CVE-2016-8709 - Out-of-bounds Write vulnerability in Gonitro Nitro PDF PRO 10.5.5.9/10.5.9.9

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: local, low complexity, gonitro, CWE-787

Summary

A remote out-of-bounds write / memory corruption vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can trigger this vulnerability, resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.

Vulnerable Configurations

Part         Description   Count
Application  Gonitro       2

Common Weakness Enumeration (CWE)

Seebug

bulletinFamily: exploit
description:

### Summary

A remote out of bound write / memory corruption vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.

### Tested Versions

Nitro Pro 10.5.9.9 (Nitro PDF Library - 10, 5, 9, 9) - x64 version

### Product URLs

http://gonitro.com

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### Details

A remote memory corruption vulnerability exists in the PDF parsing functionality of Nitro Pro. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption. Vulnerable code is located in the npdf.dll library:

```
.text:000000000011B3F8 mov     eax, edx
.text:000000000011B3FA lea     rcx, [rax+rax*2]
.text:000000000011B3FE lea     r8, ds:0[rcx*8]
.text:000000000011B406 mov     r9, [rsp+5B8h+var_570]
.text:000000000011B40B mov     rax, [r9+60h]
.text:000000000011B40F mov     [r8+rax], rsi      ; memory corruption
.text:000000000011B413 mov     rax, [r9+60h]
.text:000000000011B417 mov     [r8+rax+8], edx
.text:000000000011B41C inc     edx
.text:000000000011B41E cmp     edx, ebx
.text:000000000011B420 jnb     short loc_11B453
.text:000000000011B422 lea     rcx, [rdx+rdx*2]
.text:000000000011B426 shl     rcx, 3
.text:000000000011B42A mov     eax, ebx
.text:000000000011B42C sub     eax, edx
.text:000000000011B42E mov     edx, eax
```

The r8 value at 0x000000000011B40F can be partially controlled by the data in the malformed PDF file.

### Crash Information

```
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for J:\nitro\plug_ins\NPRedaction.npp
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for J:\nitro\plug_ins\NPRedaction.npp -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for NitroPDF.exe -

FAULTING_IP:
npdf!TerminateApp+54caf
000007fe`d61fb40f 49893400        mov     qword ptr [r8+rax],rsi

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fed61fb40f (npdf!TerminateApp+0x0000000000054caf)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 000000180f1212a8
Attempt to write to address 000000180f1212a8

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=000000000f121320 rbx=0000000000000000 rcx=00000002fffffff1
rdx=00000000fffffffb rsi=0409002400000000 rdi=0407002300000000
rip=000007fed61fb40f rsp=000000000110bad0 rbp=000007fed6a19b28
 r8=00000017ffffff88  r9=000007fed6e179f0 r10=0000000000000005
r11=000000000110bbf0 r12=000000000000003b r13=000007fed6e179f0
r14=0000000000000005 r15=0000000005520b9a
iopl=0         nv up ei ng nz ac po cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
npdf!TerminateApp+0x54caf:
000007fe`d61fb40f 49893400        mov     qword ptr [r8+rax],rsi ds:00000018`0f1212a8=????????????????

FAULTING_THREAD:  000000000000e4d4

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  NitroPDF.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  000000180f1212a8

WRITE_ADDRESS:  000000180f1212a8

FOLLOWUP_IP:
npdf!TerminateApp+54caf
000007fe`d61fb40f 49893400        mov     qword ptr [r8+rax],rsi

DETOURED_IMAGE: 1

NTGLOBALFLAG:  470

APPLICATION_VERIFIER_FLAGS:  0

APP:  nitropdf.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 000007fed62026b7 to 000007fed61fb40f

STACK_TEXT:
00000000`0110bad0 000007fe`d62026b7 : 00000000`00000000 00000000`0d5c5d80 00000000`0d5c5d80 000007fe`d6215cca : npdf!TerminateApp+0x54caf
00000000`0110c090 000007fe`d3883f08 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : npdf!TerminateApp+0x5bf57
00000000`0110c0e0 000007fe`d3893454 : 04090004`00000000 00000000`0d5b79d0 00000001`3f350000 000007fe`d6e179f0 : NPRedaction+0x3f08
00000000`0110c580 00000001`3f48daf4 : 00000000`0110d780 00000000`0110d780 00000001`3f350000 00000000`00000000 : NPRedaction+0x13454
00000000`0110ca10 00000001`3f4a198a : 00000000`00000000 00000000`0110d3d0 00000000`016d04d6 00000000`0d5d2220 : NitroPDF!CxMemFile::Scanf+0x91af4
00000000`0110d2e0 00000001`3f46f27b : 00000000`00000000 000007fe`000003ed 00000000`0d5b79d0 00000000`0000001e : NitroPDF!CxMemFile::Scanf+0xa598a
00000000`0110d760 000007fe`e2289079 : 00000000`0000054c 000007fe`e2275140 00000000`0110d8e0 000007fe`e2020000 : NitroPDF!CxMemFile::Scanf+0x7327b
00000000`0110d7e0 000007fe`e2288a68 : 00000000`0d5b87b0 00000000`00000000 00000000`00000000 00000000`00000000 : mfc120u!CWnd::OnWndMsg+0x5dd
00000000`0110d960 000007fe`e2286422 : 00000000`00000000 00000000`01237a20 00000000`00000000 00000000`0d5b87b0 : mfc120u!CWnd::WindowProc+0x38
00000000`0110d9a0 000007fe`e2289c8a : 00000000`00000000 00000000`016d04d6 00000000`016d04d6 000007fe`e223763e : mfc120u!AfxCallWndProc+0x10e
00000000`0110da50 000007fe`e2298364 : 00000000`0d5b7ef0 00000000`00000364 00000000`00000000 000007fe`e2220107 : mfc120u!CWnd::SendMessageToDescendants+0x5e
00000000`0110daa0 000007fe`e2228d4e : 00000000`00000001 00000000`0110db70 00000000`04ce4d80 00000000`00000001 : mfc120u!CFrameWnd::InitialUpdateFrame+0x94
00000000`0110daf0 000007fe`e2228815 : 00000000`00000000 00000000`0110dc40 00000000`04ce4d80 00000000`04ce4d80 : mfc120u!CMultiDocTemplate::OpenDocumentFile+0x176
00000000`0110db40 00000001`3f49159f : 00000000`00000002 00000000`00000001 00000000`00000002 00000000`00000008 : mfc120u!CDocManager::OpenDocumentFile+0x249
00000000`0110e1f0 00000001`3f4ac227 : 00000000`00000002 00000000`00000000 00000000`00000000 00000000`00000002 : NitroPDF!CxMemFile::Scanf+0x9559f
00000000`0110e6e0 00000001`3f4a745f : 00000000`0d5a2860 00000000`04474740 00000001`3f7c7800 00000000`05981be0 : NitroPDF!CxMemFile::Scanf+0xb0227
00000000`0110ea20 000007fe`e22a00ae : 00000000`0000000a 00000000`0000000a 00000000`00000000 00000000`011e3cda : NitroPDF!CxMemFile::Scanf+0xab45f
00000000`0110f810 00000001`3f5e21a6 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`0000001f : mfc120u!AfxWinMain+0x76
00000000`0110f850 00000000`778e59cd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NitroPDF!CxImageJPG::CxExifInfo::process_SOFn+0x71d96
00000000`0110f890 00000000`77a1b891 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0110f8c0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  npdf!TerminateApp+54caf

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: npdf

IMAGE_NAME:  npdf.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5791f671

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_npdf.dll!TerminateApp

BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_WRITE_DETOURED_npdf!TerminateApp+54caf

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_npdf.dll!terminateapp

FAILURE_ID_HASH:  {e22288fd-1433-d655-c9af-fd0a8c2f56f0}

Followup: MachineOwner
---------
```

### Timeline

* 2016-09-30 - Initial Discovery
* 2016-10-13 - Vendor Notification
* 2017-02-03 - Public Disclosure

### CREDIT

* Discovered by Piotr Bania of Cisco Talos.

id: SSV:96580
last seen: 2017-11-19
modified: 2017-09-26
published: 2017-09-26
reporter: Root
title: Nitro Pro PDF Handling Code Execution Vulnerability (CVE-2016-8709)
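As an added illustration that is not part of the Talos advisory or of Nitro's code: a C model of the store pattern in the npdf.dll listing (24-byte stride, 8-byte field at +0, 4-byte field at +8, loop compared only against the end index) beside a bounds-checked form. The struct fields, table_t, the capacity field and the function names are assumptions; entry_offset reproduces the crash dump's r8 value from its rdx.

```c
#include <stdint.h>

/* Assumed record layout implied by the listing: a 24-byte stride
 * (lea rcx,[rax+rax*2]; lea r8,[rcx*8] => index*24), an 8-byte field
 * at +0 (stored from rsi) and a 4-byte field at +8 (stored from edx). */
typedef struct {
    uint64_t value;     /* mov [r8+rax], rsi   (the faulting store) */
    uint32_t index;     /* mov [r8+rax+8], edx */
    uint8_t  rest[12];  /* remainder of the 24-byte record, contents unknown */
} entry_t;
_Static_assert(sizeof(entry_t) == 24, "stride in the listing is 24 bytes");

typedef struct {
    entry_t *entries;   /* base pointer loaded from [r9+60h] */
    uint32_t capacity;  /* allocated entry count; never consulted by the bug */
} table_t;

/* Byte offset the faulting store adds to the base pointer: index * 24.
 * For the dump's rdx, 0xFFFFFFFB, this gives 0x17FFFFFF88, the r8 shown there. */
uint64_t entry_offset(uint32_t index)
{
    return (uint64_t)index * sizeof(entry_t);
}

/* Shape of the defective loop: the store precedes the compare, and the
 * compare is only against the end index (ebx), never against capacity.
 * Kept to document the defect; not meant to be called. */
void fill_unchecked(table_t *t, uint32_t start, uint32_t end, uint64_t v)
{
    uint32_t i = start;
    do {
        t->entries[i].value = v;
        t->entries[i].index = i;
        i++;
    } while (i < end);          /* inc edx; cmp edx, ebx; jnb */
}

/* Hardened form: a file-derived range must be well ordered and end inside
 * the allocation before any store happens. Returns 0 on success, -1 if rejected. */
int fill_checked(table_t *t, uint32_t start, uint32_t end, uint64_t v)
{
    if (start > end || end > t->capacity)
        return -1;
    for (uint32_t i = start; i < end; i++) {
        t->entries[i].value = v;
        t->entries[i].index = i;
    }
    return 0;
}
```

With the dump's register values (start 0xFFFFFFFB, end 0) the unchecked loop performs exactly one store 0x17FFFFFF88 bytes past the base before exiting, which is the access violation shown above; the checked form rejects that range before touching memory.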

Talos

id: TALOS-2016-0218
last seen: 2019-05-29
published: 2017-02-03
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0218
title: Nitro Pro PDF Handling Code Execution Vulnerability