eXPert PDF Reader 4.0 NULL Pointer Dereference and Heap Corruption Denial Of Service

Title: eXPert PDF Reader 4.0 NULL Pointer Dereference and Heap Corruption Denial Of Service
Advisory ID: ZSL-2011-5000
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 26.02.2011
Summary
eXPert PDF Reader is a free pdf viewer software that lets you view and print pdf documents on windows operating systems.
Description
The vulnerability is caused due to a NULL pointer dereference when processing malicious Printer Job (.pj) files and can be exploited to crash the application and cause a heap corruption and denial of service scenarios.

--------------------------------------------------------------------------------

HEAP[vspdfreader.exe]: Invalid allocation size - 82828290 (exceeded 7ffdefff)
(77c.d48): Unknown exception - code 0eedfade (first chance)
(77c.d48): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=02d7a188 ecx=00bd311c edx=00000002 esi=00000002 edi=0012fe24
eip=00446cc9 esp=0012fb6c ebp=0012fb84 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210297
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x46cc9:
00446cc9 8b04b0 mov eax,dword ptr [eax+esi*4] ds:0023:00000009=????????

image00400000+0x46cc9:
00446cc9 8b04b0 mov eax,dword ptr [eax+esi*4]
00446ccc 5e pop esi
00446ccd 5b pop ebx
00446cce c3 ret
00446ccf 90 nop
00446cd0 8bc8 mov ecx,eax
00446cd2 b201 mov dl,1
00446cd4 a1f48d4300 mov eax,dword ptr [image00400000+0x38df4 (00438df4)]

image00400000+0x38df4:
00438df4 4c dec esp
00438df5 8e4300 mov es,word ptr [ebx]
00438df8 0000 add byte ptr [eax],al
00438dfa 0000 add byte ptr [eax],al
00438dfc 0000 add byte ptr [eax],al
00438dfe 0000 add byte ptr [eax],al
00438e00 0000 add byte ptr [eax],al
00438e02 0000 add byte ptr [eax],al

--------------------------------------------------------------------------------

Vendor
Visagesoft - http://www.visagesoft.com
Affected Version
4.0.210
Tested On
Microsoft Windows XP Professional SP3 (EN)
Vendor Status
N/A
PoC
expertpdf_null.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.org/files/98744
[2] http://securityreason.com/exploitalert/10056
[3] http://www.exploit-db.com/exploits/16248/
[4] http://www.securityfocus.com/bid/46583
Changelog
[26.02.2011] - Initial release
[28.02.2011] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk