Sense of Security – Security Advisory – SOS-11-008
Release Date. | 06-Jun-2011 |
Last Update. | – |
Vendor Notification Date. | 18-Apr-2011 |
Product. | Foxit Reader |
Platform. | Windows |
Affected versions. | 4.3.1.0218 verified and possibly others. |
Severity Rating. | Low |
Impact. | Denial of Service, potentially code execution |
Attack Vector. | Local System |
Solution Status. | Upgrade to 5 (as advised by Foxit) |
CVE reference. | – |
Details.
Foxit Reader is a popular freeware PDF viewer. Version
4.3.1.0218 of the application contains multiple memory
corruption vulnerabilities, triggered by malformed PDF files,
that could potentially lead to code execution. All five crashes
are read access violations at addresses inside the first page
(0x00000000 to 0x00000040), i.e. NULL or near-NULL pointer
dereferences in the PDF parser, which is why the severity is
rated Low. Each entry below names the sample file and offset,
followed by the disassembly around the faulting instruction.
The details are as below:
– 1.pdf (offset 3294)
Foxit Reader raises an access violation when reading from address
0x00000000 (ESI is NULL).
004EE0FD |. 3C FE CMP AL,0FE
004EE0FF |. 75 06 JNZ SHORT Foxit_Re.004EE107
004EE101 |. 807E 01 FF CMP BYTE PTR DS:[ESI+1],0FF
004EE105 |. 74 14 JE SHORT Foxit_Re.004EE11B
004EE107 |> 8A06 MOV AL,BYTE PTR DS:[ESI] <– Crash
004EE109 |. 3C FF CMP AL,0FF
004EE10B |. 0F85 9C000000 JNZ Foxit_Re.004EE1AD
004EE111 |. 807E 01 FE CMP BYTE PTR DS:[ESI+1],0FE
004EE115 |. 0F85 92000000 JNZ Foxit_Re.004EE1AD
– 2.pdf (offset 38439)
Foxit Reader raises an access violation when reading from address
0x00000040 (ECX: a NULL pointer loaded by MOV ECX,[ECX], plus the
offset 0x40 held in EAX).
0050E07C > 8B09 MOV ECX,DWORD PTR DS:[ECX]
0050E07E . 33D2 XOR EDX,EDX
0050E080 . 03C8 ADD ECX,EAX
0050E082 . 33C0 XOR EAX,EAX
0050E084 . 8A01 MOV AL,BYTE PTR DS:[ECX] <– Crash
0050E086 . 8A51 01 MOV DL,BYTE PTR DS:[ECX+1]
0050E089 . C1E0 08 SHL EAX,8
0050E08C . 03C2 ADD EAX,EDX
0050E08E > 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
– 3.pdf (offset 881130)
Foxit Reader raises an access violation when reading from address
0x00000014 (the read at [ECX+14] with ECX NULL).
00602180 /$ 8B41 14 MOV EAX,DWORD PTR DS:[ECX+14] <– Crash
00602183 |. 99 CDQ
00602184 |. 2BC2 SUB EAX,EDX
00602186 |. D1F8 SAR EAX,1
00602188 \. C3 RETN
– 4.pdf (offset 1026469)
Foxit Reader raises an access violation when reading from address
0x00000024 (the read at [ECX+C] with ECX a near-NULL pointer).
006009C0 /$ 51 PUSH ECX
006009C1 |. 8B41 0C MOV EAX,DWORD PTR DS:[ECX+C] <– Crash
006009C4 |. 85C0 TEST EAX,EAX
006009C6 |. 75 04 JNZ SHORT Foxit_Re.006009CC
006009C8 |. 59 POP ECX
006009C9 |. C2 0800 RETN 8
– 5.pdf (offset 4133719)
Foxit Reader raises an access violation when reading from address
0x00000000 (the read at [ECX+EDI]: EDI, the buffer pointer taken
from the stack argument at [ESP+C], is NULL and ECX is the loop
index starting at zero).
004FBDED |. 57 PUSH EDI
004FBDEE |. 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
004FBDF2 |> 33D2 /XOR EDX,EDX
004FBDF4 |. 8A1439 |MOV DL,BYTE PTR DS:[ECX+EDI] <– Crash
004FBDF7 |. C1E0 08 |SHL EAX,8
004FBDFA |. 03C2 |ADD EAX,EDX
004FBDFC |. 41 |INC ECX
004FBDFD |. 3BCE |CMP ECX,ESI
004FBDFF |.^7C F1 \JL SHORT Foxit_Re.004FBDF2
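The loop in the 5.pdf listing (SHL EAX,8 ; ADD EAX,EDX over ECX from 0 to ESI) and the two-byte variant at 0050E084 in 2.pdf are big-endian multi-byte integer reads from an object pointer that is never validated. The C program below is an added illustration written for this advisory, not Foxit's code: it reimplements that read as the unchecked routine and then shows the validation a parser needs so that a missing (NULL) object or an out-of-range request is rejected instead of dereferenced. The pdf_obj structure, the function names and the sample bytes are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical parsed PDF object as a reader might hold it: a data
 * pointer that is NULL when the object is missing or malformed, plus
 * its length. Constructed for this example. */
struct pdf_obj {
    const uint8_t *data;
    size_t len;
};

/* Equivalent of the crashing loop at 0x004FBDF2: EAX = (EAX << 8) + byte[ECX+EDI]
 * for ECX from 0 to ESI, with EDI the object pointer. Nothing guards
 * against EDI being NULL or the range running past the object, so a
 * NULL object faults at address 0x00000000 exactly as the advisory shows. */
static uint32_t read_be_unchecked(const uint8_t *p, int nbytes)
{
    uint32_t v = 0;
    for (int i = 0; i < nbytes; i++)
        v = (v << 8) + p[i];            /* SHL EAX,8 ; ADD EAX,EDX */
    return v;
}

/* Hardened equivalent: validates the pointer, the byte count and the
 * bounds before touching memory. Returns 0 on success, -1 on any
 * rejected input, and writes the value to *out only on success. */
static int read_be_checked(const struct pdf_obj *obj, size_t start,
                           size_t nbytes, uint32_t *out)
{
    if (obj == NULL || obj->data == NULL)            /* missing object: no deref */
        return -1;
    if (nbytes == 0 || nbytes > sizeof *out)          /* 1..4 bytes fit a uint32 */
        return -1;
    if (start > obj->len || nbytes > obj->len - start) /* no over-read */
        return -1;

    uint32_t v = 0;
    for (size_t i = 0; i < nbytes; i++)
        v = (v << 8) | obj->data[start + i];
    *out = v;
    return 0;
}

/* Constructed sample bytes standing in for a PDF stream fragment. */
static const uint8_t sample_bytes[] = { 0x00, 0x01, 0x12, 0x34, 0xAB, 0xCD };
static const struct pdf_obj sample_obj  = { sample_bytes, sizeof sample_bytes };
static const struct pdf_obj missing_obj = { NULL, 0 };   /* the 5.pdf situation */

int main(void)
{
    uint32_t v;
    printf("unchecked read of 4 bytes: 0x%08x\n", read_be_unchecked(sample_bytes, 4));
    if (read_be_checked(&sample_obj, 2, 2, &v) == 0)
        printf("checked read at offset 2, 2 bytes: 0x%04x\n", v);
    /* read_be_unchecked(missing_obj.data, 2) would fault at address 0x0;
     * the checked routine rejects the same input instead. */
    printf("checked read on missing object: %d\n",
           read_be_checked(&missing_obj, 0, 2, &v));
    printf("checked read past the end: %d\n",
           read_be_checked(&sample_obj, 5, 2, &v));
    return 0;
}
```

The pointer test alone removes the first-page read access violations listed above; the length and count checks are what stop the same loop from turning into an over-read once the pointer is valid but the attacker controls ESI.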
Proof of Concept.
Sample files can be downloaded from the link below:
/advisories/SOS-11-008.zip
Solution.
A patch is available from Foxit and is included in the next
release (version 5).
Discovered by.
Sense of Security Labs.