Talos Vulnerability Report

TALOS-2024-1989

Foxit Reader Updater improper certificate validation privilege escalation vulnerability

May 28, 2024
CVE Number

CVE-2024-29072

SUMMARY

A privilege escalation vulnerability exists in Foxit Reader 2024.2.0.25138. The vulnerability occurs due to improper certificate validation of the updater executable before it is executed. A low-privileged user can trigger the update action, which can result in unexpected elevation of privilege.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 2024.2.0.25138

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.2 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-295 - Improper Certificate Validation

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

Foxit PDF Reader is vulnerable to privilege escalation when it performs an update. Foxit PDF Reader can be updated by clicking Help -> About Foxit PDF Reader -> Check For Update. When the Check For Update button is clicked, the following actions are performed internally:

  1. FoxitPDFReader.exe writes the FoxitPDFReaderUpdater.exe file in the %APPDATA%\Foxit Software\Continuous\Addon\Foxit PDF Reader folder. The FoxitPDFReader.exe process runs in the context of the USER.
  2. Next, FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the FoxitPDFReaderUpdater.exe file to retrieve its certificate information. This call only verifies whether FoxitPDFReaderUpdater.exe is signed or not. The FoxitPDFReaderUpdateService.exe process doesn’t validate the certificate after retrieving it. FoxitPDFReaderUpdateService.exe runs in the context of SYSTEM.

      if ( !CryptQueryObject(
                 1u,
                 v40,
                 0x400u,
                 2u,
                 0,
                 &pdwMsgAndCertEncodingType,
                 &pdwContentType,
                 pdwFormatType,
                 &phCertStore,
                 &phMsg,
                 0) )
         {
           dank_write_to_log_lib(L"No signature information");
     LABEL_120:
           LOBYTE(v100) = 10;
           v55 = (char *)v81 - 16;
    
  3. If FoxitPDFReaderUpdater.exe is signed, FoxitPDFReaderUpdateService.exe calls CreateProcessAsUser to execute FoxitPDFReaderUpdater.exe in the context of SYSTEM.

         v57 = CreateProcessAsUserW(
                 phNewToken,
                 0,
                 (LPWSTR)v34,
                 0,
                 0,
                 0,
                 dwCreationFlags,
                 Environment,
                 0,
                 &StartupInfo,
                 &ProcessInformation);
         v77 = v57;
         GetLastError();
         if ( v57 && ProcessInformation.hProcess )
         {
           v58 = GetLastError();
           sub_B24560(L"Session0ShellExecute CreateProcessAsUser success,before wait GetLastError = %d", v58);
    

The default user has full control over the FoxitPDFReaderUpdater.exe file which can be verified using the icacls utility as follows:

icacls "C:\Users\dev\AppData\Roaming\Foxit Software\Continuous\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe"
C:\Users\dev\AppData\Roaming\Foxit Software\Continuous\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                                                                    BUILTIN\Administrators:(I)(F)
                                                                                                    DESKTOP-JNJPO4R\dev:(I)(F)

It can be observed that the user DESKTOP-JNJPO4R\dev has full control over the file. This means the file can be deleted or created by a normal user.

Note that the SYSTEM service does not verify the signature before running the FoxitPDFReaderUpdater.exe executable; it only checks that a signature is present. The signtool.exe utility, which ships with Visual Studio, can be used to sign an application. To pass the CryptQueryObject call, a user-controlled application can be signed with it using a self-signed certificate. Once an executable is signed, this vulnerability can be exploited using the following steps:

  1. Set an oplock on %APPDATA%\Foxit Software\Continuous\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe.
  2. Click Check For Update. The FoxitPDFReader.exe process tries to overwrite FoxitPDFReaderUpdater.exe, but due to the oplock it is forced to wait. This invokes the oplock callback.
  3. In the oplock callback, the exploit waits for the new FoxitPDFReaderUpdater.exe to be created. Once it is created, the exploit replaces the original FoxitPDFReaderUpdater.exe with the user-controlled signed executable.
  4. FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the user-controlled signed executable. Because the executable is signed, this call succeeds.
  5. FoxitPDFReaderUpdateService.exe calls CreateProcessAsUser to execute the user-controlled signed executable.

The execution of the user-controlled signed executable constitutes privilege escalation as the execution is performed with SYSTEM privileges.
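The two conditions the advisory describes, a user-writable updater binary and a signature check that tests only for presence, can both be audited from an administrative PowerShell session. The script below is an added example written for this report; it is not Foxit's code and not part of the original advisory. It checks whether any non-administrative principal holds write or delete rights on the updater path (the condition the icacls output above shows), and then validates the Authenticode signature the way the SYSTEM service should have: the chain must verify to a trusted root (Status 'Valid', which a self-signed certificate does not produce) and the signer subject must match the expected publisher. The expected-publisher pattern is a placeholder assumption, not a value from the advisory.

```powershell
# Added audit example (not Foxit's code): evaluate an updater binary the way a
# SYSTEM service should before launching it.
#   Check 1: is the file writable by unprivileged users? (the advisory's icacls finding)
#   Check 2: does the Authenticode signature chain to a trusted root AND belong to
#            the expected publisher? (what CryptQueryObject alone does not establish)
param(
    [string]$Path = "$env:APPDATA\Foxit Software\Continuous\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe",
    # ASSUMPTION / placeholder: replace with the vendor's real signing-certificate subject.
    [string]$ExpectedSubjectPattern = '*CN=<EXPECTED-PUBLISHER-PLACEHOLDER>*'
)

function Test-UnprivilegedWriteAccess {
    param([Parameter(Mandatory)][string]$FilePath)
    $acl = Get-Acl -LiteralPath $FilePath
    # Rights that let a principal modify, delete, or replace the binary.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $privileged = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($privileged -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            # A non-admin principal (e.g. the interactive user) can swap the file.
            return $true
        }
    }
    return $false
}

function Test-TrustedUpdaterSignature {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$SubjectPattern
    )
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    # 'Valid' means the signature verifies and the chain ends in a trusted root.
    # Merely being signed (what CryptQueryObject reports) is not enough: a
    # self-signed certificate yields a non-Valid status here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }
    # Even a validly chained signature must come from the expected publisher,
    # otherwise any certificate trusted by the machine would pass.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike $SubjectPattern) {
        return [pscustomobject]@{ Trusted = $false; Reason = "Unexpected signer: $subject" }
    }
    return [pscustomobject]@{ Trusted = $true; Reason = "Signed by $subject" }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Updater not present at $Path"
    return
}

$writable  = Test-UnprivilegedWriteAccess -FilePath $Path
$sigResult = Test-TrustedUpdaterSignature -FilePath $Path -SubjectPattern $ExpectedSubjectPattern

[pscustomobject]@{
    Path                 = $Path
    UserWritable         = $writable
    SignatureTrusted     = $sigResult.Trusted
    Detail               = $sigResult.Reason
    # Both conditions must hold before a SYSTEM service should launch the file.
    SafeToLaunchAsSystem = (-not $writable) -and $sigResult.Trusted
}
```

Two points follow from the advisory's race in steps 1 to 3 above. A signature check on a file the user can write is only meaningful if the check and the launch cannot be separated, so a service should copy the binary into a directory only SYSTEM can write, verify that copy, and launch that copy. And the publisher match matters as much as the chain: the advisory's bypass uses a self-signed certificate, but a check that accepted any trusted-root signer would still launch any legitimately signed third-party binary the user could drop in place.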

VENDOR RESPONSE

The vendor has released updated versions.

TIMELINE

2024-05-13 - Vendor Disclosure
2024-05-26 - Vendor Patch Release
2024-05-28 - Public Release

Credit

Discovered by KPC of Cisco Talos.