CVE-2016-8711 - Unspecified vulnerability in Gonitro Nitro PDF PRO 10.5.5.9/10.5.9.9

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary

A potential remote code execution vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can cause a vulnerability resulting in potential code execution. An attacker can send the victim a specific PDF file to trigger this vulnerability.

Vulnerable Configurations

Part         Description  Count
Application  Gonitro      2

Seebug

bulletinFamily: exploit
description:

### Summary

A potential remote code execution vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can cause a vulnerability resulting in potential code execution. An attacker can send the victim a specific PDF file to trigger this vulnerability.

### Tested Versions

Nitro Pro 10.5.9.9 (Nitro PDF Library - 10, 5, 9, 9) - x64 version

### Product URLs

http://gonitro.com

### CVSSv3 Score

9.3 - AV:N/AC:M/Au:N/C:C/I:C/A:C

### Details

A potential remote code execution vulnerability exists in the PDF parsing functionality of Nitro Pro. A specially crafted PDF file can cause a vulnerability resulting in potential code execution. Vulnerable code is located in the npdf.dll library:

```
000007fe`d6f611b0 488b4318        mov     rax,qword ptr [rbx+18h]
000007fe`d6f611b4 488b0cf8        mov     rcx,qword ptr [rax+rdi*8]
000007fe`d6f611b8 4885c9          test    rcx,rcx
000007fe`d6f611bb 740a            je      npdf!CxImagePNG::user_write_data+0x6f9f7 (000007fe`d6f611c7)
000007fe`d6f611bd 488b01          mov     rax,qword ptr [rcx] ds:baadf00d`baadf00d=????????????????
000007fe`d6f611c0 ba01000000      mov     edx,1
000007fe`d6f611c5 ff10            call    qword ptr [rax]
```

The instruction at 7fed6f611bd references a malformed/uninitialized memory region. This memory area can later be used by the call instruction, which calls the subroutine located at the pointer provided by the malformed memory.

### Crash Information

```
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found. Defaulted to export symbols for J:\nitro\Nitro_KissMetrics.dll -

FAULTING_IP:
npdf!CxImagePNG::user_write_data+6f9ed
000007fe`d6f611bd 488b01 mov rax,qword ptr [rcx]

EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fed6f611bd (npdf!CxImagePNG::user_write_data+0x000000000006f9ed)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
rax=000000000e120650 rbx=000000000de70df0 rcx=baadf00dbaadf00d
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000001
rip=000007fed6f611bd rsp=00000000010aae90 rbp=00000000010ab060
r8=0000000000000000 r9=00000000000000fe r10=0000000050000163
r11=00000000010aab78 r12=0000000000005000 r13=0000000000000000
r14=0000000000000000 r15=000000000de70df0
iopl=0 nv up ei ng nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010282
npdf!CxImagePNG::user_write_data+0x6f9ed:
000007fe`d6f611bd 488b01 mov rax,qword ptr [rcx] ds:baadf00d`baadf00d=????????????????

FAULTING_THREAD: 0000000000011cfc
PROCESS_NAME: NitroPDF.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: ffffffffffffffff
FOLLOWUP_IP:
npdf!CxImagePNG::user_write_data+6f9ed
000007fe`d6f611bd 488b01 mov rax,qword ptr [rcx]

DETOURED_IMAGE: 1
NTGLOBALFLAG: 470
APPLICATION_VERIFIER_FLAGS: 0
APP: nitropdf.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_CALL
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_BEFORE_CALL
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_BEFORE_CALL
LAST_CONTROL_TRANSFER: from 000007fed6f613d4 to 000007fed6f611bd

STACK_TEXT:
00000000`010aae90 000007fe`d6f613d4 : 00000000`0de70df0 00000000`00000001 ffffffff`fffffffe 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x6f9ed
00000000`010aaed0 000007fe`d6f69a3a : 00000000`010ab250 00000000`00000000 00000000`00000000 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x6fc04
00000000`010aaf00 000007fe`d6f685f3 : 00000000`010ab250 00000000`00000000 00000000`010ab250 00000000`05c947f0 : npdf!CxImagePNG::user_write_data+0x7826a
00000000`010ab100 000007fe`d6f61615 : 00000000`00000000 000007fe`00000c22 00000000`00000000 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x76e23
00000000`010ab180 000007fe`d6f60a25 : 00000000`0df0dde0 00000000`010ab250 00000000`010ab930 00000000`00000000 : npdf!CxImagePNG::user_write_data+0x6fe45
00000000`010ab1c0 000007fe`d6f61686 : 00000000`0db90230 00000000`010ab980 00000000`00000000 00000000`010ab3d0 : npdf!CxImagePNG::user_write_data+0x6f255
00000000`010ab220 000007fe`d6d4bc7d : 00000000`00000000 00000000`045c8ff2 00000000`010ab400 000007fe`d7804018 : npdf!CxImagePNG::user_write_data+0x6feb6
00000000`010ab360 000007fe`d6d4b5f4 : 04040368`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : npdf!CxImage::~CxImage+0x8774d
00000000`010ab3f0 000007fe`d6c8630f : 00000000`010ab930 04080369`00000000 04060358`00000000 00000000`0f2a6d60 : npdf!CxImage::~CxImage+0x870c4
00000000`010ab8f0 000007fe`d6c8619a : 04080369`00000000 000007fe`d7804018 00000000`00000000 00000000`0f2a6d60 : npdf!TerminateApp+0xcfbaf
00000000`010aba10 000007fe`d6c85ef3 : 04090348`00000000 00000000`00000038 04080369`00000000 000007fe`d7804018 : npdf!TerminateApp+0xcfa3a
00000000`010abb30 000007fe`d6bdbc2b : 00000000`0ddb3040 04090348`00000000 00000000`00000002 000007fe`d7804018 : npdf!TerminateApp+0xcf793
00000000`010abb90 000007fe`d6bdb5fb : 04090348`00000000 04080369`00000000 00000000`0ddb3040 00000000`50000163 : npdf!TerminateApp+0x254cb
00000000`010abbf0 000007fe`d6c8f045 : 00000000`00000000 00000000`0dbe1d60 04090348`00000000 00000000`40000062 : npdf!TerminateApp+0x24e9b
00000000`010abc20 000007fe`d6c8cb6c : 00000000`011c0000 00000000`0de0fc50 00000000`00000000 00000000`00000030 : npdf!TerminateApp+0xd88e5
00000000`010ac0b0 000007fe`d6c8fcb4 : 00000000`0de0fc50 04090067`00000000 00000000`010ac5b0 00000000`00000000 : npdf!TerminateApp+0xd640c
00000000`010ac530 000007fe`d6cd64a1 : 00000000`0125f840 00000000`0de0fc50 00000000`00000000 00000000`77a5828f : npdf!TerminateApp+0xd9554
00000000`010ac570 000007fe`d6cf7a0e : 00000000`0ddac760 00000000`0f4b534e 00000000`00000000 000007fe`d6b00000 : npdf!CxImage::~CxImage+0x11f71
00000000`010aca00 000007fe`d6cdb70e : 00000000`0dd7d140 00000000`0dd7d140 00000000`0ddac760 00000000`0dbe7be0 : npdf!CxImage::~CxImage+0x334de
00000000`010acf10 000007fe`d6c23752 : 00000000`0ddac760 00000000`045c8040 0409004f`00000000 00000000`0db6f5a0 : npdf!CxImage::~CxImage+0x171de
00000000`010ad440 000007fe`d6c24d45 : 00000000`0db6f3b0 000007fe`fedf6a47 00000000`00000000 000007fe`fedf6941 : npdf!TerminateApp+0x6cff2
00000000`010ad9d0 00000001`3fcc9bbc : 00000000`00000000 00000000`0db6f3b0 00000000`010ae780 00000000`0db6f3b0 : npdf!TerminateApp+0x6e5e5
00000000`010ada20 00000001`3fccec72 : 00000000`0db69570 00000000`00000404 00000000`0db69ae8 00000000`010ae780 : NitroPDF!CxMemFile::Scanf+0x6dbbc
00000000`010ae110 000007fe`dffb4b26 : 00000000`010ae5f0 00000000`0e070009 00000000`0db69570 00000000`000000d0 : NitroPDF!CxMemFile::Scanf+0x72c72
00000000`010ae5c0 000007fe`dffc9079 : 00000000`0000020d 00000000`010ae780 00000000`00000000 00000000`00000001 : mfc120u!CView::OnPaint+0x5a
00000000`010ae680 000007fe`dffc8a68 : 00000000`0db69570 00000000`00000000 00000000`00000000 00000000`00000000 : mfc120u!CWnd::OnWndMsg+0x5dd
00000000`010ae800 000007fe`dffc6422 : 00000000`00000000 00000000`01217a20 00000000`00000000 00000000`0db69570 : mfc120u!CWnd::WindowProc+0x38
00000000`010ae840 000007fe`dffc67a4 : 00000000`0000000f 00000000`01d60ea6 00000000`010ae958 000007fe`dffe0538 : mfc120u!AfxCallWndProc+0x10e
00000000`010ae8f0 000007fe`dfe80a75 : 00000000`00000000 00000000`01d60ea6 00000000`0000000f 000007fe`dffc8a68 : mfc120u!AfxWndProc+0x54
00000000`010ae930 00000000`777e9bd1 : 00000000`00000000 00000001`3fbb0000 00000000`00000000 00000000`01217a20 : mfc120u!AfxWndProcBase+0x51
00000000`010ae980 00000000`777e72cb : 00000000`00000000 000007fe`dfe80a24 00000000`00000000 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x1ad
00000000`010aea40 00000000`777e6829 : 000007fe`e012c2f8 000007fe`dfe99662 00000000`01220760 00000000`01217a78 : USER32!DispatchClientMessage+0xc3
00000000`010aeaa0 00000000`77a3dae5 : 00000000`00242288 00000000`777e89fc 00010a7e`00000012 000007fe`dff75731 : USER32!_fnDWORD+0x2d
00000000`010aeb00 00000000`777e6e5a : 00000000`777e6e6c 00000000`00000000 00000000`01217a20 00000000`01217a78 : ntdll!KiUserCallbackDispatcherContinue
00000000`010aeb88 00000000`777e6e6c : 00000000`00000000 00000000`01217a20 00000000`01217a78 000007fe`dffb10e8 : USER32!NtUserDispatchMessage+0xa
00000000`010aeb90 000007fe`dffb0fb6 : 00000000`01217a78 00000000`01217a78 000007fe`dfe80a24 00000000`00000000 : USER32!DispatchMessageWorker+0x55b
00000000`010aec10 000007fe`dffb180e : 00000001`40027800 00000001`3fbb0000 00000000`00000000 00000000`00000000 : mfc120u!AfxInternalPumpMessage+0x52
00000000`010aec40 00000001`3fd0d1b1 : 00000001`40027800 00000001`3fbb0000 00000000`00000000 00000000`0327cfd0 : mfc120u!CWinThread::Run+0x6e
00000000`010aec80 000007fe`dffe00de : 00000000`0000000a 00000000`0000000a 00000000`00000000 00000000`011c3cda : NitroPDF!CxMemFile::Scanf+0xb11b1
00000000`010af780 00000001`3fe421a6 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`0000001f : mfc120u!AfxWinMain+0xa6
00000000`010af7c0 00000000`778e59cd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NitroPDF!CxImageJPG::CxExifInfo::process_SOFn+0x71d96
00000000`010af800 00000000`77a1b891 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`010af830 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

STACK_COMMAND: .cxr 0x0 ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: npdf!CxImagePNG::user_write_data+6f9ed
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: npdf
IMAGE_NAME: npdf.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5791f671
FAILURE_BUCKET_ID: INVALID_POINTER_READ_BEFORE_CALL_c0000005_npdf.dll!CxImagePNG::user_write_data
BUCKET_ID: X64_APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_CALL_DETOURED_npdf!CxImagePNG::user_write_data+6f9ed
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_before_call_c0000005_npdf.dll!cximagepng::user_write_data
FAILURE_ID_HASH: {9259797b-1f8a-810e-e51b-4b58c1281c24}
Followup: MachineOwner
---------
```

### Timeline

* 2016-10-13 - Initial Discovery
* 2016-10-24 - Vendor Notification
* 2017-02-03 - Public Disclosure

### CREDIT

* Discovered by Piotr Bania of Cisco Talos.
id: SSV:96579
last seen: 2017-11-19
modified: 2017-09-26
published: 2017-09-26
reporter: Root
title: Nitro Pro 10 PDF Handling Code Execution Vulnerability (CVE-2016-8711)
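
The pattern in the Details listing above (a NULL test on a pointer-table slot, then an indirect call through it), modelled as an added C example that is not Nitro's code or part of the advisory. The types, the `table_*` helpers and the zero-and-count fix are assumptions for illustration; the fill value and the `1` argument are taken from the crash output.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Constructed model (not Nitro code) of the table the listing walks:
   slots = [rbx+18h], slot = [rax+rdi*8], indirect call through [rcx]. */
typedef struct Obj Obj;
typedef void (*Method)(Obj *, int);
struct Obj { const Method *vtbl; };
typedef struct { Obj **slots; size_t cap, used; } Table;
#define DEBUG_FILL ((uintptr_t)0xBAADF00DBAADF00DULL) /* rcx in the crash */

static void obj_release(Obj *o, int flag) { (void)flag; free(o); }
static const Method obj_vtbl[] = { obj_release };
/* unwritten=1 simulates slots left holding the fill pattern (set explicitly
   so the run is deterministic); unwritten=0 is the fix: zeroed slots. */
static Table table_new(size_t cap, int unwritten) {
    Table t = { calloc(cap, sizeof(Obj *)), cap, 0 };
    for (size_t i = 0; unwritten && t.slots && i < cap; i++)
        t.slots[i] = (Obj *)DEBUG_FILL;
    return t;
}
static int table_add(Table *t) {
    Obj *o = (t->slots && t->used < t->cap) ? malloc(sizeof *o) : NULL;
    if (!o) return -1;
    o->vtbl = obj_vtbl;
    t->slots[t->used++] = o;
    return 0;
}
/* Slots a "test rcx,rcx / je" guard alone would go on to dereference. */
static size_t passes_null_check(const Table *t) {
    size_t n = 0;
    for (size_t i = 0; t->slots && i < t->cap; i++) n += t->slots[i] != NULL;
    return n;
}
/* Hardened teardown: call only through slots below `used`, then clear. */
static size_t table_destroy(Table *t) {
    size_t calls = 0;
    for (size_t i = 0; t->slots && i < t->used; i++, calls++)
        t->slots[i]->vtbl[0](t->slots[i], 1);   /* edx = 1 in the listing */
    free(t->slots);
    t->slots = NULL; t->cap = t->used = 0;
    return calls;
}
int main(void) {
    Table weak = table_new(4, 1), fixed = table_new(4, 0);
    table_add(&weak); table_add(&fixed);
    printf("%zu %zu\n", passes_null_check(&weak), passes_null_check(&fixed));
    return (table_destroy(&weak) + table_destroy(&fixed) == 2) ? 0 : 1;
}
```

With one object added to a four-slot table, the NULL-only guard accepts all four slots of the unwritten table but only the one real object in the zeroed table.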

Talos

id: TALOS-2016-0224
last seen: 2019-05-29
published: 2017-02-03
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0224
title: Nitro Pro 10 PDF Handling Code Execution Vulnerability