**CVSS2:** AV:N/AC:L/Au:N/C:C/I:C/A:C (Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality Impact: Complete; Integrity Impact: Complete; Availability Impact: Complete)
**EPSS percentile:** 97.9%
**Title:** Foxit Reader Multiple Vulnerabilities
**Advisory ID:** CORE-2009-0218
**Advisory URL:** www.coresecurity.com/core-labs/advisories/foxit-reader-vulnerabilities
**Date published:** 2009-03-09
**Date of last update:** 2009-03-09
**Vendors contacted:** Foxit Software
**Release mode:** Coordinated release
**Class:** Authorization bypass, Buffer overflow
**Remotely Exploitable:** Yes
**Locally Exploitable:** No
**Bugtraq ID:** 34035
**CVE Name:** CVE-2009-0836, CVE-2009-0837
Foxit Reader is a lightweight, free PDF document viewer and printer. PDF files may include actions (e.g., Go to a page view, Open/Execute a file, Open a web link, Execute a menu item) associated with different triggers (e.g., Mouse Up, Mouse Down, Page Visible, Page Invisible). The way Foxit Reader handles an Open/Execute a file action makes the software victim of two kinds of vulnerabilities: authorization bypass and buffer overflow.
The latest version 3.0 build 1506 of Foxit Reader has been released. Please download the latest version from <http://www.foxitsoftware.com/downloads/> and visit the Foxit security page for details at <http://www.foxitsoftware.com/pdf/reader/security.htm>.
These vulnerabilities were discovered and researched by Francisco Falcón from Core Security.
PDF files may include actions (e.g., Go to a page view, Open/Execute a file, Open a web link, Execute a menu item) associated with different triggers (e.g., Mouse Up, Mouse Down, Page Visible, Page Invisible). The way Foxit Reader handles an Open/Execute a file action makes the software victim of two kinds of vulnerabilities.
The first one is an authorization bypass vulnerability (CVE-2009-0836). If an Open/Execute a file action is defined in the PDF file, then when the trigger condition is satisfied Foxit Reader will open/execute the file defined by the creator of the PDF file without asking the user for confirmation.
The second one is a stack-based buffer overflow (CVE-2009-0837). If an Open/Execute a file action is defined in the PDF file with an overly long filename argument, then when the trigger condition is satisfied it will cause a stack-based buffer overflow, because the application tries to copy the filename argument to a fixed-size buffer on the stack without properly checking that the buffer is large enough to hold the filename string.
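The action the advisory calls "Open/Execute a file" is, in PDF syntax, the Launch action (`/S /Launch`, with the target file in the `/F` entry); that naming comes from the PDF specification, not from the advisory. As an added example (not Core Security's or Foxit's code), the following C scanner reports every Launch action found in an uncompressed PDF fragment, since the reader runs them without confirmation, and additionally flags any whose `/F` literal string exceeds an assumed 260-byte (MAX_PATH) limit. The sample PDF is constructed inline; a real detector would first inflate object streams and resolve indirect `/F` references, which this scanner does not attempt.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 260 (MAX_PATH) as the "implausibly long /F" threshold is an assumption, not a value
 * from the advisory. Every Launch action is counted regardless of length, because the
 * reader runs it without asking the user. Works on uncompressed object syntax only. */
#define F_LEN_LIMIT 260

typedef struct {
    int launch_actions, measured, over_limit;  /* Launch dicts seen, /F literals decoded, /F longer than limit */
    size_t max_f_len;                          /* longest decoded /F string, in bytes */
} launch_report;

static const char *find_fwd(const char *p, const char *end, const char *needle)
{
    size_t n = strlen(needle);
    for (; p < end && (size_t)(end - p) >= n; p++)
        if (memcmp(p, needle, n) == 0) return p;
    return NULL;
}

static bool is_ws(char c) { return c && strchr(" \t\r\n", c); }

/* Decoded length of the PDF literal string whose '(' is at p: nested balanced parentheses
 * and backslash escapes (\ddd octal is one byte). Returns (size_t)-1 if unterminated. */
static size_t literal_len(const char *p, const char *end)
{
    int depth = 0;
    size_t len = 0;
    for (; p < end; p++) {
        if (*p == '\\') {                               /* escape: \ddd or \x, one byte either way */
            if (++p >= end) break;
            for (int k = 0; k < 2 && *p >= '0' && *p <= '7' && p + 1 < end && p[1] >= '0' && p[1] <= '7'; k++) p++;
            len++;
        } else if (*p == '(') { if (depth++ > 0) len++; }
        else if (*p == ')') { if (--depth == 0) return len; len++; }
        else len++;
    }
    return (size_t)-1;
}

/* Find each /Launch, then look for the /F key anywhere inside the same << >> dictionary
 * (PDF key order is not fixed) and measure its value when it is a literal string. */
launch_report scan_for_launch(const char *pdf, size_t pdf_len)
{
    launch_report r = {0, 0, 0, 0};
    const char *end = pdf + pdf_len, *cur = pdf, *hit;
    while ((hit = find_fwd(cur, end, "/Launch")) != NULL) {
        r.launch_actions++;
        const char *ds = hit, *de = find_fwd(hit, end, ">>");
        while (ds > pdf && memcmp(ds, "<<", 2) != 0) ds--;   /* enclosing dictionary start */
        if (!de) de = end;
        for (const char *f = find_fwd(ds, de, "/F"); f; f = find_fwd(f + 2, de, "/F")) {
            if (f + 2 < de && !is_ws(f[2]) && !strchr("(</", f[2]))
                continue;                                   /* skip /First, /FT, /Filter, ... */
            const char *v = f + 2;
            while (v < de && is_ws(*v)) v++;
            if (v < de && *v == '(') {                      /* hex strings, file-spec dicts stay unmeasured */
                size_t n = literal_len(v, de);
                if (n != (size_t)-1) {
                    r.measured++;
                    if (n > r.max_f_len) r.max_f_len = n;
                    if (n > F_LEN_LIMIT) r.over_limit++;
                }
            }
            break;
        }
        cur = de;
    }
    return r;
}

/* Constructed, uncompressed PDF fragment (not a real-world file): a URI action, a Launch
 * action whose short relative /F precedes /S, and a Launch action whose /F is long_len 'A's. */
size_t build_sample_pdf(char *buf, size_t cap, size_t long_len)
{
    const char *head =
        "%PDF-1.4\n"
        "3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid) >> >> endobj\n"
        "4 0 obj << /Type /Action /F (..\\\\docs\\\\readme.txt) /S /Launch >> endobj\n"
        "5 0 obj << /Type /Action /S /Launch /F (";
    const char *tail = ") >> endobj\n";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + long_len + tl + 1 > cap) return 0;             /* caller's buffer too small */
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', long_len);
    memcpy(buf + hl + long_len, tail, tl + 1);
    return hl + long_len + tl;
}

int main(void)
{
    char pdf[2048];
    launch_report r = scan_for_launch(pdf, build_sample_pdf(pdf, sizeof pdf, 300));
    printf("Launch actions: %d, measured /F strings: %d, longest /F: %zu bytes, over %d: %d\n",
           r.launch_actions, r.measured, r.max_f_len, F_LEN_LIMIT, r.over_limit);
    return 0;
}
```

Because the authorization bypass applies to any Launch action, the report counts all of them and treats the length check only as a second, independent signal for the overflow case.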
If an Open/Execute a file action is defined in a PDF file, then when the trigger condition is satisfied Foxit Reader first determines whether the filename argument is a relative path:

```
00403029 |> 50              PUSH EAX                                        ; /Path
0040302A |. FF15 10278D00   CALL DWORD PTR DS:[<&SHLWAPI.PathIsRelativeA>]  ; \PathIsRelativeA
```
If the PathIsRelativeA API returns True, Foxit Reader prepends the path of the current PDF file to the filename string. If the filename argument is large enough, this causes a stack-based buffer overflow when the application concatenates the path and the filename:

```
004030B2 |> 55              PUSH EBP                                 ; /Arg5
004030B3 |. 50              PUSH EAX                                 ; |Arg4 = filename with relative path
004030B4 |. 8D8424 600500>  LEA EAX,DWORD PTR SS:[ESP+560]           ; |
004030BB |. 8D8C24 200400>  LEA ECX,DWORD PTR SS:[ESP+420]           ; |
004030C2 |. 50              PUSH EAX                                 ; |Arg3 = path of the current PDF file
004030C3 |. 55              PUSH EBP                                 ; |Arg2
004030C4 |. 51              PUSH ECX                                 ; |Arg1 = destination stack buffer
004030C5 |. E8 06ED0A00     CALL Foxit_Re.004B1DD0                   ; \Foxit_Re.004B1DD0
```
Inside the function beginning at address 004B1DD0, the application first copies the path of the current PDF file to the buffer located on the stack:

```
004B1DED |> 8B75 08         MOV ESI,DWORD PTR SS:[EBP+8]             ; ESI = destination stack buffer
004B1DF0 |> 8B55 10         MOV EDX,DWORD PTR SS:[EBP+10]            ; EDX = path of the current PDF file
004B1DF3 |. 85D2            TEST EDX,EDX
004B1DF5 |. 8BCA            MOV ECX,EDX
004B1DF7 |. 74 28           JE SHORT Foxit_Re.004B1E21
004B1DF9 |. 8A02            MOV AL,BYTE PTR DS:[EDX]
004B1DFB |. 84C0            TEST AL,AL
004B1DFD |. 74 22           JE SHORT Foxit_Re.004B1E21
004B1DFF |> 8806            /MOV BYTE PTR DS:[ESI],AL                ; copy path to stack buffer
004B1E01 |. 8A41 01         |MOV AL,BYTE PTR DS:[ECX+1]
004B1E04 |. 46              |INC ESI
004B1E05 |. 41              |INC ECX
004B1E06 |. 84C0            |TEST AL,AL
004B1E08 |.^ 75 F5          \JNZ SHORT Foxit_Re.004B1DFF
```
After that, it appends the filename string:

```
004B1E1D |. C606 5C         MOV BYTE PTR DS:[ESI],5C                 ; append a '\' at the end of the path
004B1E20 |. 46              INC ESI                                  ; point to the next destination byte
004B1E21 |> 8B45 14         MOV EAX,DWORD PTR SS:[EBP+14]            ; EAX = filename with relative path
004B1E24 |. 85C0            TEST EAX,EAX
004B1E26 |. 8BC8            MOV ECX,EAX
004B1E28 |. 74 0F           JE SHORT Foxit_Re.004B1E39
004B1E2A |. 8A00            MOV AL,BYTE PTR DS:[EAX]
004B1E2C |> 84C0            /TEST AL,AL
004B1E2E |. 74 09           |JE SHORT Foxit_Re.004B1E39
004B1E30 |. 8806            |MOV BYTE PTR DS:[ESI],AL                ; copy filename to stack buffer
004B1E32 |. 8A41 01         |MOV AL,BYTE PTR DS:[ECX+1]
004B1E35 |. 46              |INC ESI
004B1E36 |. 41              |INC ECX
004B1E37 |.^ EB F3          \JMP SHORT Foxit_Re.004B1E2C
```
Otherwise, if the filename argument is an absolute path, Foxit Reader simply copies the filename to a buffer on the stack without checking its length:

```
004030FE |. 8BF7            MOV ESI,EDI                                     ; ESI = source filename argument
00403100 |. 8BFA            MOV EDI,EDX                                     ; EDI = destination stack buffer
00403102 |. C1E9 02         SHR ECX,2                                       ; ECX = number of dwords to copy
00403105 |. F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]  ; BUFFER OVERFLOW
```
In both cases, with relative or absolute path, if the filename is large enough, it will cause a buffer overflow in the stack, making it possible for the attacker to overwrite return addresses and the Structured Exception Handler, allowing the execution of arbitrary code with the privileges of the current user.
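Both copy paths reduce to the same defect: data of attacker-chosen length is concatenated into a fixed-size stack buffer without ever comparing the combined length against the buffer's capacity. As an added example (not Foxit's code, but a C reconstruction of the behaviour the disassembly shows), the following places that pattern next to a hardened version that computes the required size first and refuses input that does not fit. The 260-byte (MAX_PATH) buffer size and the `path_is_relative` stand-in for `PathIsRelativeA` are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer. 260 bytes (MAX_PATH) is an assumption for this
 * reconstruction; the advisory does not state the real buffer size. */
#define DEST_SIZE 260

typedef enum { JOIN_OK = 0, JOIN_TOO_LONG = 1 } join_result;

/* Stand-in for SHLWAPI PathIsRelativeA: a drive-letter prefix or a leading
 * separator means absolute (or UNC); anything else is relative. */
static bool path_is_relative(const char *p)
{
    if (p[0] == '\\' || p[0] == '/')
        return false;                                   /* \dir\file, \\server\share */
    if (((p[0] >= 'A' && p[0] <= 'Z') || (p[0] >= 'a' && p[0] <= 'z')) && p[1] == ':')
        return false;                                   /* C:\dir\file */
    return true;
}

/* VULNERABLE pattern, reconstructed from the copy loops at 004B1DFF/004B1E2C
 * and the REP MOVS at 00403105: both branches copy until the NUL terminator
 * and never consult the size of dest. Kept for contrast only. */
static void build_target_unsafe(char *dest, const char *pdf_dir, const char *filename)
{
    if (!path_is_relative(filename)) {
        strcpy(dest, filename);                         /* 00403105: unbounded copy */
        return;
    }
    char *d = dest;
    if (pdf_dir && *pdf_dir) {
        while (*pdf_dir) *d++ = *pdf_dir++;             /* 004B1DFF: copy path */
        *d++ = '\\';                                    /* 004B1E1D: append separator */
    }
    while (*filename) *d++ = *filename++;               /* 004B1E30: append filename */
    *d = '\0';
}

/* HARDENED form: compute the required size first and refuse when
 * dir + '\' + filename + NUL would not fit. Refusing rather than truncating
 * matters here, because a truncated path would silently name a different file. */
static join_result build_target_safe(char *dest, size_t dest_size,
                                     const char *pdf_dir, const char *filename)
{
    size_t name_len = strlen(filename);

    if (!path_is_relative(filename)) {
        if (name_len + 1 > dest_size) return JOIN_TOO_LONG;
        memcpy(dest, filename, name_len + 1);
        return JOIN_OK;
    }

    size_t dir_len = (pdf_dir && *pdf_dir) ? strlen(pdf_dir) : 0;
    size_t sep_len = dir_len ? 1 : 0;                   /* the original skips '\' for an empty dir */
    if (dir_len + sep_len + name_len + 1 > dest_size) return JOIN_TOO_LONG;

    if (dir_len) memcpy(dest, pdf_dir, dir_len);
    if (sep_len) dest[dir_len] = '\\';
    memcpy(dest + dir_len + sep_len, filename, name_len + 1);
    return JOIN_OK;
}

int main(void)
{
    char dest[DEST_SIZE];
    char long_name[400];                                /* constructed over-long relative filename */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    build_target_unsafe(dest, "C:\\docs", "readme.txt"); /* short input: both versions agree */
    printf("unsafe: %s\n", dest);
    if (build_target_safe(dest, sizeof dest, "C:\\docs", "readme.txt") == JOIN_OK)
        printf("safe:   %s\n", dest);
    if (build_target_safe(dest, sizeof dest, "C:\\docs", long_name) == JOIN_TOO_LONG)
        printf("safe:   refused %zu-byte filename (limit %d bytes)\n", strlen(long_name), DEST_SIZE);
    return 0;
}
```

The size check deliberately counts the separator and the terminating NUL, so a name that fills the buffer exactly is accepted and one byte more is rejected; off-by-one errors in exactly that accounting are a common way a "fixed" concatenation stays exploitable.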
Attackers may embed JavaScript code in the PDF file to spray the heap with their shellcode before triggering the buffer overflow vulnerability.
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: www.coresecurity.com/corelabs.
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Core Security is based in Boston, MA and Buenos Aires, Argentina, and is on the web at www.coresecurity.com.
The contents of this advisory are copyright © 2009 Core Security Technologies and © 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.