The first vulnerability, CVE-2017-10951, is a command injection remote code execution vulnerability. The flaw is in the ‘app.launchURL’ method. It does not filter file extensions, and hence allows executable files to be launched. It also does not check its argument properly: it won't check whether or not the argument is an actual URL, and in fact it accepts full paths.
The second vulnerability, CVE-2017-10952, is an arbitrary file write remote code execution vulnerability. The flaw is in the ‘saveAs’ method. This API is supposed to be used to save the document (PDF file format) to certain paths. It does not properly check the path it is given to write to, and it also does not check the file extension.
CVE 10951 Demonstration Video:
CVE 10952 Demonstration Video:
Thus an HTA file is saved into the Startup folder of the system as shown below.
The vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Foxit Reader. The attacker must entice a user to visit a malicious page or open a malicious file. Exploitation can also lead to arbitrary files being written to attacker-controlled locations.
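The checks described as missing from ‘app.launchURL’ and ‘saveAs’ above can be sketched as host-side allow-list validation. This is an added example, not Foxit's code or its fix; the function names, the http/https-only policy, the Windows-style paths and the sample values are assumptions made for illustration.

```javascript
// Added example, not Foxit's code. Host-side checks for the two scripting
// calls discussed above. Windows-style paths are assumed.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // assumed policy

// launchURL-style check: accept only absolute http(s) URLs.
function isLaunchableUrl(arg) {
  if (typeof arg !== "string") return false;
  let url;
  try {
    url = new URL(arg); // throws on bare file names and UNC paths
  } catch (e) {
    return false;
  }
  // "C:\\x.exe" parses with scheme "c:" and "file:///..." with "file:";
  // neither is on the allow-list, so full paths are refused.
  return ALLOWED_SCHEMES.has(url.protocol) && url.hostname !== "";
}

// saveAs-style check: only *.pdf, only under the directory the user approved.
function isSafeSavePath(target, allowedDir) {
  if (typeof target !== "string" || target.includes("\0")) return false;
  const norm = (p) => p.replace(/\//g, "\\").toLowerCase();
  const full = norm(target);
  const parts = full.split("\\");
  if (parts.includes("..")) return false; // no directory traversal
  const file = parts[parts.length - 1];
  if (file.length <= 4 || !file.endsWith(".pdf")) return false; // extension check
  // Trailing separator stops "Documents2" from matching "Documents".
  const root = norm(allowedDir).replace(/\\+$/, "") + "\\";
  return full.startsWith(root);
}

// Constructed sample values (not taken from the page).
const APPROVED_DIR = "C:\\Users\\alice\\Documents";
const STARTUP_HTA =
  "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.hta";
```

Both functions fail closed: anything that does not parse, or that falls outside the allow-list, is rejected rather than passed on to the operating system.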