Nitro PDF Reader 1.4.0 Heap Memory Corruption PoC
Source: www.zeroscience.mk  Author: LiquidWorm  Published: 2011-03-01

Nitro PDF Reader 1.4.0 Remote Heap Memory Corruption / DoS PoC


Vendor: Nitro PDF, Inc., Nitro PDF Pty Ltd.
Product web page: http://www.nitroreader.com
Affected version: 1.4.0.11

Summary: Nitro PDF Reader, free, fast, powerful and secure.
Create PDF files, comment and review, save PDF forms, extract
text and images, type text directly onto the page, and more.

Desc: The program suffers from a heap corruption vulnerability
which can be exploited by malicious people to cause a denial of
service and potentially compromise a vulnerable system. The
vulnerability is caused when processing a malicious PDF file, which
triggers a heap corruption state resulting in a crash.

--------------------------------------------------------------

(bc8.b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0023f72c ebx=097e9c48 ecx=baadf00d edx=015ee620 esi=097e9c48 edi=097e1da0
eip=01604b77 esp=0023f708 ebp=00000000 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010282
Defaulted to export symbols for C:\Program Files\Nitro PDF\Reader\npdf.dll -
npdf!ProvideCoreHFT+0x170517:
01604b77 8b01            mov     eax,dword ptr [ecx]  ds:0023:baadf00d=????????

--------------------------------------------------------------

Tested on: MS Windows XP Pro SP3 (en)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com

Advisory ID: ZSL-2011-4999
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4999.php


21.02.2011


--------

PoC:
http://www.exploit-db.com/sploits/nitropdf_poc.rar
http://www.zeroscience.mk/codes/nitropdf_poc.rar

--------
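
Added triage example, not part of the original advisory: the script parses the WinDbg excerpt above and classifies the fault from the register dump and the faulting instruction. The fill-value table is general Windows debug-heap knowledge assumed here, not something the advisory states; `triage` and its field names are hypothetical.

```python
import re

# Windows debug-heap fill values (general knowledge, assumed; not from the advisory).
FILL_PATTERNS = {
    0xBAADF00D: "uninitialized heap allocation (debug heap fill)",
    0xFEEEFEEE: "freed heap memory",
    0xABABABAB: "guard bytes after a heap allocation",
}

# Lines copied from the WinDbg output in the advisory.
CRASH = """\
eax=0023f72c ebx=097e9c48 ecx=baadf00d edx=015ee620 esi=097e9c48 edi=097e1da0
eip=01604b77 esp=0023f708 ebp=00000000 iopl=0         nv up ei ng nz na po nc
Defaulted to export symbols for C:\\Program Files\\Nitro PDF\\Reader\\npdf.dll -
npdf!ProvideCoreHFT+0x170517:
01604b77 8b01            mov     eax,dword ptr [ecx]  ds:0023:baadf00d=????????
"""

REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
INSN_RE = re.compile(
    r"^[0-9a-f]{8}\s+[0-9a-f]+\s+\w+\s+(?P<ops>.+?)\s+"
    r"\w\w:[0-9a-f]{4}:(?P<ea>[0-9a-f]{8})=(?P<val>\S+)\s*$", re.M)
SYM_RE = re.compile(r"^(?P<mod>\w+)!(?P<sym>\w+)\+0x(?P<off>[0-9a-f]+):", re.M)


def triage(text):
    """Classify a 32-bit WinDbg access violation from its register dump."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    insn = INSN_RE.search(text)
    if insn is None:
        raise ValueError("no faulting instruction with an effective address")
    ops = insn.group("ops")
    m = re.search(r"\[(e[a-z]{2})", ops)
    base = m.group(1) if m else None
    sym = SYM_RE.search(text)
    return {
        "module": sym.group("mod") if sym else None,
        # With export-only symbols the name is just the nearest export.
        "symbol_trusted": bool(sym) and "Defaulted to export symbols" not in text,
        # Heuristic for mov-style instructions: memory as first operand is a write.
        "access": "write" if "[" in ops.split(",")[0] else "read",
        "base_reg": base,
        "address": int(insn.group("ea"), 16),
        "unmapped": set(insn.group("val")) == {"?"},
        "pattern": FILL_PATTERNS.get(regs.get(base)),
    }

if __name__ == "__main__":
    print(triage(CRASH))
```

For this crash the result is a read through `ecx`, which holds the uninitialized-allocation fill value, at an unmapped address inside `npdf`; the reported symbol name is not trustworthy because only export symbols were loaded.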

