Foxit Reader is affected by two remote code execution zero-day vulnerabilities, discovered by Steven Seeley (mr_me) and Ariele Caltabiano (kimiya). Both vulnerabilities stem from a lack of proper validation of user-supplied data, which can lead to arbitrary files being written to attacker-controlled locations and to arbitrary executable files being launched. User interaction is required to exploit these flaws: the attacker needs to send a specially crafted PDF file to a Foxit user and entice them to open it. Both flaws are triggered through JavaScript APIs in Foxit Reader when Safe Reading Mode is disabled.

The first vulnerability, CVE-2017-10951, is a command injection remote code execution vulnerability related to the 'app.launchURL' method. The method does not filter file extensions, so it can be used to launch executable files, and it does not validate its argument properly: it does not check whether the argument is actually a URL and in fact accepts full file system paths.

The second vulnerability, CVE-2017-10952, is an arbitrary file write remote code execution vulnerability related to the 'saveAs' method. This API is meant to save the document (in PDF format) to a given path. It neither properly checks the path it is told to write to nor checks the file extension.


CVE-2017-10951 Demonstration Video:

The vulnerability in the 'app.launchURL' method is exploited as shown in the video below. A PDF with embedded JavaScript (10951.pdf) is opened in Foxit Reader. The PDF contains a JavaScript action that calls the app.launchURL method with attacker-supplied data; here the attacker launches the Windows calculator executable (calc.exe).

The vulnerability is exploited with a JavaScript action that calls app.launchURL, configured to run when the document is opened:

pdfDocument.OnOpenDocument = new JavaScriptAction("app.launchURL(\"calc.exe\")");


CVE-2017-10952 Demonstration Video:

The vulnerability in the 'this.saveAs' method is exploited as shown in the video below. An HTA file is embedded in the document (10952.pdf), and 'saveAs' is called to write it to the Startup folder. When the PDF with the embedded JavaScript (10952.pdf) is opened in Foxit Reader, the HTA file (si.hta) is saved into the Startup folder.

This vulnerability can be exploited with a JavaScript action that calls this.saveAs, configured to run when the document is opened:

pdfDocument.OnOpenDocument = new JavaScriptAction("this.saveAs(\"/c/Users/Rinu/AppData/Roaming/Microsoft/Windows/STARTM~1/Programs/Startup/si.hta\");");

Thus the HTA file is saved into the Startup folder of the system, as shown below.
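Both demonstrations share one detectable shape: a JavaScript action wired to an open-time trigger that calls app.launchURL or saveAs. As an added example (not part of the original post and not SecPod or Foxit code), the following Python triage script extracts JavaScript from an unencrypted PDF without object streams and flags that pattern; the sample PDF fragment is constructed for the example.

```python
import re
import zlib

# JavaScript APIs at the root of CVE-2017-10951 (app.launchURL) and
# CVE-2017-10952 (saveAs); matched case-insensitively below.
SUSPICIOUS_CALLS = (b"app.launchURL", b".saveAs(")

def _decode_hex(hexstr: bytes) -> bytes:
    cleaned = re.sub(rb"\s", b"", hexstr)
    if len(cleaned) % 2:
        cleaned += b"0"  # PDF pads an odd trailing hex digit with 0
    return bytes.fromhex(cleaned.decode("ascii"))

def extract_js(pdf: bytes) -> list:
    """Collect JavaScript bodies from /JS literal strings, /JS hex strings and
    (optionally FlateDecode) streams. Assumes an unencrypted, flat PDF."""
    scripts = []
    for m in re.finditer(rb"/JS\s*\((.*?)(?<!\\)\)", pdf, re.S):
        scripts.append(m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")"))
    for m in re.finditer(rb"/JS\s*<([0-9A-Fa-f\s]+)>", pdf):
        scripts.append(_decode_hex(m.group(1)))
    for m in re.finditer(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        data = m.group(2)
        if b"/FlateDecode" in m.group(1):
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # not a plain deflate stream; skip it
        if b"launchURL" in data or b"saveAs" in data:
            scripts.append(data)
    return scripts

def triage_pdf(pdf: bytes) -> dict:
    """Report which risky calls appear and whether JavaScript is wired to an
    open-time trigger (/OpenAction or an /AA additional-actions entry)."""
    hits = set()
    for js in extract_js(pdf):
        for call in SUSPICIOUS_CALLS:
            if call.lower() in js.lower():
                hits.add(call.decode())
    auto_trigger = re.search(rb"/(OpenAction|AA)\b", pdf) is not None
    return {"calls": sorted(hits), "auto_trigger": auto_trigger,
            "risky": bool(hits) and auto_trigger}

# Constructed sample: the object graph of a PDF whose open action calls
# app.launchURL, modelled on the CVE-2017-10951 trigger above. Not a real file.
SAMPLE_PDF = (b"%PDF-1.7\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /S /JavaScript /JS (app.launchURL\\(\"calc.exe\"\\)) >> endobj\n")
```

Running triage_pdf(SAMPLE_PDF) reports the launchURL call together with the open-time trigger; documents that use object streams or encryption need a full PDF parser before this check is meaningful.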


Impact

These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Foxit Reader. The attacker must entice a user to visit a malicious page or open a malicious file. They can also lead to arbitrary files being written to attacker-controlled locations.

Fix
An attacker has to bypass Safe Reading Mode to trigger the above-mentioned vulnerabilities. The vendor decided not to fix the vulnerabilities, preferring to rely on the software's "Safe Reading" mode for protection. Foxit said: "Enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions". Users of Foxit Reader should ensure that Safe Reading Mode is enabled in their setup. They can also deselect 'Enable JavaScript Actions' in Foxit's Preferences menu.

SecPod Saner detects these vulnerabilities and automatically fixes them by applying security updates. Download Saner now and keep your systems updated and secure.

Article: Foxit Critical RCE Vulnerabilities
Publisher: SecPod Technologies