Overview
Foxit PDF Reader (formerly Foxit Reader) is a multilingual freemium PDF (Portable Document Format) tool that can create, view, edit, digitally sign, and print PDF files. Early versions of Foxit Reader were notable for startup performance and small file size. The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting, and drawing. Foxit PDF Reader also includes an Enterprise version, which requires a Foxit account.
Foxit PhantomPDF / Reader version 10.0.0.35798 is vulnerable to an out-of-bounds write. An exploitable vulnerability exists in the safe_vsnprintf function of FoxitReader.exe when parsing a specially crafted PDF file; it leads to an out-of-bounds write and can result in direct code execution. This vulnerability was found via file format fuzzing. The vulnerability has been fixed by the Foxit Security Team with release version 10.1.
Vulnerability Analysis
An exploitable out-of-bounds write vulnerability exists due to an error in the safe_vsnprintf function when handling a maliciously crafted PDF file. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application via a crafted PDF file. A specially crafted PDF document can trigger the out-of-bounds write, which can disclose sensitive memory content or, when coupled with another vulnerability, aid in exploitation. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
The issue has been confirmed to affect Foxit PhantomPDF and Foxit Reader. We believe earlier versions are affected too, but we have not tested them at this time. The following versions were tested:
- Foxit PhantomPDF 10.0.0.35798
- Foxit Reader 10.0.0.35798
The OOB issue exists when handling /Domain attributes; a special byte sequence in the attribute caused the exception:
Following is the exception raised when the specially crafted PDF document failed to be handled:
(371c.de4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe -
eax=00000000 ebx=b0ca8f10 ecx=2c32902e edx=005eb1a8 esi=2c32a3c4 edi=005f0000
eip=02adcd81 esp=005eb0e0 ebp=005eb0f0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
FoxitReader!safe_vsnprintf+0x3f3051:
02adcd81 f3ab rep stos dword ptr es:[edi]
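The page does not show the bytes placed in the /Domain attribute, so as an added example (not the author's code and not Foxit's), here is the kind of validation a PDF parser should apply to a /Domain array before it is used. Per the PDF specification a Domain is an array of 2m numbers giving [min max] pairs for an m-input function, so a validator can reject odd counts, non-numeric tokens, reversed pairs and oversized arrays. The function names, the DOMAIN_MAX_VALUES cap and the sample dictionary fragments are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

enum domain_status { DOMAIN_OK = 0, DOMAIN_MISSING, DOMAIN_SYNTAX,
                     DOMAIN_BAD_COUNT, DOMAIN_TOO_MANY, DOMAIN_UNORDERED };

/* Hypothetical cap: a sane function has few input dimensions, so an array
 * far longer than this is suspicious and is rejected before any copying. */
#define DOMAIN_MAX_VALUES 64

/* Scans one PDF numeric token ([+-]digits[.digits]) at *pp. PDF numbers have
 * no exponent, so a hand-rolled scanner is used instead of bare strtod. */
static int scan_number(const char **pp, double *out)
{
    const char *s = *pp, *q = s;
    int digits = 0;
    if (*q == '+' || *q == '-') q++;
    while (isdigit((unsigned char)*q)) { q++; digits++; }
    if (*q == '.') { q++; while (isdigit((unsigned char)*q)) { q++; digits++; } }
    if (digits == 0) return 0;
    if (*q != ']' && !isspace((unsigned char)*q)) return 0; /* delimiter required */
    *out = strtod(s, NULL);        /* safe: the token was validated above */
    *pp = q;
    return 1;
}

/* Validates the first /Domain array in a (text) dictionary fragment and
 * stores the number of values found in *count. */
enum domain_status validate_domain(const char *dict, size_t *count)
{
    const char *p = strstr(dict, "/Domain");
    double vals[DOMAIN_MAX_VALUES];
    size_t n = 0, i;
    *count = 0;
    if (!p) return DOMAIN_MISSING;
    p += strlen("/Domain");
    while (isspace((unsigned char)*p)) p++;
    if (*p != '[') return DOMAIN_SYNTAX;
    p++;
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == ']') break;
        if (*p == '\0') return DOMAIN_SYNTAX;          /* unterminated array */
        if (n == DOMAIN_MAX_VALUES) return DOMAIN_TOO_MANY;
        if (!scan_number(&p, &vals[n])) return DOMAIN_SYNTAX;
        n++;
    }
    if (n == 0 || n % 2 != 0) return DOMAIN_BAD_COUNT; /* must be 2m, m >= 1 */
    for (i = 0; i < n; i += 2)
        if (vals[i] > vals[i + 1]) return DOMAIN_UNORDERED;
    *count = n;
    return DOMAIN_OK;
}

/* Builds a constructed /Domain array with more values than the cap allows
 * and reports whether the validator rejected it. */
int long_domain_rejected(void)
{
    char buf[512] = "/Domain [";
    size_t i, n;
    for (i = 0; i < DOMAIN_MAX_VALUES / 2 + 1; i++)
        strcat(buf, " 0 1");       /* 66 values in total */
    strcat(buf, " ]");
    return validate_domain(buf, &n) == DOMAIN_TOO_MANY;
}
```

The validator works on a NUL-terminated text fragment, which is a simplification: a real reader tokenises raw bytes, but the checks (even count, numeric tokens only, ordered pairs, a hard cap on array length) are the same ones that should gate any later buffer sizing done from the array.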
Analysing the last crash path shows that the OOB happened when the function safe_vsnprintf attempted a write to memory. This function fails to perform some checks, which allowed it to write outside the memory range. This can be observed:
0:000> .exr -1
ExceptionAddress: 02adcd81 (FoxitReader!safe_vsnprintf+0x003f3051)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 005f0000
Attempt to write to address 005f0000
0:000> dc 005f0000
005f0000 78746341 00000020 00000001 0000331c Actx ........3..
005f0010 000000dc 00000000 00000020 00000000 ........ .......
005f0020 00000014 00000001 00000007 00000034 ............4...
The root cause of the issue is in creating a memory device context (DC) compatible with the specified device. It then tries to retrieve the bits of the specified compatible bitmap and copies them into a buffer as a DIB using the specified format. The initial root cause:
It then performed a memory set and called the function call_to_check. This function is responsible for the memory set, and when the writes go out of bounds, it triggers a crash. Crash path:
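The two paragraphs above describe a fill (the rep stos in the crash) whose length was not checked against the destination buffer, downstream of a DIB buffer being sized for a compatible bitmap. The following is an added model of that bug class written for this write-up; it is not Foxit's code, and fill_unchecked, fill_checked, format_checked, dib_buffer_size and canary_clobbered are hypothetical names. It puts the unchecked fill beside its clamped form, shows the vsnprintf contract that such wrappers commonly get wrong (the return value is the length the full output would have had, not the number of bytes written), and computes the DWORD-padded DIB buffer size with overflow checks so a memset over that buffer cannot run past it.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the defect: the destination is zero-filled for the length the
 * caller *requested* instead of the capacity the buffer actually has. */
static size_t fill_unchecked(unsigned char *buf, size_t cap, size_t requested)
{
    (void)cap;                 /* capacity ignored: this is the bug */
    memset(buf, 0, requested); /* rep stos runs past buf when requested > cap */
    return requested;
}

/* Hardened form: the fill length is clamped to the buffer capacity. */
static size_t fill_checked(unsigned char *buf, size_t cap, size_t requested)
{
    size_t n = requested < cap ? requested : cap;
    memset(buf, 0, n);
    return n;
}

/* Demonstration: a 64-byte backing array of which only the first 16 bytes
 * are "the buffer"; the remainder is a canary region filled with 0xAA.
 * Returns 1 if the chosen variant clobbered the canary, 0 otherwise.
 * Staying inside the backing array keeps the demo itself well defined. */
int canary_clobbered(int use_checked)
{
    unsigned char backing[64];
    const size_t cap = 16, requested = 32;
    size_t i;
    memset(backing, 0xAA, sizeof backing);
    if (use_checked)
        fill_checked(backing, cap, requested);
    else
        fill_unchecked(backing, cap, requested);
    for (i = cap; i < sizeof backing; i++)
        if (backing[i] != 0xAA)
            return 1;
    return 0;
}

/* A vsnprintf wrapper that honours the contract: vsnprintf may return a
 * value larger than cap, so that value is never used as a write length.
 * Returns the number of bytes actually stored, excluding the terminator. */
size_t format_checked(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int needed;
    if (buf == NULL || cap == 0)
        return 0;
    va_start(ap, fmt);
    needed = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    if (needed < 0) {          /* encoding error: leave an empty string */
        buf[0] = '\0';
        return 0;
    }
    buf[cap - 1] = '\0';       /* guaranteed by vsnprintf, kept explicit */
    return (size_t)needed < cap ? (size_t)needed : cap - 1;
}

/* Size of the pixel buffer a DIB (as GetDIBits fills it) needs: every row
 * is padded to a DWORD boundary. Returns 0 with *out = 0 on bad input or
 * arithmetic overflow, so a caller cannot allocate or memset a buffer that
 * is smaller than the rows that will be written into it. */
int dib_buffer_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    uint64_t stride, total;
    *out = 0;
    if (width == 0 || height == 0)
        return 0;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return 0;
    stride = (((uint64_t)width * bpp + 31) / 32) * 4; /* DWORD-aligned row */
    if (height > UINT64_MAX / stride)
        return 0;                                    /* would wrap */
    total = stride * height;
    if (total > (uint64_t)SIZE_MAX)                  /* matters on 32-bit builds */
        return 0;
    *out = (size_t)total;
    return 1;
}
```

The design point is that every length fed to memset or to a copy must derive from the destination's capacity, never from attacker-influenced input (a requested length, a formatted-output length, or image dimensions) without a clamp or a rejection step in between.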
Exploitable result:
0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xd00000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0xd38b80f4.0x11c44483
Hash Usage : Stack Trace:
Major+Minor : FoxitReader!safe_vsnprintf+0x3f3051
Major+Minor : FoxitReader!safe_vsnprintf+0x1e6c63
Instruction Address: 0x0000000002adcd81
Description: Exception Handler Chain Corrupted
Short Description: ExceptionHandlerCorrupted
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at FoxitReader!safe_vsnprintf+0x00000000003f3051 (Hash=0xd38b80f4.0x11c44483)
Corruption of the exception handler chain is considered exploitable
Crash analysis:
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_AVRF
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE_EXPLOITABLE_AVRF
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
LAST_CONTROL_TRANSFER: from 028d0993 to 02adcd81
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
00cfb600 028d0993 00cfb6b4 00000000 b0ca8f14 FoxitReader!safe_vsnprintf+0x3f3051
00cfbb10 00000000 00000000 00000000 00000000 FoxitReader!safe_vsnprintf+0x1e6c63
---------
0:000> lmvm FoxitReader
Browse full module list
start end module name
00f70000 06c75000 FoxitReader (export symbols) C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe
Loaded symbol image file: C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe
Image path: C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe
Image name: FoxitReader.exe
Browse all global symbols functions data
Timestamp: Wed Apr 29 18:19:57 2020 (5EA954CD)
CheckSum: 05C0F4E9
ImageSize: 05D05000
File version: 10.0.0.35798
Product version: 10.0.0.35798
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04b0
CompanyName: Foxit Software Inc.
ProductName: Foxit Reader
InternalName: Foxit Reader.exe
OriginalFilename: Foxit Reader.EXE
ProductVersion: 10.0.0.35798
FileVersion: 10.0.0.35798
PrivateBuild: 10.0.0.35798
SpecialBuild: 10.0.0.35798
FileDescription: Foxit Reader 10.0
LegalCopyright: Copyright © 2004-2020 Foxit Software Inc. All Rights Reserved.
LegalTrademarks: Copyright © 2004-2020 Foxit Software Inc. All Rights Reserved.
Comments: Copyright © 2004-2020 Foxit Software Inc. All Rights Reserved.
This bug was discovered back in 2020 and reported to the Foxit Security Team. The vulnerability has been fixed in the latest version. Greetz Yeh and Fakhrie for this bug :)