Foxit Reader vulnerable to arbitrary command execution

2010-04-02T00:00:00
ID VU:570177
Type cert
Reporter CERT
Modified 2010-04-15T00:00:00

Description

Overview

Foxit Reader contains a vulnerability that may allow an attacker to execute arbitrary commands without requiring user interaction.

Description

Foxit Reader is software designed to view Portable Document Format (PDF) files. The Adobe PDF Reference supports a "Launch action" that "... launches an application or opens or prints a document." Foxit Reader uses the ShellExecute function to handle PDFs that use a Launch action. In some cases, Foxit Reader will not prompt the user before an application is launched with a Launch action. It is also reported that the Launch Action can be used to launch an executable that is included in the PDF document, which results in arbitrary code execution.


Impact

By convincing a user to open a PDF document, e.g. by visiting a website, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.


Solution

Apply an update

This issue is addressed in Foxit Reader 3.2.1.0401. This update will cause Foxit Reader to prompt the user before using a Launch Action.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Foxit Software Company| | 30 Mar 2010| 02 Apr 2010
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://blog.didierstevens.com/2010/03/29/escape-from-pdf/>
  • <http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/>
  • <http://www.adobe.com/devnet/acrobat/pdfs/pdf_reference_1-7.pdf>
  • <http://www.f-secure.com/weblog/archives/00001923.html>
  • <http://msdn.microsoft.com/en-us/library/bb762153%28VS.85%29.aspx>

Credit

This vulnerability was reported by Didier Stevens.

This document was written by Will Dormann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 31 Mar 2010
  • Date First Published: 02 Apr 2010
  • Date Last Updated: 15 Apr 2010
  • Severity Metric: 33.17
  • Document Revision: 6