Vulnerabilities > CVE-2011-3691 - Untrusted Search Path vulnerability in Foxitsoftware Foxit Reader

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

foxitsoftware

CWE-426

critical

nessus

NVD

Published: 2011-09-27

Updated: 2016-11-08

Summary

Untrusted search path vulnerability in Foxit Reader before 5.0.2.0718 allows local users to gain privileges via a Trojan horse dwmapi.dll, dwrite.dll, or msdrm.dll in the current working directory. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path'

Vulnerable Configurations

Part	Description	Count
Application	Foxitsoftware Foxitsoftware Foxit Reader 2.0 Foxitsoftware Foxit Reader 2.2 Foxitsoftware Foxit Reader 2.3 Foxitsoftware Foxit Reader 3.0 Foxitsoftware Foxit Reader 3.1 Foxitsoftware Foxit Reader 3.1.1 Foxitsoftware Foxit Reader 3.1.3 Foxitsoftware Foxit Reader 3.1.4 Foxitsoftware Foxit Reader 3.2 Foxitsoftware Foxit Reader 3.2.1 Foxitsoftware Foxit Reader 3.3.1 Foxitsoftware Foxit Reader 4.0 Foxitsoftware Foxit Reader 4.1.1 Foxitsoftware Foxit Reader 4.2 Foxitsoftware Foxit Reader 4.3 Foxitsoftware Foxit Reader 3.1.0.0111 Foxitsoftware Foxit Reader 3.1.2.1013 Foxitsoftware Foxit Reader 3.1.2.1030 Foxitsoftware Foxit Reader 3.2.0.0303 Foxitsoftware Foxit Reader 3.2.1.0401 Foxitsoftware Foxit Reader 3.3 Foxitsoftware Foxit Reader 4.0.0.0619 Foxitsoftware Foxit Reader 4.1 Foxitsoftware Foxit Reader 4.1.1.0805 Foxitsoftware Foxit Reader 4.3.1.0218 Foxitsoftware Foxit Reader 5.0	26

Common Weakness Enumeration (CWE)

CWE-426 - Untrusted Search Path

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging/Manipulating Configuration File Search Paths
This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

Nessus

NASL family	Windows
NASL id	FOXIT_READER_5_0_2_0718.NASL
description	The version of Foxit Reader installed on the remote Windows host is prior to 5.0.2.0718. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in how dynamic-link library (DLL) files are located and loaded, specifically files dwmapi.dll, dwrite.dll, and msdrm.dll. The application uses a fixed path to search for these files, and the path can include directories that may not be trusted or under the user
last seen	2020-06-01
modified	2020-06-02
plugin id	55671
published	2011-07-25
reporter	This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/55671
title	Foxit Reader < 5.0.2.0718 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(55671); script_version("1.13"); script_cvs_date("Date: 2019/01/02 11:18:37"); script_cve_id("CVE-2011-3691"); script_bugtraq_id(48836); script_xref(name:"EDB-ID", value:"11196"); script_name(english:"Foxit Reader < 5.0.2.0718 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Foxit Reader."); script_set_attribute(attribute:"synopsis", value: "A PDF viewer installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Foxit Reader installed on the remote Windows host is prior to 5.0.2.0718. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in how dynamic-link library (DLL) files are located and loaded, specifically files dwmapi.dll, dwrite.dll, and msdrm.dll. The application uses a fixed path to search for these files, and the path can include directories that may not be trusted or under the user's control. An attacker can exploit this issue, via a crafted Trojan horse DLL file injected into the search path, to execute arbitrary code with the privileges of the application or the user executing the application. (CVE-2011-3691) - A boundary error exists in the FoxitReaderOCX ActiveX control in the OpenFile() method due to improper sanitization of user-supplied input. An attacker can exploit this, via an overly long string passed to the 'strFilePath' parameter, to execute arbitrary code. "); script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2011-55/"); # https://www.solutionary.com/threat-intelligence/vulnerability-disclosures/2011/07/foxit-reader-insecure-library-loading/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8ffc67b9"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2011/Jul/139"); script_set_attribute(attribute:"see_also", value:"https://www.foxitsoftware.com/support/security-bulletins.php"); script_set_attribute(attribute:"see_also", value:"https://www.foxitsoftware.com/company/press.php?id=224"); script_set_attribute(attribute:"solution", value: "Upgrade to Foxit Reader version 5.0.2.0718 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/07/21"); script_set_attribute(attribute:"patch_publication_date", value:"2011/07/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/25"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe",value:"cpe:/a:foxitsoftware:foxit_reader"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("foxit_reader_installed.nasl"); script_require_keys("installed_sw/Foxit Reader"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); app = "Foxit Reader"; install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE); version = install["version"]; path = install["path"]; report = NULL; fixed_version = "5.0.2.0718"; if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0) { port = get_kb_item("SMB/transport"); if (!port) port = 445; report = '\n Path : ' + path + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); exit(0); } else audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);

References

http://www.solutionary.com/index/SERT/Vuln-Disclosures/Foxit-Reader.html