Using Foxit Reader PDF Printer to achieve privilege escalation - vulnerability warning - 黑吧安全网

Source: www.myhack58.com (MYHACK58:62201993859), author: 佚名 (anonymous), published 2019-04-25
EPSS: 0.002 (Low), percentile 60.8%

Last year I wrote an article about a UAF vulnerability in Foxit Reader and how to exploit it for remote code execution. After that, in another article, I described a command injection vulnerability in the Foxit Reader SDK ActiveX. In the spirit of never giving up, later that same year I went on to research a new Foxit Reader component in depth. To my surprise, I found several vulnerabilities in this component that allow limited elevation of privilege, one of which is particularly serious; hence this article.
Summary
Through a carefully crafted proxyDoAction request, we will examine CVE-2018-20310 in detail: a stack-based buffer overflow in the PDF Printer, covering its attack vector, the vulnerability analysis and the exploitation method.
Software version
The method described in this article was tested against Foxit Reader version 9.3.0.912, in which the FoxitProxyServer_Socket_RD.exe binary has the SHA1 value 0e1554311ba8dc04c18e19ec144b02a22b118eb7. At the time of writing this is the latest version.
Attack vector
PDF Printer is a Foxit Reader feature that handles requests from applications to print to a PDF file. After Foxit Reader is installed, Foxit PDF Printer becomes the default printer and processes print jobs sent to it.
![](/Article/UploadPic/2019-4/201942518172892.png)
Printing a document from Chrome
In practice this means that the FoxitProxyServer_Socket_RD.exe binary is started and runs briefly at medium integrity level.
![](/Article/UploadPic/2019-4/201942518172620.png)
When a document is printed from an application, FoxitProxyServer_Socket_RD.exe runs at medium integrity level
The reason it runs at this level only for a moment is that, by default, the server listens on localhost port 50000 and accepts a single request. Once a request has been received, it closes the port and terminates. So whenever the user prints to PDF with Foxit PDF Printer, an attacker who already has code execution inside a (sandboxed) renderer tab gets a window in which to send that one request to the medium-integrity server.
Looking into this further, it turns out that a sandboxed process can use an undocumented ALPC request to start a print job to the default printer itself. This means the attacker does not have to win a race to get a request to the FoxitProxyServer_Socket_RD.exe binary: the attacker can trigger its start at will.
Vulnerability analysis
While printing a page from the browser, we intercepted many sample requests sent to port 50000; from these we identified an important function, sub_41DBA0.
![](/Article/UploadPic/2019-4/201942518172224.png)
Code flow of sub_41DBA0
This function handles a number of different request types. The corresponding handlers are highlighted in blue in the chart above and include:
· proxyDoAction
· proxyPreviewAction
· proxyPopupsAction
· proxyCPDFAction
· proxyUpdatePreview
· proxyFinishPreview
· proxyCollectSysFont
· proxyGetImageSize
· proxyCheckLicence
· proxyGetAppEdition
· proxyInitLocalization
· proxyCreateDirectoryCascade
· proxyIEMoveFileEx
· proxySendFileAsEmailAttachment
Although some of these handlers look very promising, the vulnerable API behind them is not always reachable. Take proxyIEMoveFileEx as an example: it accepts three parameters and is essentially a direct call to MoveFileExW with no validation of any of them. However, because the handler cannot correctly parse the packet structure it is given, it is effectively unusable. Typically, software developers test such things before release to make sure they work! The underlying API call is located here:
```asm
.text:00420C85 loc_420C85:                ; CODE XREF: sub_420930+331
.text:00420C85     push    ebx             ; dwFlags
.text:00420C86     push    edi             ; lpNewFileName
.text:00420C87     push    eax             ; lpExistingFileName
.text:00420C88     call    ds:MoveFileExW
```
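The disassembly above shows the pattern that makes a local broker dangerous: a medium-integrity process takes two client-supplied paths and hands them straight to MoveFileExW. The following is an added example (not code from the article or from Foxit) of what a hardened handler for such a request should do before touching the file system. It is written in Python so it runs anywhere: `os.replace` stands in for `MoveFileExW`, the per-client allowed root directory and the refusal of symlinks/junctions are assumptions about a sensible broker policy, and the scenario in `demo()` is constructed with temporary directories.

```python
"""Unchecked file-move handler beside a hardened one (added example, not Foxit code)."""
import os
import shutil
import tempfile


class BrokerError(Exception):
    """Raised when a request is refused before any file system call is made."""


def unsafe_move_file(existing, new):
    """Mirrors the vulnerable handler: client paths go straight to the move API, no checks.

    os.replace stands in for MoveFileExW(lpExistingFileName, lpNewFileName, dwFlags).
    """
    os.replace(existing, new)
    return new


def validate_path(path, allowed_root):
    """Return the canonical form of `path`, or raise BrokerError.

    Refuses relative paths, the root itself, anything that resolves outside
    allowed_root, and any path that passes through a symlink (a junction on
    Windows), which is how a low-integrity client would redirect a
    medium-integrity broker's file write.  The allow-list root is an assumed
    policy, not something the real handler implements.
    """
    if not os.path.isabs(path):
        raise BrokerError(f"relative path refused: {path!r}")
    root = os.path.realpath(allowed_root)
    lexical = os.path.normpath(path)          # collapses '..' without touching the FS
    resolved = os.path.realpath(path)         # follows symlinks as the OS would
    if resolved == root or os.path.commonpath([resolved, root]) != root:
        raise BrokerError(f"path escapes {root!r}: {path!r}")
    if resolved != lexical:
        raise BrokerError(f"symlink or junction in path refused: {path!r}")
    return resolved


def safe_move_file(existing, new, allowed_root):
    """Hardened handler: validate both paths, only move regular files, never overwrite."""
    src = validate_path(existing, allowed_root)
    dst = validate_path(new, allowed_root)
    if not os.path.isfile(src):
        raise BrokerError(f"source is not a regular file: {src!r}")
    if not os.path.isdir(os.path.dirname(dst)):
        raise BrokerError(f"destination directory missing: {dst!r}")
    if os.path.lexists(dst):
        raise BrokerError(f"destination already exists: {dst!r}")
    os.replace(src, dst)
    return dst


def demo():
    """Constructed scenario: a sandboxed client tries to move a file out of its allowed root."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="broker_root_"))
    outside = os.path.realpath(tempfile.mkdtemp(prefix="outside_"))
    results = {}
    try:
        victim = os.path.join(root, "report.pdf")
        with open(victim, "w") as fh:
            fh.write("constructed sample file\n")

        # 1. '..' traversal to a directory outside the allowed root
        escape = os.path.join(root, os.path.relpath(outside, root), "stolen.pdf")
        try:
            safe_move_file(victim, escape, root)
            results["traversal"] = "moved"
        except BrokerError:
            results["traversal"] = "refused"

        # 2. a symlink inside the root that points outside it
        link = os.path.join(root, "link")
        os.symlink(outside, link)
        try:
            safe_move_file(victim, os.path.join(link, "stolen.pdf"), root)
            results["symlink"] = "moved"
        except BrokerError:
            results["symlink"] = "refused"

        # 3. a legitimate move that stays inside the root
        archived = os.path.join(root, "archived.pdf")
        safe_move_file(victim, archived, root)
        results["inside"] = "moved" if os.path.isfile(archived) else "failed"

        # 4. the unchecked handler performs the same traversal without complaint
        unsafe_move_file(archived, escape)
        stolen = os.path.join(outside, "stolen.pdf")
        results["unchecked"] = "moved" if os.path.isfile(stolen) else "failed"
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(outside, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of comparing `normpath` with `realpath` is that a client cannot pre-create a junction or symlink under its own directory and have the broker follow it; the two only agree when every component of the path is a real directory. A real Windows broker would additionally want to identify the calling process (for example via the socket's peer PID) rather than trust anything that can reach localhost:50000.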
Digging deeper during reverse engineering, we found that proxyDoAction is also a very interesting function, because an attacker can use it to reach five different code paths. Below is the code that checks the request packet for the proxyDoAction string:
![](/Article/UploadPic/2019-4/201942518172692.png)
sub_41DBA0 checking for a proxyDoAction request
That is, as long as we supply a correctly formatted request, we can eventually reach the handler:
![](/Article/UploadPic/2019-4/201942518173450.png)
The proxyDoAction request used to reach the handler
In the handler, we can see that it takes 3 parameters:
![](/Article/UploadPic/2019-4/201942518173936.png)
