Foxit Reader clearItems Type Confusion Remote Code Execution Vulnerability
2017-11-14T00:00:00
ID: ZDI-17-893
Type: zdi
Reporter: Anonymous
Modified: 2017-11-14T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the clearItems XFA method. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process.
{"viewCount": 1, "bulletinFamily": "info", "lastseen": "2017-11-14T22:37:04", "references": ["https://www.foxitsoftware.com/support/security-bulletins.php"], "href": "http://www.zerodayinitiative.com/advisories/ZDI-17-893", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "hash": "c6cc8b94d02accce589ba09cd75ef68509f2603fc8c0fd7fecccdb275c861be9", "cvelist": ["CVE-2017-16582"], "objectVersion": "1.3", "title": "Foxit Reader clearItems Type Confusion Remote Code Execution Vulnerability", "id": "ZDI-17-893", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the clearItems XFA method. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process.", "modified": "2017-11-14T00:00:00", "reporter": "Anonymous", "published": "2017-11-14T00:00:00", "enchantments": {"score": {"value": 5.0, "vector": "NONE", "modified": "2017-11-14T22:37:04"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-16582"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113075", "OPENVAS:1361412562310113073"]}, {"type": "kaspersky", "idList": ["KLA11162"]}], "modified": "2017-11-14T22:37:04"}, "vulnersScore": 5.0}, "edition": 1, "type": "zdi", "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "8560b2a42a5b21b0881228ca999c03b4"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "3c9959a8792eb0d693e208b363cbadd9"}, {"key": "href", "hash": "3d0b935fbd6626b6ff65b6e6ff29ccd0"}, {"key": "modified", "hash": "e8934db808a2020d238179a40a4c9b9e"}, {"key": "published", 
"hash": "e8934db808a2020d238179a40a4c9b9e"}, {"key": "references", "hash": "56316844e5c99601c043d8739045f148"}, {"key": "reporter", "hash": "7079c72c21415131774625ba1d64f4b0"}, {"key": "title", "hash": "4725eef4fa3a68413d64c8b311e1d6ef"}, {"key": "type", "hash": "3dd086b59554fe33c1b8f051475b4b31"}]}
{"cve": [{"lastseen": "2019-10-10T12:21:55", "bulletinFamily": "NVD", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.2.25013. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the clearItems XFA method. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5288.", "modified": "2019-10-09T23:25:00", "id": "CVE-2017-16582", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16582", "published": "2017-12-20T14:29:00", "title": "CVE-2017-16582", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:34:55", "bulletinFamily": "scanner", "description": "Foxit Reader 8.3.2 is vulnerable to multiple code execution and information disclosure vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2017-12-21T00:00:00", "id": "OPENVAS:1361412562310113075", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113075", "title": "Multiple vulnerabilities in Foxit Reader 8.3.2 (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Multiple vulnerabilities in Foxit Reader 8.3.2 (Linux)\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This 
program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113075\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-12-21 11:48:49 +0100 (Thu, 21 Dec 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2017-16578\", \"CVE-2017-16579\", \"CVE-2017-16580\", \"CVE-2017-16581\",\n \"CVE-2017-16582\", \"CVE-2017-16583\", \"CVE-2017-16584\", \"CVE-2017-16585\",\n \"CVE-2017-16586\", \"CVE-2017-16587\");\n\n script_name(\"Multiple vulnerabilities in Foxit Reader 8.3.2 (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_foxit_reader_detect_lin.nasl\");\n script_mandatory_keys(\"foxit/reader/linux/ver\");\n\n script_tag(name:\"summary\", value:\"Foxit Reader 8.3.2 is vulnerable to multiple code execution and information disclosure vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"The script checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Foxit Reader 8.3.2 allows information 
disclosure through improper validation of user input. It also allows code execution via both improper object validation and improper user input validation that leads to a type confusion condition.\");\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to access sensitive information or execute code on the target host.\");\n script_tag(name:\"affected\", value:\"Foxit Reader 8.3.2 and before on Linux.\");\n script_tag(name:\"solution\", value:\"Update to Foxit Reader 9.0 or above.\");\n\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php\");\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/de/pdf-reader/version-history.php\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:foxitsoftware:reader\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif(!infos = get_app_version_and_location( cpe: CPE, exit_no_version: TRUE )) exit(0);\nversion = infos['version'];\npath = infos['location'];\n\n# Version numbers in Foxit are a bit weird. 
8.3.2 is equal to 8.3.2.25013, but the latter would be excluded in a version check of 8.3.2\nif( version_is_less_equal( version: version, test_version: \"8.3.2.25013\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"9.0\", install_path: path );\n security_message( data: report, port: 0 );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:55", "bulletinFamily": "scanner", "description": "Foxit Reader 8.3.2 is vulnerable to multiple code execution and information disclosure vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2017-12-21T00:00:00", "id": "OPENVAS:1361412562310113073", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113073", "title": "Multiple vulnerabilities in Foxit Reader 8.3.2 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Multiple vulnerabilities in Foxit Reader 8.3.2 (Windows)\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113073\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-12-21 11:48:49 +0100 (Thu, 21 Dec 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2017-16578\", \"CVE-2017-16579\", \"CVE-2017-16580\", \"CVE-2017-16581\",\n \"CVE-2017-16582\", \"CVE-2017-16583\", \"CVE-2017-16584\", \"CVE-2017-16585\",\n \"CVE-2017-16586\", \"CVE-2017-16587\");\n\n script_name(\"Multiple vulnerabilities in Foxit Reader 8.3.2 (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_foxit_reader_detect_portable_win.nasl\");\n script_mandatory_keys(\"foxit/reader/ver\");\n\n script_tag(name:\"summary\", value:\"Foxit Reader 8.3.2 is vulnerable to multiple code execution and information disclosure vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"The script checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Foxit Reader 8.3.2 allows information disclosure through improper validation of user input. 
It also allows code execution via both improper object validation and improper user input validation that leads to a type confusion condition.\");\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to access sensitive information or execute code on the target host.\");\n script_tag(name:\"affected\", value:\"Foxit Reader 8.3.2 and before on Windows.\");\n script_tag(name:\"solution\", value:\"Update to Foxit Reader 9.0 or above.\");\n\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php\");\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/de/pdf-reader/version-history.php\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:foxitsoftware:reader\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif(!infos = get_app_version_and_location( cpe: CPE, exit_no_version: TRUE )) exit(0);\nversion = infos['version'];\npath = infos['location'];\n\n# Version numbers in Foxit are a bit weird. 8.3.2 is equal to 8.3.2.25013, but the latter would be excluded in a version check of 8.3.2\nif( version_is_less_equal( version: version, test_version: \"8.3.2.25013\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"9.0\", install_path: path );\n security_message( data: report, port: 0 );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2019-03-21T00:15:11", "bulletinFamily": "info", "description": "### *Detect date*:\n11/01/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Foxit Reader. 
Malicious users can exploit these vulnerabilities to obtain sensitive information and execute arbitrary code.\n\n### *Affected products*:\nFoxit Reader earlier than 9.0.0.29935 \nFoxit PhantomPDF earlier than 9.0.0.29935\n\n### *Solution*:\nUpdate to latest version \n[Download Foxit Reader](<https://www.foxitsoftware.com/downloads/#Foxit-Reader>) \n[Download Foxit PhantomPDF](<https://www.foxitsoftware.com/downloads/#Foxit-PhantomPDF-Business>)\n\n### *Original advisories*:\n[Security bulletins](<https://www.foxitsoftware.com/support/security-bulletins.php>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Foxit Reader](<https://threats.kaspersky.com/en/product/Foxit-Reader/>)\n\n### *CVE-IDS*:\n[CVE-2017-14834](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14834>)6.8Critical \n[CVE-2017-14835](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14835>)6.8Critical \n[CVE-2017-14836](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14836>)6.8Critical \n[CVE-2017-14837](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14837>)6.8Critical \n[CVE-2017-16571](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16571>)6.8Critical \n[CVE-2017-16572](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16572>)6.8Critical \n[CVE-2017-16573](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16573>)4.3Critical \n[CVE-2017-16574](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16574>)4.3Critical \n[CVE-2017-16575](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16575>)6.8Critical \n[CVE-2017-16576](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16576>)6.8Critical \n[CVE-2017-16577](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16577>)6.8Critical \n[CVE-2017-16578](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16578>)6.8Critical \n[CVE-2017-16579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16579>)4.3Critical 
\n[CVE-2017-16580](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16580>)4.3Critical \n[CVE-2017-16581](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16581>)6.8Critical \n[CVE-2017-16582](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16582>)6.8Critical \n[CVE-2017-16583](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16583>)6.8Critical \n[CVE-2017-16584](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16584>)4.3Critical \n[CVE-2017-16585](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16585>)6.8Critical \n[CVE-2017-16586](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16586>)6.8Critical \n[CVE-2017-16587](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16587>)6.8Critical \n[CVE-2017-16588](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16588>)4.3Critical \n[CVE-2017-16589](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16589>)4.3Critical \n[CVE-2017-10956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10956>)4.3Critical \n[CVE-2017-10957](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10957>)6.8Critical \n[CVE-2017-10958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10958>)6.8Critical \n[CVE-2017-10959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10959>)6.8Critical \n[CVE-2017-14818](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14818>)4.3Critical \n[CVE-2017-14819](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14819>)4.3Critical \n[CVE-2017-14820](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14820>)4.3Critical \n[CVE-2017-14821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14821>)4.3Critical \n[CVE-2017-14822](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14822>)4.3Critical \n[CVE-2017-14823](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14823>)6.8Critical \n[CVE-2017-14824](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14824>)6.8Critical 
\n[CVE-2017-14825](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14825>)6.8Critical \n[CVE-2017-14826](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14826>)6.8Critical \n[CVE-2017-14827](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14827>)6.8Critical \n[CVE-2017-14828](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14828>)6.8Critical \n[CVE-2017-14829](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14829>)6.8Critical \n[CVE-2017-14830](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14830>)6.8Critical \n[CVE-2017-14831](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14831>)6.8Critical \n[CVE-2017-14832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14832>)6.8Critical \n[CVE-2017-14833](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14833>)6.8Critical", "modified": "2019-03-07T00:00:00", "published": "2017-11-01T00:00:00", "id": "KLA11162", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11162", "title": "\r KLA11162Multiple vulnerabilities in Foxit Reader ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}