Vulnerabilities > CVE-2016-8334 - Out-of-bounds Read vulnerability in Foxitsoftware Reader 8.0.2.805

047910
CVSS 3.3 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
local
low complexity
foxitsoftware
CWE-125

Summary

A large out-of-bounds read on the heap vulnerability in Foxit PDF Reader can potentially be abused for information disclosure. Combined with another vulnerability, it can be used to leak heap memory layout and in bypassing ASLR.

Vulnerable Configurations

Part Description Count
Application
Foxitsoftware
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Seebug

bulletinFamilyexploit
description### Summary A large out of bounds read on the heap vulnerability in Foxit PDF Reader can potentially be abused for information disclosure. Combined with another vulnerability, it can be used to leak heap memory layout and in bypassing ASLR. ### Tested Versions Foxit Software Foxit Reader 8.0.2.805 ### Product URLs https://www.foxitsoftware.com/products/pdf-reader/ ### CVSSv3 Score 7.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H ### Details A wrongly bounded call to `memcpy` while parsing JBIG2 segments contained in a PDF file can be triggered in the Foxit PDF Reader that would cause an out of bounds heap `memory` to be read into a buffer. The destination buffer of the memcpy call is properly sized, but the source is smaller than the size argument, causing the adjacent memory to be copied into a buffer that is further controlled. This will cause heap data including metadata, addresses and pointers to be copied into a buffer which is later reused, disclosing memory layout which can lead to an ASLR bypass. The vulnerability is present in the code responsible for parsing symbol dictionary segments. A sample JBIG2 file which is enough to trigger the vulnerability is as follows: ``` 00 00 00 02 segment number (2) 00 segment type (symbol dictionary) 00 refered-to segments (none) 00 refered-to page ( 0) 00 00 00 09 data size (9 bytes) 0A 00 00 00 00 00 00 00 00 data 00 00 00 03 segment number (3) 00 segment type (symbol dictionary) 20 refered-to segments (0010 0000, 3 MSB bits are count, meaning 1 refered-to segment) 02 id of the refered-to segment (2) 00 refered-to page (0) 00 00 00 11 data size (17 bytes) 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ``` In the above listing, we have broken down two JBIG2 segments. Both are of type `symbol dictionary`. Important thing to note is that the second segment refers to the first one. Segment data in the first segment is further broken down as follows: ``` 0A00 - SDTEMPLATE == 10 , bitmap coding context retained = 1 , bitmap coding context used = 0 ``` Segment data in the second segment is: ``` 01 00 -- bitmap coding context retained = 0, bitmap coding context used = 1 ``` Rest of the bytes in both segments can be ignored for now. The vulnerability itself if present in the function at 00979119 (image load base 0x00400000) which is parsing the details of symbol dictionary type segments. The paths in that function while parsing each segment diverge at the following location: ``` .text:0097957E .text:0097957E loc_97957E: .text:0097957E test [ebp+var_40], 100h [1] .text:00979585 jz loc_97965D ``` At [1] in the above disassembly, a single (8th) bit in segment data is tested. 8th bit signifies if “bitmap coding context” is used. In the case of the first segment it isn’t set. The path continues in the function until it reaches the following interesting block: ``` .text:00979663 mov al, [edi+2Ch] [2] .text:00979666 test al, al .text:00979668 jnz short loc_979671 ``` In the above disassembly, a single byte is tested and it decides which of the following blocks is executed: ``` .text:0097966A mov ebx, 10000h .text:0097966F jmp short loc_979685 ``` Above block sets the value of `ebx` to 65536. ``` .text:00979671 .text:00979671 loc_979671: .text:00979671 xor ebx, ebx .text:00979673 cmp al, 1 .text:00979675 setnz bl .text:00979678 dec ebx .text:00979679 and ebx, 1C00h .text:0097967F add ebx ``` In the second branch , listing above, the value of ebx ends up being 0x400. Both of these are followed by an allocation which is sized by value in `ebx` times 8. ``` .text:00979685 loc_979685: .text:00979685 mov ecx, [esi] .text:00979687 mov eax, [ecx] .text:00979689 push ebx .text:0097968A push 8 .text:0097968C call dword ptr [eax+4] ``` The byte being tested to decide which path to take (allocating 80x10000 or 80x400) depends on the bits 12 and 11 of the data segment header which is extracted by the following code: ``` .text:009791AF mov edx, ebx [1] .text:009791B1 mov al, bl .text:009791B3 shr edx, 0Ah [2] .text:009791B6 shr al, 6 .text:009791B9 shr bl, 7 .text:009791BC and ecx, 1 .text:009791BF and dl, 3 [3] .text:009791C2 and al, 1 .text:009791C4 and bl, 1 .text:009791C7 mov [edi+4], ecx .text:009791CA mov [edi+2Ch], dl [4] ``` In the above disassembly, at [1] the start of the data segment is copied into edx. At [2] first 10 bits are discarded and at [3], only first two of the remaining 6 are left and then saved at `edi+2ch` at [4]. These two bits represent the SDTEMPLATE value. As the SDTEMPLATE value is 0b10 in the first segment, the second branch is taken prior to the allocation, meaning the allocated buffer will be `8*0x400 == 0x2000` bytes long. This can be observed in the following debugging session: ``` Breakpoint 0 hit eax=00000000 ebx=00120a00 ecx=00000a00 edx=00000000 esi=10cfefa0 edi=13440fc0 eip=009791af esp=0012f5d8 ebp=0012f62c iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246 FoxitReader_Lib_Full+0x5791af: 009791af 8bd3 mov edx,ebx [1] 0:000> g Breakpoint 1 hit eax=00000000 ebx=00120a00 ecx=00000000 edx=00000402 esi=10cfefa0 edi=13440fc0 eip=009791ca esp=0012f5d8 ebp=0012f62c iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246 FoxitReader_Lib_Full+0x5791ca: 009791ca 88572c mov byte ptr [edi+2Ch],dl ds:0023:13440fec=00 [2] 0:000> g Breakpoint 2 hit eax=00000000 ebx=13258fd0 ecx=128ccfe8 edx=00000000 esi=10cfefa0 edi=13440fc0 eip=0097957e esp=0012f5d8 ebp=0012f62c iopl=0 nv up ei ng nz ac pe cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200297 FoxitReader_Lib_Full+0x57957e: 0097957e f745c000010000 test dword ptr [ebp-40h],100h ss:0023:0012f5ec=00120a00 0:000> dd ebp-0x40 0012f5ec 00120a00 00000000 00000002 00000000 [3] 0012f5fc 00000000 00000000 00000000 00000000 0012f60c 00000000 00000000 00000000 00000000 0012f61c 00000000 0012f650 01b599ce ffffffff 0012f62c 0012f65c 0097b206 13258fd0 1333cf98 0012f63c 5c1896a6 00000000 10cfefa0 00000000 0012f64c 10cfefa0 0012f698 01b59b34 ffffffff 0012f65c 0012f670 0097b47c 13258fd0 1333cf98 0:000> g Breakpoint 3 hit eax=00000000 ebx=13258fd0 ecx=128ccfe8 edx=00000000 esi=10cfefa0 edi=13440fc0 eip=00979663 esp=0012f5d8 ebp=0012f62c iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246 FoxitReader_Lib_Full+0x579663: 00979663 8a472c mov al,byte ptr [edi+2Ch] ds:0023:13440fec=02 0:000> t eax=00000002 ebx=13258fd0 ecx=128ccfe8 edx=00000000 esi=10cfefa0 edi=13440fc0 eip=00979666 esp=0012f5d8 ebp=0012f62c iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246 FoxitReader_Lib_Full+0x579666: 00979666 84c0 test al,al [4] 0:000> t eax=00000002 ebx=13258fd0 ecx=128ccfe8 edx=00000000 esi=10cfefa0 edi=13440fc0 eip=00979668 esp=0012f5d8 ebp=0012f62c iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202 FoxitReader_Lib_Full+0x579668: 00979668 7507 jne FoxitReader_Lib_Full+0x579671 (00979671) [br=1] 0:000> g Breakpoint 4 hit eax=01e50ad4 ebx=00000400 ecx=07252ffc edx=00000000 esi=10cfefa0 edi=13440fc0 eip=0097968c esp=0012f5d0 ebp=0012f62c iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206 FoxitReader_Lib_Full+0x57968c: 0097968c ff5004 call dword ptr [eax+4] ds:0023:01e50ad8=009330cd 0:000> dd esp [5] 0012f5d0 00000008 00000400 5c1896d6 00000000 0012f5e0 10cfefa0 00000000 10cfefa0 00120a00 0012f5f0 00000000 00000002 00000000 00000000 0012f600 00000000 00000000 00000000 00000000 0012f610 00000000 00000000 00000000 00000000 0012f620 0012f650 01b599ce ffffffff 0012f65c 0012f630 0097b206 13258fd0 1333cf98 5c1896a6 0012f640 00000000 10cfefa0 00000000 10cfefa0 0:000> p eax=13279000 ebx=00000400 ecx=00002000 edx=00000000 esi=10cfefa0 edi=13440fc0 eip=0097968f esp=0012f5d8 ebp=0012f62c iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212 FoxitReader_Lib_Full+0x57968f: 0097968f 8bcb mov ecx,ebx [6] ``` In the above windbg session, it can be observed that at [1], two bytes from ebx correspond to begining of segment data from the first segment. At [2], we can see that the saved bits are 0b10, corresponding to the SDTEMPLATE value. At [3] is the point where the paths for the two segments diverge, the segment data header doesn’t have “bitmap coding context used” bit set and then proceeds to the [4] where previously extracted SDTEMPLATE value is being tested. It’s not 0, so we get to [5] where a memory allocation function is called with 8 and 0x400 as parameters. THe returned value at [6] is in `eax` and is `0x13279000`. Next, the process continues to parse the second segment. A different path takes it to a slightly different part of the code. Because in the second segment, the “bitmap coding context used” bit it set, we land at the same test as before, but in a different location: ``` .text:009795A9 mov al, [edi+2Ch] .text:009795AC test al, al .text:009795AE jnz short loc_9795E3 ``` Again, the value of SDTEMPLATE is compared, but this time it will be 0, taking the following branch: ``` .text:009795B0 mov ebx, 10000h .text:009795B5 jmp short loc_9795F7 ``` Here we see the value in `ebx` being set to 0x10000 (the other branch sets it to 0x400 again) and it is subsequently used as a size argument to `memcpy`: ``` .text:009795F7 .text:009795F7 loc_9795F7: .text:009795F7 mov ecx, [esi] .text:009795F9 mov eax, [ecx] .text:009795FB push ebx .text:009795FC push 8 .text:009795FE call dword ptr [eax+4] ; .text:00979601 mov ecx, ebx .text:00979603 shl ecx, 3 .text:00979606 push ecx .text:00979607 mov ecx, [ebp+var_3C] .text:0097960A mov ecx, [ecx+2Ch] .text:0097960D push dword ptr [ecx+10h] .text:00979610 mov [ebp+var_1C], eax .text:00979613 push eax .text:00979614 call memcpy .text:00979619 add esp, 0Ch ``` If we observe the execution in the debugger, it can be seen ``` eax=11800000 ebx=00010000 ecx=11d14fe8 edx=00000000 esi=121a8fa0 edi=12c60fc0 eip=00979614 esp=0012f5cc ebp=0012f62c iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206 FoxitReader_Lib_Full+0x579614: 00979614 e844d51000 call FoxitReader_Lib_Full+0x686b5d (00a86b5d) 0:000> dd esp 0012f5cc 11800000 13279000 00080000 fda93eb8 0012f5dc 00000014 121a8fa0 00000000 121a8fa0 0012f5ec 00000100 126b8fd0 121acffc 00000000 0012f5fc 00000000 00000000 00000000 00000000 0012f60c 00000000 11800000 00000000 00000001 0012f61c 00000000 0012f650 01b599ce ffffffff 0012f62c 0012f65c 0097b206 11fe4fd0 131caf98 0012f63c fda93ec8 00000014 121a8fa0 00000000 ``` In the above windbg excerpt it can be seen that the memcpy call has the destination pointer at 0x11800000 , source pointer at 0x13279000 (which is our previously allocated buffer), and size of 0x80000. ``` 0:000> !heap -p -a 11800000 address 11800000 found in _DPH_HEAP_ROOT @ 6201000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 11fa2c64: 11800000 80000 - 117ff000 82000 11248e89 verifier!AVrfDebugPageHeapAllocate+0x00000229 77f8628e ntdll!RtlDebugAllocateHeap+0x00000030 77f4a6cb ntdll!RtlpAllocateHeap+0x000000c4 77f15d20 ntdll!RtlAllocateHeap+0x0000023a 0086a24a FoxitReader_Lib_Full+0x0046a24a ``` In the above, we can see that the destination is propperly sized for a 0x80000 `memcpy`. ``` 0:000> !heap -p -a 13279000 address 13279000 found in _DPH_HEAP_ROOT @ 6201000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 128a0e04: 13279000 2000 - 13278000 4000 11248e89 verifier!AVrfDebugPageHeapAllocate+0x00000229 77f8628e ntdll!RtlDebugAllocateHeap+0x00000030 77f4a6cb ntdll!RtlpAllocateHeap+0x000000c4 77f15d20 ntdll!RtlAllocateHeap+0x0000023a ``` The source, on the other hand, is not, leading to a large out of bounds heap read and eventually a crash: ``` 0:000> g (1aa0.1b64): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=11800000 ebx=00000000 ecx=1327b000 edx=11802000 esi=0001f800 edi=00080000 eip=00a86b8a esp=0012f5b8 ebp=0012f5c4 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 FoxitReader_Lib_Full+0x686b8a: 00a86b8a 8b19 mov ebx,dword ptr [ecx] ds:0023:1327b000=???????? ``` The application crashes due to an out of bounds read attempt at the guard page because Page Heap is enabled. When it’s not, and there other objects allocated on the heap past the source buffer, a memcpy could succeed potentially disclosing sensitive information. In order to trigger the vulnerability, a couple of conditions need to be met. First, there needs to exist a symbol dictionary segment which refers to another symbol dictionary segment. The referred-to segment needs to have SDTEMPLATE value other than 0, and must have “bitmap coding context used” unset, wheres the referee segment, must have SDTEMPLATE as 0, and “bitmap coding context used” set. ### Crash Information ``` 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: FoxitReader_Lib_Full+686b8a 00a86b8a 8b19 mov ebx,dword ptr [ecx] EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 00a86b8a (FoxitReader_Lib_Full+0x00686b8a) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 1327b000 Attempt to read from address 1327b000 CONTEXT: 00000000 -- (.cxr 0x0;r) eax=11800000 ebx=00000000 ecx=1327b000 edx=11802000 esi=0001f800 edi=00080000 eip=00a86b8a esp=0012f5b8 ebp=0012f5c4 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 FoxitReader_Lib_Full+0x686b8a: 00a86b8a 8b19 mov ebx,dword ptr [ecx] ds:0023:1327b000=???????? FAULTING_THREAD: 00001b64 PROCESS_NAME: FoxitReader_Lib_Full.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 1327b000 READ_ADDRESS: 1327b000 FOLLOWUP_IP: FoxitReader_Lib_Full+686b8a 00a86b8a 8b19 mov ebx,dword ptr [ecx] NTGLOBALFLAG: 2000000 APPLICATION_VERIFIER_FLAGS: 0 APP: foxitreader_lib_full.exe ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) x86fre BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_WRITE PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_BEFORE_WRITE DEFAULT_BUCKET_ID: INVALID_POINTER_READ_BEFORE_WRITE LAST_CONTROL_TRANSFER: from 00979619 to 00a86b8a STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0012f5c4 00979619 11800000 13279000 00080000 FoxitReader_Lib_Full+0x686b8a 0012f62c 0097b206 11fe4fd0 131caf98 fda93ec8 FoxitReader_Lib_Full+0x579619 0012f65c 0097b47c 11fe4fd0 131caf98 121a8fa0 FoxitReader_Lib_Full+0x57b206 0012f670 0097b51c 11fe4fd0 131caf98 fda93e30 FoxitReader_Lib_Full+0x57b47c 0012f6a4 0097b87b 131caf98 00000001 121a8fa0 FoxitReader_Lib_Full+0x57b51c 0012f6b8 0097bb0c 131caf98 fda93e78 00059088 FoxitReader_Lib_Full+0x57b87b 0012f6ec 00940b79 117a4f70 00000598 000007ea FoxitReader_Lib_Full+0x57bb0c 0012f718 008d404a 08672fc8 00000598 000007ea FoxitReader_Lib_Full+0x540b79 0012f77c 008d6ba8 131caf98 00000001 12c8afc0 FoxitReader_Lib_Full+0x4d404a 0012f79c 008d2b26 131caf98 10beefc8 0012f7c0 FoxitReader_Lib_Full+0x4d6ba8 0012f7ac 008d2d90 131caf98 00000001 12295fe8 FoxitReader_Lib_Full+0x4d2b26 0012f7c0 008d722a 131caf98 00000001 121bef80 FoxitReader_Lib_Full+0x4d2d90 0012f7d4 008d72bc 131caf98 0012f7fc 008fd121 FoxitReader_Lib_Full+0x4d722a 0012f7e0 008fd121 12295fe8 131caf98 13570fb0 FoxitReader_Lib_Full+0x4d72bc 0012f7fc 008ba42f 131caf98 13570fb0 00000000 FoxitReader_Lib_Full+0x4fd121 0012f814 008ba666 0012f800 132befe4 131caf98 FoxitReader_Lib_Full+0x4ba42f 0012f878 008ba8d2 131caf98 12058fd8 0012f9bc FoxitReader_Lib_Full+0x4ba666 0012f888 00db45d7 126b6fb0 10dcafc8 12f9efd8 FoxitReader_Lib_Full+0x4ba8d2 0012f9bc 00db4cb1 0ad9cfd0 00000008 fffff9df FoxitReader_Lib_Full+0x9b45d7 0012f9f4 00db5100 0ad9cfd0 131cafb0 0012fa20 FoxitReader_Lib_Full+0x9b4cb1 0012fa04 00db51fb 0ad9cfd0 12f9cf60 0ad9cfd0 FoxitReader_Lib_Full+0x9b5100 0012fa20 00db52c5 0ad9cfd0 0000073c 12f9cf60 FoxitReader_Lib_Full+0x9b51fb 0012fa34 00db567c 0ad9cfd0 12f9cf60 00db594f FoxitReader_Lib_Full+0x9b52c5 0012fa78 00db59e1 ef011cb7 0012fba4 005e6b0a FoxitReader_Lib_Full+0x9b567c 0012fa84 005e6b0a 00000001 fda93330 135b2d00 FoxitReader_Lib_Full+0x9b59e1 0012fba4 006cbec8 fda934c0 0000000f 135b2d00 FoxitReader_Lib_Full+0x1e6b0a 0012fc54 006c627e 0000000f 00000000 0225ec28 FoxitReader_Lib_Full+0x2cbec8 0012fc74 006ca23f 0000000f 00000000 00000000 FoxitReader_Lib_Full+0x2c627e 0012fce8 006ca2ce 135b2d00 00770e02 0000000f FoxitReader_Lib_Full+0x2ca23f 0012fd08 77d2c4e7 00770e02 0000000f 00000000 FoxitReader_Lib_Full+0x2ca2ce 0012fd34 77d25f9f 006ca298 00770e02 0000000f USER32!InternalCallWinProc+0x23 0012fdac 77d24f0e 04372ed4 006ca298 00770e02 USER32!UserCallWinProcCheckWow+0xe0 0012fe08 77d24f7d 04e82058 0000000f 00000000 USER32!DispatchClientMessage+0xda 0012fe30 77f0702e 0012fe48 00000018 0012fe94 USER32!__fnDWORD+0x24 0012fe5c 77d25d0c 77d25d33 05ed7ec8 fda4a0c4 ntdll!KiUserCallbackDispatcher+0x2e 0012fe60 77d25d33 05ed7ec8 fda4a0c4 05ed7ec8 USER32!NtUserDispatchMessage+0xc 0012fea4 77d2cc70 006ca298 00000000 0012fee4 USER32!DispatchMessageWorker+0x3d5 0012feb4 006c42ff 05ed7ec8 00000000 028a7bf0 USER32!DispatchMessageW+0xf 0012fee4 0199fb8e 00000000 00000000 7ffd7000 FoxitReader_Lib_Full+0x2c42ff 0012fef8 008656a9 00400000 00000000 0016aeb2 FoxitReader_Lib_Full!CryptUIWizExport+0x9384ce 0012ff88 77e2ee6c 7ffd7000 0012ffd4 77f23a03 FoxitReader_Lib_Full+0x4656a9 0012ff94 77f23a03 7ffd7000 595101e2 00000000 kernel32!BaseThreadInitThunk+0xe 0012ffd4 77f239d6 008656fc 7ffd7000 00000000 ntdll!__RtlUserThreadStart+0x70 0012ffec 00000000 008656fc 7ffd7000 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: .cxr 0x0 ; kb SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: foxitreader_lib_full+686b8a FOLLOWUP_NAME: MachineOwner MODULE_NAME: FoxitReader_Lib_Full IMAGE_NAME: FoxitReader.exe DEBUG_FLR_IMAGE_TIMESTAMP: 57a46fe3 FAILURE_BUCKET_ID: INVALID_POINTER_READ_BEFORE_WRITE_c0000005_FoxitReader.exe!Unknown BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_BEFORE_WRITE_foxitreader_lib_full+686b8a ANALYSIS_SOURCE: UM FAILURE_ID_HASH_STRING: um:invalid_pointer_read_before_write_c0000005_foxitreader.exe!unknown FAILURE_ID_HASH: {7d4ef754-f163-6f8a-daac-cd49c3177d6b} Followup: MachineOwner --------- ``` ### Timeline * 2016-09-06 - Vendor Disclosure * 2016-10-18 - Public Release
idSSV:96669
last seen2017-11-19
modified2017-10-12
published2017-10-12
reporterRoot
titleFoxit PDF Reader JBIG2 Parser Information Disclosure Vulnerability(CVE-2016-8334)

Talos

idTALOS-2016-0201
last seen2019-05-29
published2016-10-18
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0201
titleFoxit PDF Reader JBIG2 Parser Information Disclosure Vulnerability