Nitro PDF Reader 1.4.0 Remote Heap Memory Corruption / DoS PoC

Title: Nitro PDF Reader 1.4.0 Remote Heap Memory Corruption / DoS PoC
Advisory ID: ZSL-2011-4999
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 26.02.2011
Summary
Nitro PDF Reader, free, fast, powerful and secure. Create PDF files, comment and review, save PDF forms, extract text and images, type text directly onto the page, and more.
Description
The program suffers from a heap corruption vulnerability that attackers can exploit to cause a denial of service and potentially compromise a vulnerable system. The vulnerability is triggered when the program processes a malicious PDF file, which puts the heap into a corrupted state and results in a crash.

--------------------------------------------------------------------------------

(bc8.b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0023f72c ebx=097e9c48 ecx=baadf00d edx=015ee620 esi=097e9c48 edi=097e1da0
eip=01604b77 esp=0023f708 ebp=00000000 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
Defaulted to export symbols for C:\Program Files\Nitro PDF\Reader\npdf.dll -
npdf!ProvideCoreHFT+0x170517:
01604b77 8b01 mov eax,dword ptr [ecx] ds:0023:baadf00d=????????

--------------------------------------------------------------------------------
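
An added triage example (not part of the original advisory or of any vendor code): the Python below parses the debugger output above and checks whether the faulting pointer is a well-known heap fill value. The pattern table and the function name `triage` are assumptions supplied here; 0xBAADF00D is the value the Windows debug heap writes into allocated but uninitialized memory.

```python
import re

# Fill values written by the Windows debug heap and the MSVC debug CRT.
FILL_PATTERNS = {
    0xBAADF00D: "uninitialized heap allocation (Windows debug heap)",
    0xFEEEFEEE: "freed heap memory (Windows debug heap)",
    0xABABABAB: "guard bytes after a heap block (Windows debug heap)",
    0xCDCDCDCD: "uninitialized heap allocation (MSVC debug CRT)",
    0xDDDDDDDD: "freed heap memory (MSVC debug CRT)",
    0xFDFDFDFD: "guard bytes around a heap block (MSVC debug CRT)",
}

# Lines copied from the debugger output in the advisory above.
DUMP = """\
(bc8.b54): Access violation - code c0000005 (first chance)
eax=0023f72c ebx=097e9c48 ecx=baadf00d edx=015ee620 esi=097e9c48 edi=097e1da0
eip=01604b77 esp=0023f708 ebp=00000000 iopl=0 nv up ei ng nz na po nc
npdf!ProvideCoreHFT+0x170517:
01604b77 8b01 mov eax,dword ptr [ecx] ds:0023:baadf00d=????????
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
SYM_RE = re.compile(r"^(\S+!\S+):\s*$", re.M)
# address, opcode bytes, disassembly, then segment:selector:effective-address=
FAULT_RE = re.compile(
    r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(?P<insn>.+?)\s+\w\w:[0-9a-f]{4}:(?P<ea>[0-9a-f]{8})=", re.M)

def triage(dump):
    """Classify a 32-bit WinDbg access violation; None if no faulting line is found."""
    fault = FAULT_RE.search(dump)
    if fault is None:
        return None
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    ea = int(fault["ea"], 16)
    operands = fault["insn"].partition(" ")[2]
    dst = operands.partition(",")[0]
    mem = re.search(r"\[([^\]]+)\]", operands)
    mem_regs = re.findall(r"e[a-z]{2}", mem.group(1)) if mem else []
    sym = SYM_RE.search(dump)
    return {
        "location": sym.group(1) if sym else None,
        # Heuristic: a memory operand in destination position is treated as a write.
        "access": "write" if "[" in dst else "read",
        "address": ea,
        # Registers in the memory operand whose own value is a heap fill pattern.
        "pointer_regs": [r for r in mem_regs if regs.get(r) in FILL_PATTERNS],
        "pattern": FILL_PATTERNS.get(ea),
    }
```

On the advisory's dump this reports a read through `ecx` at 0xbaadf00d, which is consistent with a pointer taken from uninitialized heap memory. Because the debugger defaulted to export symbols for npdf.dll, the reported location is the nearest export plus an offset, not necessarily the real function name.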

Vendor
Nitro PDF, Inc., Nitro PDF Pty Ltd. - http://www.nitroreader.com
Affected Version
1.4.0.11
Tested On
Microsoft Windows XP Professional SP3 (EN)
Vendor Status
N/A
PoC
nitropdf_dos.txt
nitropdf_poc.rar
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.org/files/98742
[2] http://securityreason.com/exploitalert/10057
[3] http://www.exploit-db.com/exploits/16254/
[4] http://www.securityfocus.com/bid/46580
Changelog
[26.02.2011] - Initial release
[28.02.2011] - Added references [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk