Foxit PDF Reader (formerly Foxit Reader) is a multilingual freemium PDF (Portable Document Format) tool that can create, view, edit, digitally sign, and print PDF files. Early versions of Foxit Reader were notable for startup performance and small file size. The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting, and drawing. Foxit PDF Reader also includes an Enterprise version, which requires a Foxit account.
Foxit PhantomPDF / Reader version 10.0.0.35798 is vulnerable to an out-of-bounds write. An exploitable vulnerability exists in the safe_vsnprintf function of FoxitReader.exe when parsing a specially crafted PDF file; it leads to an out-of-bounds write that can result in code execution. The vulnerability was found via file-format fuzzing and has been fixed by the Foxit Security Team in release 10.1.
An exploitable out-of-bounds write exists due to insufficient bounds checking in the safe_vsnprintf function when handling a maliciously crafted PDF file. A remote attacker may be able to exploit this to execute arbitrary code in the context of the application via a crafted PDF file. On its own the out-of-bounds write corrupts memory; coupled with another vulnerability (for example an information leak) it can aid full exploitation. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger it.
The issue has been confirmed to affect both Foxit PhantomPDF and Foxit Reader. We believe earlier versions are affected too, but they have not been tested at the time of writing. Following are the tested versions:
- Foxit PhantomPDF 10.0.0.35798
- Foxit Reader 10.0.0.35798
The OOB issue is triggered when handling the /Domain attribute (the array in a PDF function or shading dictionary that gives the valid input range), with specific bytes that caused the exception:
Following is the exception raised when Foxit Reader fails to handle the specially crafted PDF document:
```
(371c.de4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe -
eax=00000000 ebx=b0ca8f10 ecx=2c32902e edx=005eb1a8 esi=2c32a3c4 edi=005f0000
eip=02adcd81 esp=005eb0e0 ebp=005eb0f0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
FoxitReader!safe_vsnprintf+0x3f3051:
02adcd81 f3ab            rep stos dword ptr es:[edi]
```
Analysing the crash path shows that the out-of-bounds write happens inside a memory fill. The faulting instruction is `rep stos dword ptr es:[edi]` with eax=0, i.e. a memset-style zero fill, and ecx (the remaining dword count) still holds 0x2c32902e, far larger than any sane buffer. edi=005f0000 lies just above the current stack (esp=005eb0e0), and the page at that address starts with the "Actx" activation-context data, which is mapped read-only: the fill began in a stack buffer and ran off the top of the thread's stack until it hit the next mapping. In other words, the code never bounded the fill length against the destination buffer, which is what allowed the write outside the intended range. Two caveats when reading the symbol names: FoxitReader.exe carries only export symbols (the debugger says so above), so `safe_vsnprintf+0x3f3051` means "roughly 4 MB past the nearest exported symbol", not that the faulting code is inside safe_vsnprintf itself; and the !exploitable and bucket output further down come from a separate session in which the stack sat elsewhere (frames at 00cfb600, faulting address 0xd00000), which is again the first page above the stack, consistent with the same overrun. This can be observed in the exception record:
```
0:000> .exr -1
ExceptionAddress: 02adcd81 (FoxitReader!safe_vsnprintf+0x003f3051)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 005f0000
Attempt to write to address 005f0000
0:000> dc 005f0000
005f0000  78746341 00000020 00000001 0000331c  Actx ........3..
005f0010  000000dc 00000000 00000020 00000000  ........ .......
005f0020  00000014 00000001 00000007 00000034  ............4...
```
The root cause lies in the rendering path: the code creates a memory device context (DC) compatible with the specified device, then retrieves the bits of the compatible bitmap and copies them into a buffer as a DIB in the specified format (this matches the Win32 GDI CreateCompatibleDC and GetDIBits calls). The initial root cause:
It then performs a memory set through the function call_to_check. This function is responsible for the memory set, and when the writes run past the end of the buffer it triggers the crash. Crash path (this run was under Application Verifier, hence the _AVRF suffix in the bucket ID):
```
0:000> !exploitable -v
!exploitable 220.127.116.11
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xd00000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0xd38b80f4.0x11c44483

Hash Usage : Stack Trace:
Major+Minor : FoxitReader!safe_vsnprintf+0x3f3051
Major+Minor : FoxitReader!safe_vsnprintf+0x1e6c63
Instruction Address: 0x0000000002adcd81

Description: Exception Handler Chain Corrupted
Short Description: ExceptionHandlerCorrupted
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at FoxitReader!safe_vsnprintf+0x00000000003f3051 (Hash=0xd38b80f4.0x11c44483)

Corruption of the exception handler chain is considered exploitable
```
```
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_AVRF
DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_AVRF
PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
LAST_CONTROL_TRANSFER:  from 028d0993 to 02adcd81

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
00cfb600 028d0993 00cfb6b4 00000000 b0ca8f14 FoxitReader!safe_vsnprintf+0x3f3051
00cfbb10 00000000 00000000 00000000 00000000 FoxitReader!safe_vsnprintf+0x1e6c63
---------
0:000> lmvm FoxitReader
start    end        module name
00f70000 06c75000   FoxitReader   (export symbols)       C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe
    Loaded symbol image file: C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe
    Image path: C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe
    Image name: FoxitReader.exe
    Timestamp:        Wed Apr 29 18:19:57 2020 (5EA954CD)
    CheckSum:         05C0F4E9
    ImageSize:        05D05000
    File version:     10.0.0.35798
    Product version:  10.0.0.35798
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Foxit Software Inc.
    ProductName:      Foxit Reader
    InternalName:     Foxit Reader.exe
    OriginalFilename: Foxit Reader.EXE
    ProductVersion:   10.0.0.35798
    FileVersion:      10.0.0.35798
    PrivateBuild:     10.0.0.35798
    SpecialBuild:     10.0.0.35798
    FileDescription:  Foxit Reader 10.0
    LegalCopyright:   Copyright © 2004-2020 Foxit Software Inc. All Rights Reserved.
    LegalTrademarks:  Copyright © 2004-2020 Foxit Software Inc. All Rights Reserved.
    Comments:         Copyright © 2004-2020 Foxit Software Inc. All Rights Reserved.
```
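As an added illustration of the bug class the dumps above point to (this is example code, not code from Foxit's binary or from this write-up), the following C models a count taken from the document driving a memset of a fixed-size buffer, with the unchecked form beside the checked one. The /Domain parser, every name in it (domain_t, MAX_DOMAIN, parse_domain, clear_domain_checked and friends) and the two sample dictionaries are assumptions made for the example.

```c
/* Added example, not code from Foxit's binary or from the original write-up.
 * It models the bug class the crash dump points to: a zero-fill (memset /
 * rep stos) of a fixed-size buffer whose length is taken from the document,
 * here the entry count of a PDF /Domain array.  All names (domain_t,
 * MAX_DOMAIN, parse_domain, ...) are hypothetical; the sample dictionaries
 * are constructed, not taken from the advisory's PoC. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DOMAIN 16   /* hypothetical capacity: 8 inputs x (min, max) */

typedef struct {
    double vals[MAX_DOMAIN];   /* fixed size, like a stack buffer */
    size_t count;
} domain_t;

/* Vulnerable pattern: trust a file-derived count and clear that many entries.
 * With count > MAX_DOMAIN this is the same out-of-bounds fill as the rep stos
 * in the dump, so it must never see an unchecked count. */
void clear_domain_unchecked(domain_t *d, size_t count)
{
    memset(d->vals, 0, count * sizeof d->vals[0]);   /* no bound on count */
    d->count = count;
}

/* Hardened form: refuse any count the buffer cannot hold. */
int clear_domain_checked(domain_t *d, size_t count)
{
    if (count > MAX_DOMAIN) return -1;
    memset(d->vals, 0, count * sizeof d->vals[0]);
    d->count = count;
    return 0;
}

/* Parse "/Domain [ n0 n1 ... ]" from a dictionary fragment into d.  Returns
 * the number of entries stored, or -1 if the key is missing, the array is
 * malformed, holds an odd number of values (entries are (min, max) pairs)
 * or has more values than MAX_DOMAIN.  It never writes past vals. */
int parse_domain(const char *s, domain_t *d)
{
    const char *p = strstr(s, "/Domain");
    if (p == NULL) return -1;
    p += strlen("/Domain");
    while (isspace((unsigned char)*p)) p++;
    if (*p++ != '[') return -1;

    size_t n = 0;
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == ']') break;
        if (*p == '\0') return -1;            /* unterminated array */
        char *end;
        double v = strtod(p, &end);
        if (end == p) return -1;              /* not a number */
        if (n >= MAX_DOMAIN) return -1;       /* the bound the crash implies is missing */
        d->vals[n++] = v;
        p = end;
    }
    if (n == 0 || n % 2 != 0) return -1;
    d->count = n;
    return (int)n;
}

/* Constructed inputs: a benign Type 2 function, and one whose /Domain array
 * carries 40 values, more than the buffer can hold. */
const char GOOD_FN[] =
    "<< /FunctionType 2 /Domain [0 1] /C0 [0.0] /C1 [1.0] /N 1 >>";
const char BAD_FN[] =
    "<< /FunctionType 2 /Domain [0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 "
    "0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1] /C0 [0] /C1 [1] /N 1 >>";

/* Wrappers that report results without the caller owning a domain_t. */
int domain_entry_count(const char *s)
{
    domain_t d;
    return parse_domain(s, &d);
}

double domain_value(const char *s, size_t i)
{
    domain_t d;
    if (parse_domain(s, &d) < 0 || i >= d.count) return -1.0;
    return d.vals[i];
}

int checked_clear(size_t count)
{
    domain_t d;
    return clear_domain_checked(&d, count);
}

int main(void)
{
    printf("good: %d entries\n", domain_entry_count(GOOD_FN));    /* 2 */
    printf("bad: %d (rejected)\n", domain_entry_count(BAD_FN));   /* -1 */
    printf("clear(1000): %d (rejected)\n", checked_clear(1000));  /* -1 */
    return 0;
}
```

The point is the comparison against MAX_DOMAIN before the fill: a count read from the file, like any other length the document supplies, has to be checked against the destination's capacity before memset is allowed to run, otherwise a zero fill with an attacker-sized length runs straight off the end of the buffer and, for a stack buffer, off the top of the stack, exactly the rep stos the dump shows.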
This bug was discovered in 2020 and reported to the Foxit Security Team; it has been fixed in release 10.1. Greetz Yeh and Fakhrie for this bug :)