Vulnerabilities > CVE-2017-10951 - OS Command Injection vulnerability in Foxitsoftware Foxit Reader 8.3.0.14878

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
foxitsoftware
CWE-78
nessus

Summary

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.0.14878. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within app.launchURL method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4724.

Vulnerable Configurations

Part Description Count
Application
Foxitsoftware
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Command Delimiters
    An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
  • OS Command Injection
    In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

Nessus

  • NASL familyWindows
    NASL idFOXIT_PHANTOM_8_3_2.NASL
    descriptionAccording to its version, the Foxit PhantomPDF application (formally known as Phantom) installed on the remote Windows host is prior to 8.3.2. It is, therefore, affected by multiple vulnerabilities: - A flaw exists in the app.launchURL() method allowing a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-10951) - A flaw in the saveAs() JavaScript function that allows a context-dependent attacker to write to arbitrary files and potentially execute arbitrary code. (CVE-2017-10952) - A flaw that is triggered during the handling of the createDataObject() function calls that may allow an attacker to create arbitrary executable files on the local system. - A flaw exists that is triggered during the handling of xfa.host.gotoURL() function calls that may allow an attacker to execute arbitrary commands.
    last seen2020-04-30
    modified2017-08-31
    plugin id102858
    published2017-08-31
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102858
    titleFoxit PhantomPDF < 8.3.2 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102858);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");
    
      script_cve_id(
        "CVE-2017-10951",
        "CVE-2017-10952"
      );
      script_bugtraq_id(
        100409,
        100412
      );
      script_xref(name:"ZDI", value:"ZDI-17-691");
      script_xref(name:"ZDI", value:"ZDI-17-692");
    
      script_name(english:"Foxit PhantomPDF < 8.3.2 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Foxit PhantomPDF.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A PDF toolkit installed on the remote Windows host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description",  value:
    "According to its version, the Foxit PhantomPDF application (formally
    known as Phantom) installed on the remote Windows host is prior to
    8.3.2. It is, therefore, affected by multiple vulnerabilities:
    
      - A flaw exists in the app.launchURL() method allowing
        a context-dependent attacker to potentially execute
        arbitrary code. (CVE-2017-10951)
    
      - A flaw in the saveAs() JavaScript function that allows
        a context-dependent attacker to write to arbitrary
        files and potentially execute arbitrary code.
        (CVE-2017-10952)
    
      - A flaw that is triggered during the handling of the
        createDataObject() function calls that may allow an
        attacker to create arbitrary executable files on the
        local system. 
    
      - A flaw exists that is triggered during the handling of
        xfa.host.gotoURL() function calls that may allow an
        attacker to execute arbitrary commands.");
      script_set_attribute(attribute:"see_also", value:"https://www.foxitsoftware.com/support/security-bulletins.php");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-691/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-692/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Foxit PhantomPDF version 8.3.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-10951");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/31");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantom");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantompdf");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("foxit_phantom_installed.nasl");
      script_require_keys("installed_sw/FoxitPhantomPDF");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    app = 'FoxitPhantomPDF';
    
    app_info = vcf::get_app_info(app:app, win_local:TRUE);
    
    constraints = [{
      'min_version' : '8.0',
      'max_version' : '8.3.1.21155',
      'fixed_version' : '8.3.2'
      }];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL familyWindows
    NASL idFOXIT_READER_8_3_2.NASL
    descriptionThe version of Foxit Reader installed on the remote Windows host is prior to 8.3.2. It is, therefore, affected by multiple vulnerabilities: - A flaw exists in the app.launchURL() method allowing a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-10951) - A flaw in the saveAs() JavaScript function that allows a context-dependent attacker to write to arbitrary files and potentially execute arbitrary code. (CVE-2017-10952) - A flaw that is triggered during the handling of the createDataObject() function calls that may allow an attacker to create arbitrary executable files on the local system. - A flaw exists that is triggered during the handling of xfa.host.gotoURL() function calls that may allow an attacker to execute arbitrary commands.
    last seen2020-06-01
    modified2020-06-02
    plugin id102859
    published2017-08-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102859
    titleFoxit Reader < 8.3.2 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102859);
      script_version("1.9");
      script_cvs_date("Date: 2019/01/30 12:11:05");
    
      script_cve_id(
        "CVE-2017-10951",
        "CVE-2017-10952"
      );
      script_bugtraq_id(
        100409,
        100412
      );
      script_xref(name:"ZDI", value:"ZDI-17-691");
      script_xref(name:"ZDI", value:"ZDI-17-692");
    
      script_name(english:"Foxit Reader < 8.3.2 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Foxit Reader.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A PDF viewer installed on the remote Windows host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description",  value:
    "The version of Foxit Reader installed on the remote Windows host is
    prior to 8.3.2. It is, therefore, affected by multiple
    vulnerabilities:
    
      - A flaw exists in the app.launchURL() method allowing
        a context-dependent attacker to potentially execute
        arbitrary code. (CVE-2017-10951)
    
      - A flaw in the saveAs() JavaScript function that allows
        a context-dependent attacker to write to arbitrary
        files and potentially execute arbitrary code.
        (CVE-2017-10952)
    
      - A flaw that is triggered during the handling of the
        createDataObject() function calls that may allow an
        attacker to create arbitrary executable files on the
        local system.
    
      - A flaw exists that is triggered during the handling of
        xfa.host.gotoURL() function calls that may allow an
        attacker to execute arbitrary commands.");
      script_set_attribute(attribute:"see_also", value:"https://www.foxitsoftware.com/support/security-bulletins.php");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-691/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-692/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Foxit Reader version 8.3.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-10951");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/31");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:foxit_reader");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("foxit_reader_installed.nasl");
      script_require_keys("installed_sw/Foxit Reader");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    app = 'Foxit Reader';
    
    app_info = vcf::get_app_info(app:app, win_local:TRUE);
    
    constraints = [{
      'min_version' : '8.0',
      'max_version' : '8.3.1.21155',
      'fixed_version' : '8.3.2'
      }];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    

Seebug

bulletinFamilyexploit
description### A tale about Foxit Reader - Safe Reading mode and other vulnerabilities Some days ago someone send me the following link, which describes two vulnerabilities in Foxit Reader: http://thehackernews.com/2017/08/two-critical-zero-day-flaws-disclosed.html These two vulnerabilities are similar to the behavior of Foxit Reader I presented at Appsec Belfast 2017. Unfortunately the recording was never published, so I decided it's time for a blog post to give some additional information about these vulnerabilities. First I have to describe the implemented security model in Foxit Reader. #### Safe-Reading mode Foxit Reader implements a one-line defense, the so-called "Safe-Reading mode". It is enabled by default. In case it is enabled it prohibits the execution of scripts and other features, which can harm the security of the end user. During my presentation I said, that this feature should never ever be disabled. In case a vulnerability requires a disabled "Safe-Reading mode", Foxit will mostly not patch it. This is true for the two "vulnerabilities" described in the link above. ##### Note: Apparently Foxit decided to provide a patch for the two vulnerabilities mentioned in the hackernews blog post. https://www.zerodayinitiative.com/blog/2017/8/17/busting-myths-in-foxit-reader Short quote extracted from the Foxit statement: "Foxit Software is deeply committed to delivering secure PDF products to its customers. Our track record is strong in responding quickly in fixing vulnerabilities [...]" So lets continue talking about my similar findings, one of which is still unfixed. #### Execute local file * Reported: 5.5.2017 to Foxit Security team * Security bulletin released: 4.7.2017 https://www.foxitsoftware.com/de/support/security-bulletins.php * Function call: xfa.host.gotoURL * Reality: Still Unfixed. Not protected by Safe-Reading mode! * Tested Foxit version: 8.3.1.21155 CVE-2017-10951 is abusing the app.launchURL JavaScript call to execute a local program, without any user interaction. I am using another function with a similar functionality called xfa.host.gotoURL. By reading the specification it can be seen that normally these functions accept a URL, which is opened in a new browser window. So far so simple. I assume CVE-2017-10951 used the same URL I did to execute a local program (I am not 100% sure as no exact details are public). Instead of passing a http/https URL to xfa.host.gotoURL I used the file:/// protocol handler. To execute cmd.exe. The following file:/// URL is enough: ``` xfa.host.gotoURL("file:///c:/windows/system32/cmd.exe"); ``` One difference between app.launchURL and xfa.host.gotoURL is this one: xfa.host.gotoURL is not protected by the safe reading mode or as I described in my email to the Foxit security team: The XFA standard defines the xfa.host.gotoURL function call, which should load an URL. I discovered that this function is not protected by the Trust Manager, nor does it check the specified protocol. The following example will open "cmd.exe" without any user interaction: ``` xfa.host.gotoURL("file:///C:/windows/system32/cmd.exe"); ``` I have no idea why Foxit did not patch my vulnerability but hopefully they do now! Note: This is not a full "Safe Reading Mode" bypass. This only works for this exact function call! Have fun with the PoC (it opens cmd.exe and calc.exe. When you close the PDF it will open explorer.exe): https://drive.google.com/open?id=0B2HQuxIrwJ53a1hNS2pSYTZzdU0 https://www.youtube.com/watch?v=CWu4OHwtzm8 #### File execution - limitations: 1) It is not possible to pass parameters to the executed program. Maybe it is possible via app.launchURL but the text/video does not contain any hint that this is the case. 2) When the file:/// protocol handler is pointing to an executable, which is stored on a SMB share, the Windows operating system will trigger a warning box asking the user for confirmation to execute the program. 3) In case the handler is pointing to a currently downloaded file (most likely via the web browser), Windows will once again ask the user for confirmation before the program is executed. Downloaded files contain a so-called "Zone Identifier". This identifier contains information about the source of the executable. In case a file is downloaded from a website like example.com, it will contain a Zone Identifier of 3. A ZI of 3 always triggers a warning dialog before the file is executed (note: there are some exceptions to this rule). I am aware of one possible way to bypass these restrictions but this will require another blog post ;) Drop a file to the local file system I reported my finding in 2016 via ZDI in combination with the safe-reading mode bypass: http://www.zerodayinitiative.com/advisories/ZDI-16-396/ Reality: Patched in combination with the Safe-Reading mode bypass in 2016. It is still working with disabled Safe-Reading mode (as intended I assume) Lets move on the next vulnerability described in the link above. Once again I used a different function call with the same functionality. I think you can see a pattern ^^. CVE-2017-10592 is using the this.saveAs function call to drop a file to the local file system. I always used the xfa.host.exportData function to achieve the same functionality. Both function accept a device independent path (the PDF way to define a local path, independent of the operating system) to store a file. As the file path is completely user controlled, the file extension can be chosen freely. In case of the saveAs function, the stored PDF file itself can be converted to other file types although I do not know if Foxit Reader actually supports this functionality. The xfa.host.exportData function call exports a XML structure. As it is either really difficult or even impossible to drop a valid executable (as the attacker has no full control of the content of the file), the easiest way to exploit this kind of vulnerability on the Windows operating system is dropping a HTML application (.hta). A HTML application behaves like a normal HTML file (eg. any characters, which are no valid HTML elements are happily ignored) but it has access to powerful JavaScript API calls, which allow to execute programs with parameters, local file access and more. All the attacker has to do is embedding a valid script tag inside the PDF structure and ensure that is stored in the created HTA file. By dropping this kind of file into the startup folder, the attacker just has to wait for the victim to restart his PC. In case the attacker does not want to wait for a restart, he can drop his malicious HTA file and use the before mentioned functionality to immediately execute it (the dropped file does not have a Zone Identifier). Proof-of-Concept (the PoC stores no real payload in the dropped file): 1. Open the PoC in Foxit Reader 2. Disable Safe Reading mode 3. Restart Foxit Reader 4. Open the PDF 5. Close it. A file called evilHTA.hta will be dropped on the desktop. PoC: https://drive.google.com/open?id=0B2HQuxIrwJ53cGxPUndCdWY3T28 In case you are wondering why the onclose event is used, I can tell you a near null exception crashes Foxit Reader. So this was a short introduction about Foxit Reader and why you should never disable the Safe Reading mode. But wait... is there a way to bypass the "Safe-Reading mode"? The following bypass is fixed but maybe it inspires someone to search for new bypasses :) #### [+] Fixed: Safe-Reading mode bypass When I started to play with Foxit Reader I did not read anything about the implemented security and instead just jumped right into it. I used different functions, which I know could introduce security problems until I tried xfa.host.exportData. Suddenly my file was dropped without any user interaction. My first reaction was: "WTF? This can't be real. There should be some security protection in place." So I started to research and discovered: I bypassed the safe-reading mode without even realizing it ^^ Basically what I used while researching was XFA. XFA is a XML structure defined in the PDF standard, which defines everything related to forms in PDF. It allows to define buttons, text boxes and more. Additionally, similar to HTML, you can react to events triggered for each element and the document itself. This allows you to specify JavaScript, which is executed as soon as the event is fired. A simplified example to understand the concept is provided by corkami: https://raw.githubusercontent.com/corkami/pocs/master/pdf/formevent_js.pdf In my case I reacted to the "initialized" event for my created button element. As you can possible guess, this event is fired every time the element is initialized and therefore it fires really early during the parsing of the PDF structure. And this was all needed to bypass the "Safe-Reading" mode. Apparently the event fired so early that the mode was not initialized or they forgot to apply it for this event too.
idSSV:96369
last seen2017-11-19
modified2017-08-22
published2017-08-22
reporterRoot
titleFoxit Reader command injection(CVE-2017-10951)and file writing Vulnerability(CVE-2017-10952)

The Hacker News

idTHN:CBCEED8BA05EE4923A1A19AB316C5227
last seen2018-01-27
modified2017-08-21
published2017-08-17
reporterWang Wei
sourcehttps://thehackernews.com/2017/08/two-critical-zero-day-flaws-disclosed.html
titleTwo Critical Zero-Day Flaws Disclosed in Foxit PDF Reader