CVE-2009-0691 - Resource Management Errors vulnerability in Foxitsoftware Foxit Reader and Jpeg2000 Jbig2 Decoder Add-On

CVSS: 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, foxitsoftware, CWE-399, critical, nessus

Summary

The Foxit JPEG2000/JBIG2 Decoder add-on before 2.0.2009.616 for Foxit Reader 3.0 before Build 1817 does not properly handle a fatal error during decoding of a JPEG2000 (aka JPX) header, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted PDF file that triggers an invalid memory access.

Vulnerable Configurations

Part         Description    Count
Application  Foxitsoftware  2

Common Weakness Enumeration (CWE)

Nessus

NASL family: Windows
NASL id: FOXIT_READER_JBIG_2_0_2009_616.NASL
description: The Foxit Reader application installed on the remote Windows host includes an optional JPEG2000 / JBIG Decoder add-on that is prior to version 2.0.2009.616. It is, therefore, affected by multiple vulnerabilities:
  - An out-of-bounds read error exists in the add-on due to improper handling of a negative value for the stream offset in a JPEG2000 (JPX) stream. An unauthenticated, remote attacker can exploit this, via a crafted PDF file, to cause a denial of service or to execute arbitrary code. (CVE-2009-0690)
  - A flaw exists in the add-on due to improper handling of an unspecified fatal error during the decoding of a JPEG2000 (JPX) header. An unauthenticated, remote attacker can exploit this, via a crafted PDF file, to cause a denial of service or to execute arbitrary code. (CVE-2009-0691)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 39481
published: 2009-06-22
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/39481
title: Foxit Reader JPEG2000 / JBIG Decoder Add-On < 2.0.2009.616 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(39481);
  script_version("1.15");
  script_cvs_date("Date: 2018/07/11 17:09:26");

  script_cve_id("CVE-2009-0690", "CVE-2009-0691");
  script_bugtraq_id(35442, 35443);
  script_xref(name:"CERT", value:"251793");

  script_name(english:"Foxit Reader JPEG2000 / JBIG Decoder Add-On < 2.0.2009.616 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Foxit Reader.");

  script_set_attribute(attribute:"synopsis", value:
"A PDF viewer installed on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Foxit Reader application installed on the remote Windows host
includes an optional JPEG2000 / JBIG Decoder add-on that is prior to
version 2.0.2009.616. It is, therefore affected by multiple
vulnerabilities :

  - A out-of-bounds read error exists in the add-on due to
    improper handling of a negative value for the stream
    offset in a JPEG2000 (JPX) stream. An unauthenticated,
    remote attacker can exploit this, via a crafted PDF
    file, to cause a denial of service or to execute
    arbitrary code. (CVE-2009-0690)

  - A flaw exists in the add-on due to improper handling of
    an unspecified fatal error during the decoding of a
    JPEG2000 (JPX) header. An unauthenticated, remote
    attacker can exploit this, via a crafted PDF file, to
    cause a denial of service or to execute arbitrary code.
    (CVE-2009-0691)");
  script_set_attribute(attribute:"see_also", value:"https://www.foxitsoftware.com/support/security-bulletins.php");
  script_set_attribute(attribute:"see_also", value:"https://www.foxitsoftware.com/company/press.php?id=124");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Foxit Reader version 3.0 Build 1817 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(189, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/06/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/06/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/06/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:foxit_reader");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("foxit_reader_installed.nasl");
  script_require_keys("installed_sw/Foxit Reader");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("install_func.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_reg_query.inc");
include("smb_hotfixes_fcheck.inc");

app = "Foxit Reader";
install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
path = install['path'];

file = "fxdecod1.dll";
fixed_version = "2.0.2009.616";

# some versions are flat, some store in the 'plugins' directory.
paths = make_list("", "plugins");
ver = NULL;

foreach plugin_path (paths)
{
  cur_path = path + "\" + plugin_path;
  version = hotfix_get_fversion(path:cur_path + "\" + file );
  if (version['error'] == HCF_OK)
  {
    ver = join(version['value'], sep:'.');
    path = cur_path;
    break;

  }
  else
    continue;
}

hotfix_check_fversion_end();

report = NULL;
if (ver)
{
  if (ver_compare(ver:ver, fix:fixed_version, strict:FALSE) < 0)
  {
    port = kb_smb_transport();

    report =
      '\n  Plugin path (fxdecod1.dll) : ' + path +
      '\n  Plugin version             : ' + ver +
      '\n  Fixed version              : ' + fixed_version +
      '\n';

    security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
    exit(0);
  }
}
else
  audit(AUDIT_INST_PATH_NOT_VULN, app, path);

Seebug

bulletinFamily: exploit
description: Bugtraq ID: 35443, CVE-2009-0691, CNCVE-20090691. Foxit Reader is an application designed for PDF files. Foxit Reader has a flaw in its handling of JPX (JPEG2000) streams that a remote attacker can exploit to execute arbitrary instructions with the privileges of the application. Foxit Reader cannot decode JPEG2000 data by default; installations of Foxit Reader with the JPEG2000 / JBIG Decoder add-on are affected by this vulnerability. By enticing a user to open a malicious PDF file, an attacker can execute arbitrary code or crash the PDF viewer.
Affected versions:
  - Foxit Foxit Reader 3.0.2009 1301
  - Foxit Foxit Reader 3.0 Build 1506
  - Foxit Foxit Reader 3.0
  - Foxit Foxit Reader 2.3 Build 3902
  - Foxit Foxit Reader 2.3 build 2923
  - Foxit Foxit Reader 2.3 build 2825
  - Foxit Foxit Reader 2.3
  - Foxit Foxit Reader 2.2
Upgrade (the same add-on package is listed for each of the affected versions above):
  - Foxit ImageDecoder_2.0.2009.616.fzip
    http://mirrors.foxitsoftware.com/pub/foxit/reader/desktop/win/addon/ImageDecoder_2.0.2009.616.fzip
id: SSV:11687
last seen: 2017-11-19
modified: 2009-06-23
published: 2009-06-23
reporter: Root
title: Foxit Reader JPEG2000 Header Decoding Memory Corruption Vulnerability