• CoreLabs Research

• CoreLabs Overview

• Research Projects

• Advisories

• Publications
  • Presentations and Papers
  • Journals and Magazines
  • Internet Articles

• Open Source Projects

• CoreLabs Extranet Site

SHARE

1. Advisory Information

Title: Foxit Reader Multiple Vulnerabilities
Advisory ID: CORE-2009-0218
Advisory URL: http://www.coresecurity.com/content/foxit-reader-vulnerabilities
Date published: 2009-03-09
Date of last update: 2009-03-09
Vendors contacted: Foxit Software
Release mode: Coordinated release

2. Vulnerability Information

Class: Authorization bypass, Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 34035
CVE Name: CVE-2009-0836, CVE-2009-0837

3. Vulnerability Description

Foxit Reader is a lightweight, free PDF document viewer and printer. PDF files may include actions (i.e., Go to a page view, Open/Execute a file, Open a web link, Execute a menu item) associated with different triggers (i.e., Mouse Up, Mouse Down, Page Visible, Page Invisible). The way Foxit Reader handles an Open/Execute a file action makes the software victim of two kinds of vulnerabilities: authorization bypass and buffer overflow.

4. Vulnerable packages

• Foxit Reader 3.0 build 1120
• Foxit Reader 3.0 build 1301
• Older 3.0 builds are probably affected too, but they were not checked.

5. Non-vulnerable packages

• Foxit Reader 3.0 build 1506

6. Vendor Information, Solutions and Workarounds

The latest version 3.0 build 1506 of Foxit Reader has been released. Please download the latest version from http://www.foxitsoftware.com/downloads/ and visit the Foxit security page for details at http://www.foxitsoftware.com/pdf/reader/security.htm.

7. Credits

These vulnerabilities were discovered and researched by Francisco Falcón from Core Security Technologies.

8. Technical Description / Proof of Concept Code

PDF files may include actions (i.e., Go to a page view, Open/Execute a file, Open a web link, Execute a menu item) associated with different triggers (i.e., Mouse Up, Mouse Down, Page Visible, Page Invisible). The way Foxit Reader handles an Open/Execute a file action makes the software victim of two kinds of vulnerabilities.

The first one is an authorization bypass vulnerability (CVE-2009-0836). If an Open/Execute a file action is defined in the PDF file, when the trigger condition is satisfied, Foxit Reader will open/execute the file defined by the creator of the PDF file without asking the user for confirmation. A proof of concept PDF file is included [4].

The second one is a stack-based buffer overflow (CVE-2009-0837). If an Open/Execute a file action is defined in the PDF file with an overly long filename argument, when the trigger condition is satisfied it will cause a stack-based buffer overflow, because the application tries to copy the filename argument to a fixed-size buffer in the stack without properly checking that the buffer is large enough to hold the filename string. Proof of concept PDF file also included [5].

If an Open/Execute a file is defined in a PDF file, when the trigger condition is satisfied, Foxit Reader first determines if the filename argument has a relative path:

If the PathIsRelativeA API returns True, then Foxit Reader will append the path of the current PDF file at the beginning of the filename string. If the filename argument is large enough, it will cause a stack-based buffer overflow when the application tries to concatenate the path and the filename:

Inside the function beginning at address 004B1DD0, the application first copies the path of the current PDF file to the buffer located in the stack:

And after that, it appends the filename string:

Otherwise, if the filename argument has an absolute path, Foxit Reader simply copies the filename to a buffer in the stack without checking its length:

In both cases, with relative or absolute path, if the filename is large enough, it will cause a buffer overflow in the stack, making it possible for the attacker to overwrite return addresses and the Structured Exception Handler, allowing the execution of arbitrary code with the privileges of the current user.

Attackers may embed JavaScript code in the PDF file to spray the heap with their shellcode before triggering the buffer overflow vulnerability.

9. Report Timeline

• 2009-02-20: Core Security Technologies notifies the Foxit Reader team of the vulnerability.
• 2009-02-23: The Foxit Reader team asks Core for a technical description of the vulnerability.
• 2009-02-23: Technical details sent to Foxit Reader team by Core.
• 2009-02-25: Vendor confirms the bugs and patches: a prompt was added for local file execution and a length check for the buffer overflow. Vendor comments that the patches will be sent to Core for confirmation.
• 2009-02-25: Core acknowledges and says that the patches will be tested.
• 2009-02-27: Vendor sends a link to download the patched Foxit Reader.
• 2009-03-03: Vendor asks for any information regarding the patch confirmation.
• 2009-03-03: Core confirms the authorization bypass bug was fixed but the buffer overflow fix raise another, more difficult to exploit, issue related to a missing check of API HeapReAlloc returning a valid pointer or not.
• 2009-03-04: Vendor says that once they detect a memory reallocation failure, they will clear the buffer and make it empty.
• 2009-03-04: Core suggests that the proper thing to do is to enforce a maximum length limit on the filename argument, as explained on programming documentation [2].
• 2009-03-04: Vendor says that in the reallocation fail scenario, as the application is already running out of memory, there is no way to gracefully and reliably close the application.
• 2009-03-05: Core informs the vendor that the authorization bypass bug has been independently discovered by another security researcher and published on the Internet [3]. Also suggests to publish the patches and advisory on the planned schedule, March 9th, disregarding any delay due to the missing check in the patch including the call to HeapReAlloc.
• 2009-03-06: Vendor sends a new version and asks for fix.
• 2009-03-09: Vendor releases patches for this flaw to its customers.
• 2009-03-09: The advisory CORE-2009-0218 is published by Core and the vendor is notified that the buffer overflow patch works as expected.

10. References

[1] Foxit Software Company http://www.foxitsoftware.com/
[2] File Names, Paths, and Namespaces http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx
[3] Simple Remote code execution in PDF still riding.. http://blog.zoller.lu/2009/03/remote-code-execution-in-pdf-still.html
[4] Authorization bypass http://www.coresecurity.com/files/attachments/CORE-2009-0218-PoC-authorization-bypass.pdf
[5] Buffer overflow http://www.coresecurity.com/files/attachments/CORE-2009-0218-PoC-BOF.pdf

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.