : npdf!CxImagePNG::user_write_data+0x76e23
00000000010ab180 000007fed6f60a25 : 000000000df0dde0 00000000010ab250 00000000010ab930 0000000000000000 : npdf!CxImagePNG::user_write_data+0x6fe45
00000000010ab1c0 000007fed6f61686 : 000000000db90230 00000000010ab980 0000000000000000 00000000010ab3d0 : npdf!CxImagePNG::user_write_data+0x6f255
00000000010ab220 000007fed6d4bc7d : 0000000000000000 00000000045c8ff2 00000000010ab400 000007fed7804018 : npdf!CxImagePNG::user_write_data+0x6feb6
00000000010ab360 000007fed6d4b5f4 : 0404036800000000 0000000000000000 0000000000000000 0000000000000000 : npdf!CxImage::~CxImage+0x8774d
00000000010ab3f0 000007fed6c8630f : 00000000010ab930 0408036900000000 0406035800000000 000000000f2a6d60 : npdf!CxImage::~CxImage+0x870c4
00000000010ab8f0 000007fed6c8619a : 0408036900000000 000007fed7804018 0000000000000000 000000000f2a6d60 : npdf!TerminateApp+0xcfbaf
00000000010aba10 000007fed6c85ef3 : 0409034800000000 0000000000000038 0408036900000000 000007fed7804018 : npdf!TerminateApp+0xcfa3a
00000000010abb30 000007fed6bdbc2b : 000000000ddb3040 0409034800000000 0000000000000002 000007fed7804018 : npdf!TerminateApp+0xcf793
00000000010abb90 000007fed6bdb5fb : 0409034800000000 0408036900000000 000000000ddb3040 0000000050000163 : npdf!TerminateApp+0x254cb
00000000010abbf0 000007fed6c8f045 : 0000000000000000 000000000dbe1d60 0409034800000000 0000000040000062 : npdf!TerminateApp+0x24e9b
00000000010abc20 000007fed6c8cb6c : 00000000011c0000 000000000de0fc50 0000000000000000 0000000000000030 : npdf!TerminateApp+0xd88e5
00000000010ac0b0 000007fed6c8fcb4 : 000000000de0fc50 0409006700000000 00000000010ac5b0 0000000000000000 : npdf!TerminateApp+0xd640c
00000000010ac530 000007fed6cd64a1 : 000000000125f840 000000000de0fc50 0000000000000000 0000000077a5828f : npdf!TerminateApp+0xd9554
00000000010ac570 000007fed6cf7a0e : 000000000ddac760 000000000f4b534e 0000000000000000 000007fed6b00000 : npdf!CxImage::~CxImage+0x11f71
00000000010aca00 000007fed6cdb70e : 000000000dd7d140 000000000dd7d140 000000000ddac760 000000000dbe7be0 : npdf!CxImage::~CxImage+0x334de
00000000010acf10 000007fed6c23752 : 000000000ddac760 00000000045c8040 0409004f00000000 000000000db6f5a0 : npdf!CxImage::~CxImage+0x171de
00000000010ad440 000007fed6c24d45 : 000000000db6f3b0 000007fefedf6a47 0000000000000000 000007fefedf6941 : npdf!TerminateApp+0x6cff2
00000000010ad9d0 000000013fcc9bbc : 0000000000000000 000000000db6f3b0 00000000010ae780 000000000db6f3b0 : npdf!TerminateApp+0x6e5e5
00000000010ada20 000000013fccec72 : 000000000db69570 0000000000000404 000000000db69ae8 00000000010ae780 : NitroPDF!CxMemFile::Scanf+0x6dbbc
00000000010ae110 000007fedffb4b26 : 00000000010ae5f0 000000000e070009 000000000db69570 00000000000000d0 : NitroPDF!CxMemFile::Scanf+0x72c72
00000000010ae5c0 000007fedffc9079 : 000000000000020d 00000000010ae780 0000000000000000 0000000000000001 : mfc120u!CView::OnPaint+0x5a
00000000010ae680 000007fedffc8a68 : 000000000db69570 0000000000000000 0000000000000000 0000000000000000 : mfc120u!CWnd::OnWndMsg+0x5dd
00000000010ae800 000007fedffc6422 : 0000000000000000 0000000001217a20 0000000000000000 000000000db69570 : mfc120u!CWnd::WindowProc+0x38
00000000010ae840 000007fedffc67a4 : 000000000000000f 0000000001d60ea6 00000000010ae958 000007fedffe0538 : mfc120u!AfxCallWndProc+0x10e
00000000010ae8f0 000007fedfe80a75 : 0000000000000000 0000000001d60ea6 000000000000000f 000007fedffc8a68 : mfc120u!AfxWndProc+0x54
00000000010ae930 00000000777e9bd1 : 0000000000000000 000000013fbb0000 0000000000000000 0000000001217a20 : mfc120u!AfxWndProcBase+0x51
00000000010ae980 00000000777e72cb : 0000000000000000 000007fedfe80a24 0000000000000000 0000000000000000 : USER32!UserCallWinProcCheckWow+0x1ad
00000000010aea40 00000000777e6829 : 000007fee012c2f8 000007fedfe99662 0000000001220760 0000000001217a78 : USER32!DispatchClientMessage+0xc3
00000000010aeaa0 0000000077a3dae5 : 0000000000242288 00000000777e89fc 00010a7e00000012 000007fedff75731 : USER32!_fnDWORD+0x2d
00000000010aeb00 00000000777e6e5a : 00000000777e6e6c 0000000000000000 0000000001217a20 0000000001217a78 : ntdll!KiUserCallbackDispatcherContinue
00000000010aeb88 00000000777e6e6c : 0000000000000000 0000000001217a20 0000000001217a78 000007fedffb10e8 : USER32!NtUserDispatchMessage+0xa
00000000010aeb90 000007fedffb0fb6 : 0000000001217a78 0000000001217a78 000007fedfe80a24 0000000000000000 : USER32!DispatchMessageWorker+0x55b
00000000010aec10 000007fedffb180e : 0000000140027800 000000013fbb0000 0000000000000000 0000000000000000 : mfc120u!AfxInternalPumpMessage+0x52
00000000010aec40 000000013fd0d1b1 : 0000000140027800 000000013fbb0000 0000000000000000 000000000327cfd0 : mfc120u!CWinThread::Run+0x6e
00000000010aec80 000007fedffe00de : 000000000000000a 000000000000000a 0000000000000000 00000000011c3cda : NitroPDF!CxMemFile::Scanf+0xb11b1
00000000010af780 000000013fe421a6 : 0000000000000001 0000000000000000 0000000000000000 000000000000001f : mfc120u!AfxWinMain+0xa6
00000000010af7c0 00000000778e59cd : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : NitroPDF!CxImageJPG::CxExifInfo::process_SOFn+0x71d96
00000000010af800 0000000077a1b891 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0xd
00000000010af830 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x1d

STACK_COMMAND: .cxr 0x0 ; kb

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: npdf!CxImagePNG::user_write_data+6f9ed

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: npdf

IMAGE_NAME: npdf.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 5791f671

FAILURE_BUCKET_ID: INVALID_POINTER_READ_BEFORE_CALL_c0000005_npdf.dll!CxImagePNG::user_write_data

BUCKET_ID: X64_APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_CALL_DETOURED_npdf!CxImagePNG::user_write_data+6f9ed

ANALYSIS_SOURCE: UM

FAILURE_ID_HASH_STRING: um:invalid_pointer_read_before_call_c0000005_npdf.dll!cximagepng::user_write_data

FAILURE_ID_HASH: {9259797b-1f8a-810e-e51b-4b58c1281c24}

Followup: MachineOwner

```

Timeline

  • 2016-10-13 - Initial Discovery
  • 2016-10-24 - Vendor Notification
  • 2017-02-03 - Public Disclosure

CREDIT

  • Discovered by Piotr Bania of Cisco Talos.