ID ZDI-18-1100 Type zdi Reporter Steven Seeley (mr_me) of Source Incite Modified 2018-06-22T00:00:00
Description
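This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Validate events. The issue results from the lack of validating the existence of an object prior to performing operations on the object, i.e. a use-after-free (CWE-416 in the NVD record below). An attacker can leverage this vulnerability to execute code in the context of the current process. The linked OpenVAS checks below list Foxit Reader and Foxit PhantomPDF versions before 9.2 on Windows as affected and give upgrading to 9.2 or later as the fix; the NVD record names build 9.0.1.5096 in its description but 9.1.0.5096 in its CPE, so compare installed versions against the fixed version rather than against a single build string.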
{"id": "ZDI-18-1100", "bulletinFamily": "info", "title": "Foxit Reader TextBox Validate Use-After-Free Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Validate events. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.", "published": "2018-09-28T00:00:00", "modified": "2018-06-22T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-1100/", "reporter": "Steven Seeley (mr_me) of Source Incite", "references": ["https://www.foxitsoftware.com/support/security-bulletins.php"], "cvelist": ["CVE-2018-17619"], "type": "zdi", "lastseen": "2020-06-22T11:41:49", "edition": 1, "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-17619"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813264", "OPENVAS:1361412562310813263"]}], "modified": "2020-06-22T11:41:49", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2020-06-22T11:41:49", "rev": 2}, "vulnersScore": 5.1}}
{"cve": [{"lastseen": "2020-12-09T20:25:38", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Validate events. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6352.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-29T21:29:00", "title": "CVE-2018-17619", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-17619"], "modified": "2019-10-09T23:36:00", "cpe": ["cpe:/a:foxitsoftware:reader:9.1.0.5096"], "id": "CVE-2018-17619", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17619", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:a:foxitsoftware:reader:9.1.0.5096:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-07-17T14:18:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-17619", "CVE-2018-17618", "CVE-2018-17621", "CVE-2018-17622", "CVE-2018-17615", "CVE-2018-17706", "CVE-2018-14295", "CVE-2018-17617", "CVE-2018-17616", "CVE-2018-17620", "CVE-2018-17624"], "description": "The host is installed with Foxit PhantomPDF\n and is prone to multiple code execution vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-07-20T00:00:00", "id": "OPENVAS:1361412562310813264", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813264", "type": "openvas", "title": "Foxit PhantomPDF 'JavaScript' Remote Code Execution Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Foxit PhantomPDF 'JavaScript' Remote Code Execution Vulnerabilities (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation;\n# either version 2 of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:foxitsoftware:phantompdf\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813264\");\n script_version(\"2019-07-05T10:16:38+0000\");\n script_cve_id(\"CVE-2018-14295\", \"CVE-2018-17706\", \"CVE-2018-17624\", \"CVE-2018-17622\",\n \"CVE-2018-17620\", \"CVE-2018-17621\", \"CVE-2018-17618\", \"CVE-2018-17619\",\n \"CVE-2018-17617\", \"CVE-2018-17615\", \"CVE-2018-17616\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 10:16:38 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-07-20 15:00:12 +0530 (Fri, 20 Jul 2018)\");\n script_name(\"Foxit PhantomPDF 'JavaScript' Remote Code Execution Vulnerabilities (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Foxit PhantomPDF\n and is prone to multiple code execution vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The user-after-free vulnerability that exists in the JavaScript, When\n executing embedded JavaScript code a document can be cloned. 
which frees\n a lot of used objects, but the JavaScript can continue to execute.\n\n - The use-after-free vulnerability found in the Javascript engine that can\n result in remote code execution.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Foxit PhantomPDF versions before 9.2 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Foxit PhantomPDF version 9.2\n or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php#content-2018\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_foxit_phantom_reader_detect.nasl\");\n script_mandatory_keys(\"foxit/phantompdf/ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npdfVer = infos['version'];\npdfPath = infos['location'];\n\nif(version_is_less(version:pdfVer, test_version:\"9.2\"))\n{\n report = report_fixed_ver(installed_version:pdfVer, fixed_version:\"9.2\", install_path:pdfPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:18:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14302", "CVE-2018-14281", "CVE-2018-17619", "CVE-2018-14283", "CVE-2018-11621", "CVE-2018-14264", "CVE-2018-14306", "CVE-2018-14276", "CVE-2018-14246", "CVE-2018-14272", "CVE-2018-14305", "CVE-2018-14290", "CVE-2018-14271", "CVE-2018-14243", "CVE-2018-14270", "CVE-2018-14241", "CVE-2018-14275", "CVE-2018-14304", "CVE-2018-14244", "CVE-2018-14258", 
"CVE-2018-14265", "CVE-2018-17618", "CVE-2018-14253", "CVE-2018-14309", "CVE-2018-14291", "CVE-2018-14286", "CVE-2018-17621", "CVE-2018-14257", "CVE-2018-14310", "CVE-2018-14254", "CVE-2018-17622", "CVE-2018-14279", "CVE-2018-14262", "CVE-2018-14301", "CVE-2018-3939", "CVE-2018-14274", "CVE-2018-14285", "CVE-2018-14260", "CVE-2018-14278", "CVE-2018-14307", "CVE-2018-17615", "CVE-2018-14293", "CVE-2018-14266", "CVE-2018-14315", "CVE-2018-14300", "CVE-2018-14294", "CVE-2018-14317", "CVE-2018-14312", "CVE-2018-14263", "CVE-2018-14297", "CVE-2018-14287", "CVE-2018-14242", "CVE-2018-14308", "CVE-2018-11617", "CVE-2018-14314", "CVE-2018-14249", "CVE-2018-14277", "CVE-2018-14261", "CVE-2018-14245", "CVE-2018-14273", "CVE-2018-14248", "CVE-2018-14316", "CVE-2018-14311", "CVE-2018-14292", "CVE-2018-14267", "CVE-2018-14247", "CVE-2018-11622", "CVE-2018-17617", "CVE-2018-14259", "CVE-2018-14313", "CVE-2018-14255", "CVE-2018-14268", "CVE-2018-14288", "CVE-2018-14298", "CVE-2018-17616", "CVE-2018-11620", "CVE-2018-11619", "CVE-2018-14256", "CVE-2018-17620", "CVE-2018-14269", "CVE-2018-11618", "CVE-2018-14284", "CVE-2018-14299", "CVE-2018-14289", "CVE-2018-17624", "CVE-2018-11623", "CVE-2018-3924", "CVE-2018-14280", "CVE-2018-14252", "CVE-2018-14303", "CVE-2018-14282", "CVE-2018-14251", "CVE-2018-14250"], "description": "The host is installed with Foxit Reader and\n is prone to multiple code execution vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-07-20T00:00:00", "id": "OPENVAS:1361412562310813263", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813263", "type": "openvas", "title": "Foxit Reader 'JavaScript' Remote Code Execution Vulnerabilities (Windows)", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Foxit Reader 'JavaScript' Remote Code Execution Vulnerabilities (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright 
(C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation;\n# either version 2 of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:foxitsoftware:reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813263\");\n script_version(\"2019-07-05T10:16:38+0000\");\n script_cve_id(\"CVE-2018-11617\", \"CVE-2018-11618\", \"CVE-2018-11619\", \"CVE-2018-11620\",\n \"CVE-2018-11621\", \"CVE-2018-11622\", \"CVE-2018-11623\", \"CVE-2018-14241\",\n \"CVE-2018-14242\", \"CVE-2018-14243\", \"CVE-2018-14244\", \"CVE-2018-14245\",\n \"CVE-2018-14246\", \"CVE-2018-14247\", \"CVE-2018-14248\", \"CVE-2018-14249\",\n \"CVE-2018-14250\", \"CVE-2018-14251\", \"CVE-2018-14252\", \"CVE-2018-14253\",\n \"CVE-2018-14254\", \"CVE-2018-14255\", \"CVE-2018-14256\", \"CVE-2018-14257\",\n \"CVE-2018-14258\", \"CVE-2018-14259\", \"CVE-2018-14260\", \"CVE-2018-14261\",\n \"CVE-2018-14262\", \"CVE-2018-14263\", \"CVE-2018-14264\", \"CVE-2018-14265\",\n \"CVE-2018-14266\", \"CVE-2018-14267\", \"CVE-2018-14268\", \"CVE-2018-14269\",\n \"CVE-2018-14270\", \"CVE-2018-14271\", \"CVE-2018-14272\", \"CVE-2018-14273\",\n \"CVE-2018-14274\", \"CVE-2018-14275\", \"CVE-2018-14276\", \"CVE-2018-14277\",\n \"CVE-2018-14278\", 
\"CVE-2018-14279\", \"CVE-2018-14280\", \"CVE-2018-14281\",\n \"CVE-2018-14282\", \"CVE-2018-14283\", \"CVE-2018-14284\", \"CVE-2018-14285\",\n \"CVE-2018-14286\", \"CVE-2018-14287\", \"CVE-2018-14288\", \"CVE-2018-14289\",\n \"CVE-2018-14290\", \"CVE-2018-14291\", \"CVE-2018-14292\", \"CVE-2018-14293\",\n \"CVE-2018-14294\", \"CVE-2018-14297\", \"CVE-2018-14298\", \"CVE-2018-14299\",\n \"CVE-2018-14300\", \"CVE-2018-14301\", \"CVE-2018-14302\", \"CVE-2018-14303\",\n \"CVE-2018-14304\", \"CVE-2018-14305\", \"CVE-2018-14306\", \"CVE-2018-14307\",\n \"CVE-2018-14308\", \"CVE-2018-14309\", \"CVE-2018-14310\", \"CVE-2018-14311\",\n \"CVE-2018-14312\", \"CVE-2018-14313\", \"CVE-2018-14314\", \"CVE-2018-14315\",\n \"CVE-2018-14316\", \"CVE-2018-14317\", \"CVE-2018-3924\", \"CVE-2018-3939\",\n \"CVE-2018-17624\", \"CVE-2018-17622\", \"CVE-2018-17620\", \"CVE-2018-17621\",\n \"CVE-2018-17618\", \"CVE-2018-17619\", \"CVE-2018-17617\", \"CVE-2018-17615\",\n \"CVE-2018-17616\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 10:16:38 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-07-20 15:00:12 +0530 (Fri, 20 Jul 2018)\");\n script_name(\"Foxit Reader 'JavaScript' Remote Code Execution Vulnerabilities (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Foxit Reader and\n is prone to multiple code execution vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The user-after-free vulnerability that exists in the JavaScript, When\n executing embedded JavaScript code a document can be cloned. 
which frees\n a lot of used objects, but the JavaScript can continue to execute.\n\n - The use-after-free vulnerability found in the Javascript engine that can\n result in remote code execution.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Foxit Reader versions before 9.2 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Foxit Reader version 9.2\n or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php#content-2018\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_foxit_reader_detect_portable_win.nasl\");\n script_mandatory_keys(\"foxit/reader/ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npdfVer = infos['version'];\npdfPath = infos['location'];\n\nif(version_is_less(version:pdfVer, test_version:\"9.2\"))\n{\n report = report_fixed_ver(installed_version:pdfVer, fixed_version:\"9.2\", install_path:pdfPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}