Foxit Reader U3D Final Maximum Resolution Out-Of-Bounds Read Information Disclosure Vulnerability
Published: 2018-05-04T00:00:00
ID: ZDI-18-403
Type: zdi
Reporter: kdot
Modified: 2018-06-22T00:00:00
Description
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of the U3D Final Maximum Resolution attribute. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.
{"id": "ZDI-18-403", "bulletinFamily": "info", "title": "Foxit Reader U3D Final Maximum Resolution Out-Of-Bounds Read Information Disclosure Vulnerability", "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of the U3D Final Maximum Resolution attribute. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "published": "2018-05-04T00:00:00", "modified": "2018-06-22T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-403/", "reporter": "kdot", "references": ["https://www.foxitsoftware.com/support/security-bulletins.php"], "cvelist": ["CVE-2018-10493"], "type": "zdi", "lastseen": "2020-06-22T11:41:11", "edition": 1, "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-10493"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813156"]}], "modified": "2020-06-22T11:41:11", "rev": 2}, "score": {"value": 3.8, "vector": "NONE", "modified": "2020-06-22T11:41:11", "rev": 2}, "vulnersScore": 3.8}}
{"cve": [{"lastseen": "2020-12-09T20:25:30", "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of the U3D Final Maximum Resolution attribute. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5426.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2018-05-17T15:29:00", "title": "CVE-2018-10493", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10493"], "modified": "2020-08-28T15:10:00", "cpe": ["cpe:/a:foxitsoftware:phantompdf:9.0.1.1049", "cpe:/a:foxitsoftware:foxit_reader:9.0.1.1049"], "id": "CVE-2018-10493", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10493", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:foxitsoftware:phantompdf:9.0.1.1049:*:*:*:*:*:*:*", "cpe:2.3:a:foxitsoftware:foxit_reader:9.0.1.1049:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-07-17T14:18:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1180", "CVE-2018-5676", "CVE-2018-10476", "CVE-2018-9977", "CVE-2018-10495", "CVE-2018-10490", "CVE-2018-5680", "CVE-2018-9961", "CVE-2018-10493", "CVE-2018-9982", "CVE-2018-9935", "CVE-2018-1173", "CVE-2018-9968", "CVE-2018-9984", "CVE-2018-9951", "CVE-2018-10485", "CVE-2018-9964", "CVE-2018-5679", "CVE-2018-9952", "CVE-2018-10475", "CVE-2018-9979", "CVE-2018-9959", "CVE-2018-5677", "CVE-2018-9962", "CVE-2018-10303", "CVE-2018-1177", "CVE-2018-9963", "CVE-2018-9958", "CVE-2018-9940", "CVE-2018-9975", "CVE-2018-9941", "CVE-2018-9948", "CVE-2018-10483", "CVE-2018-5675", "CVE-2018-1178", "CVE-2018-10473", "CVE-2018-9971", "CVE-2018-3939", "CVE-2018-9947", "CVE-2018-10480", "CVE-2018-9954", "CVE-2018-9938", "CVE-2018-9939", "CVE-2018-10478", "CVE-2018-3843", "CVE-2018-9949", "CVE-2018-17623", "CVE-2018-1176", "CVE-2018-10474", "CVE-2018-10484", "CVE-2018-9976", "CVE-2018-9983", "CVE-2018-9981", "CVE-2018-10482", "CVE-2018-9956", "CVE-2018-10492", "CVE-2018-9936", "CVE-2017-17557", "CVE-2018-10302", "CVE-2018-5678", "CVE-2018-10477", "CVE-2018-10494", "CVE-2018-3853", "CVE-2018-10479", "CVE-2018-9972", "CVE-2018-9943", "CVE-2018-9974", "CVE-2018-10487", "CVE-2018-5674", "CVE-2018-1179", "CVE-2018-9965", "CVE-2018-9942", "CVE-2018-9980", "CVE-2018-9969", "CVE-2018-7407", "CVE-2018-3842", "CVE-2018-9978", "CVE-2018-9945", "CVE-2018-9955", "CVE-2018-9950", "CVE-2018-1174", "CVE-2018-9966", "CVE-2018-9957", "CVE-2018-9946", "CVE-2018-10486", "CVE-2018-9960", "CVE-2018-3924", "CVE-2018-1175", "CVE-2018-10488", "CVE-2018-9944", "CVE-2018-10489", "CVE-2018-9937", "CVE-2018-9967", "CVE-2018-9970", 
"CVE-2018-3850", "CVE-2018-10491", "CVE-2018-10481", "CVE-2018-9973", "CVE-2018-9953", "CVE-2017-14458"], "description": "The host is installed with Foxit Reader\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-04-25T00:00:00", "id": "OPENVAS:1361412562310813156", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813156", "type": "openvas", "title": "Foxit Reader Multiple Vulnerabilities-Apr18 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Foxit Reader Multiple Vulnerabilities-Apr18 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:foxitsoftware:reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813156\");\n script_version(\"2019-07-05T10:16:38+0000\");\n script_cve_id(\"CVE-2017-14458\", \"CVE-2017-17557\", \"CVE-2018-10302\", \"CVE-2018-10303\",\n \"CVE-2018-10473\", \"CVE-2018-10474\", \"CVE-2018-10475\", \"CVE-2018-10476\",\n \"CVE-2018-10477\", \"CVE-2018-10478\", \"CVE-2018-10479\", \"CVE-2018-10480\",\n \"CVE-2018-10481\", \"CVE-2018-10482\", \"CVE-2018-10483\", \"CVE-2018-10484\",\n \"CVE-2018-10485\", \"CVE-2018-10486\", \"CVE-2018-10487\", \"CVE-2018-10488\",\n \"CVE-2018-10489\", \"CVE-2018-10490\", \"CVE-2018-10491\", \"CVE-2018-10492\",\n \"CVE-2018-10493\", \"CVE-2018-10494\", \"CVE-2018-10495\", \"CVE-2018-1173\",\n \"CVE-2018-1174\", \"CVE-2018-1175\", \"CVE-2018-1176\", \"CVE-2018-1177\",\n \"CVE-2018-1178\", \"CVE-2018-1179\", \"CVE-2018-1180\", \"CVE-2018-3842\",\n \"CVE-2018-3843\", \"CVE-2018-3850\", \"CVE-2018-3853\", \"CVE-2018-5674\",\n \"CVE-2018-5675\", \"CVE-2018-5676\", \"CVE-2018-5677\", \"CVE-2018-5678\",\n \"CVE-2018-5679\", \"CVE-2018-5680\", \"CVE-2018-7407\", \"CVE-2018-9935\",\n \"CVE-2018-9936\", \"CVE-2018-9937\", \"CVE-2018-9938\", \"CVE-2018-9939\",\n \"CVE-2018-9940\", \"CVE-2018-9941\", \"CVE-2018-9942\", \"CVE-2018-9943\",\n \"CVE-2018-9944\", \"CVE-2018-9945\", \"CVE-2018-9946\", \"CVE-2018-9947\",\n \"CVE-2018-9948\", \"CVE-2018-9949\", \"CVE-2018-9950\", \"CVE-2018-9951\",\n \"CVE-2018-9952\", \"CVE-2018-9953\", \"CVE-2018-9954\", \"CVE-2018-9955\",\n \"CVE-2018-9956\", \"CVE-2018-9957\", \"CVE-2018-9958\", \"CVE-2018-9959\",\n \"CVE-2018-9960\", \"CVE-2018-9961\", 
\"CVE-2018-9962\", \"CVE-2018-9963\",\n \"CVE-2018-9964\", \"CVE-2018-9965\", \"CVE-2018-9966\", \"CVE-2018-9967\",\n \"CVE-2018-9968\", \"CVE-2018-9969\", \"CVE-2018-9970\", \"CVE-2018-9971\",\n \"CVE-2018-9972\", \"CVE-2018-9973\", \"CVE-2018-9974\", \"CVE-2018-9975\",\n \"CVE-2018-9976\", \"CVE-2018-9977\", \"CVE-2018-9978\", \"CVE-2018-9979\",\n \"CVE-2018-9980\", \"CVE-2018-9981\", \"CVE-2018-9982\", \"CVE-2018-9983\",\n \"CVE-2018-9984\", \"CVE-2018-3924\", \"CVE-2018-3939\", \"CVE-2018-17623\");\n script_bugtraq_id(105602);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 10:16:38 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-25 14:35:06 +0530 (Wed, 25 Apr 2018)\");\n script_name(\"Foxit Reader Multiple Vulnerabilities-Apr18 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Foxit Reader\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An error where the application passes an insufficiently qualified path in\n loading an external library when a user launches the application.\n\n - A heap buffer overflow error.\n\n - Multiple use-after-free errors.\n\n - The use of uninitialized new 'Uint32Array' object or member variables in\n 'PrintParams' or 'm_pCurContex' objects.\n\n - An incorrect memory allocation, memory commit, memory access, or array access.\n\n - Type Confusion errors.\n\n - An error in 'GoToE' & 'GoToR' Actions.\n\n - An out-of-bounds read error in the '_JP2_Codestream_Read_SOT' function.\n\n - An error since the application did not handle a COM object properly.\n\n - An error allowing users to embed executable files.\n\n - U3D out-of-bounds read, write and access 
errors.\n\n - U3D uninitialized pointer error.\n\n - U3D heap buffer overflow or stack-based buffer overflow error.\n\n - An error when the application is not running in safe-reading-mode and can\n be abused via '_JP2_Codestream_Read_SOT' function.\n\n - U3D Type Confusion errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial of service condition, execute arbitrary code and\n gain access to sensitive data from memory.\");\n\n script_tag(name:\"affected\", value:\"Foxit Reader versions 9.0.1.1049 and prior on windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Foxit Reader version 9.1 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.foxitsoftware.com/support/security-bulletins.php#content-2018\");\n script_xref(name:\"URL\", value:\"https://www.securitytracker.com/id/1040733\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_foxit_reader_detect_portable_win.nasl\");\n script_mandatory_keys(\"foxit/reader/ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npdfVer = infos['version'];\npdfPath = infos['location'];\n\n## 9.1 == 9.1.0.5096\nif(version_is_less(version:pdfVer, test_version:\"9.1.0.5096\"))\n{\n report = report_fixed_ver(installed_version:pdfVer, fixed_version:\"9.1\", install_path:pdfPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}