In this Section

Security Advisory – Foxit Reader 4.3.1.0218 Multiple Memory Corruption Vulnerabilities

Sense of Security – Security Advisory – SOS-11-008

Release Date. 06-Jun-2011
Last Update.
Vendor Notification Date. 18-Apr-2011
Product. Foxit Reader
Platform. Windows
Affected versions. 4.3.1.0218 verified and possibly others.
Severity Rating. Low
Impact. Denial of Service
Potentially code execution
Attack Vector. Local System
Solution Status. Upgrade to 5 (as advised by Foxit)
CVE reference.

 

Details.

Foxit Reader is a popular freeware PDF viewer. Version

4.3.1.0218 of the applicaion is vulnerable to multiple memory

corruption vulnerabilities that could potentially lead to

code execution.

 

The details are as below:

– 1.pdf (offset 3294)

Foxit Reader access violates when attempting to read the address

0x00000000 (ESI).

 

004EE0FD |. 3C FE CMP AL,0FE

004EE0FF |. 75 06 JNZ SHORT Foxit_Re.004EE107

004EE101 |. 807E 01 FF CMP BYTE PTR DS:[ESI+1],0FF

004EE105 |. 74 14 JE SHORT Foxit_Re.004EE11B

004EE107 |> 8A06 MOV AL,BYTE PTR DS:[ESI] <– Crash

004EE109 |. 3C FF CMP AL,0FF

004EE10B |. 0F85 9C000000 JNZ Foxit_Re.004EE1AD

004EE111 |. 807E 01 FE CMP BYTE PTR DS:[ESI+1],0FE

004EE115 |. 0F85 92000000 JNZ Foxit_Re.004EE1AD

 

– 2.pdf (offset 38439)

Foxit Reader access violates when attempting to read the address

0x00000040 (ECX – result of an addition to a null pointer).

0050E07C > 8B09 MOV ECX,DWORD PTR DS:[ECX]

0050E07E . 33D2 XOR EDX,EDX

0050E080 . 03C8 ADD ECX,EAX

0050E082 . 33C0 XOR EAX,EAX

0050E084 . 8A01 MOV AL,BYTE PTR DS:[ECX] <– Crash

0050E086 . 8A51 01 MOV DL,BYTE PTR DS:[ECX+1]

0050E089 . C1E0 08 SHL EAX,8

0050E08C . 03C2 ADD EAX,EDX

0050E08E > 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]

 

– 3.pdf (offset 881130)

Foxit Reader access violates when attempting to read the address

0x00000014 (ECX)

00602180 /$ 8B41 14 MOV EAX,DWORD PTR DS:[ECX+14] <– Crash

00602183 |. 99 CDQ

00602184 |. 2BC2 SUB EAX,EDX

00602186 |. D1F8 SAR EAX,1

00602188 \. C3 RETN

 

– 4.pdf (offset 1026469)

Foxit Reader access violates when attempting to read the address

0x00000024

006009C0 /$ 51 PUSH ECX

006009C1 |. 8B41 0C MOV EAX,DWORD PTR DS:[ECX+C] <– Crash

006009C4 |. 85C0 TEST EAX,EAX

006009C6 |. 75 04 JNZ SHORT Foxit_Re.006009CC

006009C8 |. 59 POP ECX

006009C9 |. C2 0800 RETN 8

 

– 5.pdf (offset 4133719)

Foxit Reader access violates when attempting to read the address

0x00000000

004FBDED |. 57 PUSH EDI

004FBDEE |. 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]

004FBDF2 |> 33D2 /XOR EDX,EDX

004FBDF4 |. 8A1439 |MOV DL,BYTE PTR DS:[ECX+EDI] <– Crash

004FBDF7 |. C1E0 08 |SHL EAX,8

004FBDFA |. 03C2 |ADD EAX,EDX

004FBDFC |. 41 |INC ECX

004FBDFD |. 3BCE |CMP ECX,ESI

004FBDFF |.^7C F1 \JL SHORT Foxit_Re.004FBDF2

 

Proof of Concept.

Sample files can be downloaded using the below link:

https://www.senseofsecurity.com.au/advisories/SOS-11-008.zip

 

Solution.

A patch is available from Foxit and is included in the next

release (5).

 

Discovered by.

Sense of Security Labs.