Nafiez

Interested in x86 Reverse Engineering and Vulnerability Research.

Foxit PhantomPDF / Reader - safe_vsnprintf Out-of-Bound Write Vulnerability

09 Feb 2022 » security, oob, overflow

Overview

Foxit PDF Reader (formerly Foxit Reader) is a multilingual freemium PDF (Portable Document Format) tool that can create, view, edit, digitally sign, and print PDF files. Early versions of Foxit Reader were notable for startup performance and small file size. The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting, and drawing. Foxit PDF Reader also includes an Enterprise version, which requires a Foxit account.

Foxit PhantomPDF / Reader version 10.0.0.35798 vulnerable to out-of-bound write vulnerability. An exploitable vulnerability exists in the safe_vsnprintf function of FoxitReader.exe when parsing specially crafted PDF file that leads to a out-of-bounds write, resulting in direct code execution. This vulnerability was found via file format fuzzing. The vulnerability has been fixed by Foxit Security Team with the release version 10.1.

Vulnerability Analysis

An exploitable out-of-bounds write vulnerability exists due to an error in the safe_vsnprintf function when handling a maliciously crafted PDF file. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application, via a crafted PDF file. A specially crafted PDF document can trigger an out-of-bounds write, which can disclose sensitive memory content or even write and aid in exploitation when coupled with another vulnerability. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

The issue has been confirmed to affect the Foxit PhantomPDF and Foxit Reader. We believe the earlier version affected too, but haven’t tested until this time. Following are the tested versions:

- Foxit PhantomPDF 10.0.0.35798
- Foxit Reader 10.0.0.35798

The OOB issue exists when handling /Domain attributes, with a special bytes that caused the exception: image

Following are the exception when failed to handle the specially crafted PDF document:

(371c.de4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe - 
eax=00000000 ebx=b0ca8f10 ecx=2c32902e edx=005eb1a8 esi=2c32a3c4 edi=005f0000
eip=02adcd81 esp=005eb0e0 ebp=005eb0f0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
FoxitReader!safe_vsnprintf+0x3f3051:
02adcd81 f3ab            rep stos dword ptr es:[edi]

Analysing the last crash path found that the OOB happened when it attempted to perform write in memory by leveraging the function safe_vsnprintf. This function basically failed to perform some checks that allowed it to write outside the memory range. This can be observe:

0:000> .exr -1
ExceptionAddress: 02adcd81 (FoxitReader!safe_vsnprintf+0x003f3051)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 005f0000
Attempt to write to address 005f0000

0:000> dc 005f0000
005f0000  78746341 00000020 00000001 0000331c  Actx ........3..
005f0010  000000dc 00000000 00000020 00000000  ........ .......
005f0020  00000014 00000001 00000007 00000034  ............4...

The root cause of the issue is when creating a memory device context (DC) compatible with the specified device. Then it tries to retrieve the bits of the specified compatible bitmap and copies them into a buffer as a DIB using the specified format. The initial root cause:

image

Then it performed a memory set and called the function call_to_check. This function is responsible for the memory set and when the writes are written out of the bound, it triggers a crash. Crash path:

image

Exploitable result:

0:000> !exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xd00000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0xd38b80f4.0x11c44483

 Hash Usage : Stack Trace:
Major+Minor : FoxitReader!safe_vsnprintf+0x3f3051
Major+Minor : FoxitReader!safe_vsnprintf+0x1e6c63
Instruction Address: 0x0000000002adcd81

Description: Exception Handler Chain Corrupted
Short Description: ExceptionHandlerCorrupted
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at FoxitReader!safe_vsnprintf+0x00000000003f3051 (Hash=0xd38b80f4.0x11c44483)

Corruption of the exception handler chain is considered exploitable

Crash analysis:

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_EXPLOITABLE_AVRF

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_AVRF

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 028d0993 to 02adcd81

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
00cfb600 028d0993 00cfb6b4 00000000 b0ca8f14 FoxitReader!safe_vsnprintf+0x3f3051
00cfbb10 00000000 00000000 00000000 00000000 FoxitReader!safe_vsnprintf+0x1e6c63
---------

0:000> lmvm FoxitReader
Browse full module list
start    end        module name
00f70000 06c75000   FoxitReader   (export symbols)       C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe
    Loaded symbol image file: C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe
    Image path: C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe
    Image name: FoxitReader.exe
    Browse all global symbols  functions  data
    Timestamp:        Wed Apr 29 18:19:57 2020 (5EA954CD)
    CheckSum:         05C0F4E9
    ImageSize:        05D05000
    File version:     10.0.0.35798
    Product version:  10.0.0.35798
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Foxit Software Inc.
    ProductName:      Foxit Reader
    InternalName:     Foxit Reader.exe
    OriginalFilename: Foxit Reader.EXE
    ProductVersion:   10.0.0.35798
    FileVersion:      10.0.0.35798
    PrivateBuild:     10.0.0.35798
    SpecialBuild:     10.0.0.35798
    FileDescription:  Foxit Reader 10.0
    LegalCopyright:   Copyright © 2004-2020 Foxit Software Inc. All Rights Reserved. 
    LegalTrademarks:  Copyright © 2004-2020 Foxit Software Inc. All Rights Reserved. 
    Comments:         Copyright © 2004-2020 Foxit Software Inc. All Rights Reserved. 

This bug was discovered back in 2020 and reported to Foxit Security team. The vulnerability has been fixed with the latest version. Greetz Yeh and Fakhrie for this bug :)