Foxit patched a dozen vulnerabilities in its PDF reader software this week, more than half of which could allow an attacker to directly execute arbitrary code on vulnerable installations of the product. The company released version 8.0 of its Foxit Reader and Foxit PhantomPDF on Monday, addressing vulnerabilities in builds 126.96.36.1991 and earlier of the product. Details around the issues weren’t publicly disclosed until two days later, on Wednesday, in coordination with the Zero Day Initiative.
Like most PDF vulnerabilities, user interaction is required to exploit any of the vulnerabilities, meaning an attacker would have to trick a user into either visiting a malicious page or opening a malicious PDF file. While eight of the vulnerabilities can directly result in remote code execution, technically all of the vulnerabilities could be used to execute code; some just need to be chained together with other vulnerabilities to do so. Five of the issues stem from a flaw in ConvertToPDF plugin, a Windows shell extension Foxit installs on machines alongside the Reader software for converting PDF files or combining supported files. To exploit the vulnerabilities an attacker could use an image file – either a BMP, TIFF, GIF, or JPEG image – to trigger a read memory past the end of an allocated buffer, or object. From there, depending on the vulnerability, an attacker could either leverage the vulnerability as is, or use it in conjunction with other vulnerabilities to “execute code in the context of the current process.” Some of the lower tier bugs exist in specialized functionalities within the software. Like one that exists in the way Reader reads embedded SWF files inside PDF files. Since the files run outside the “Safe Mode” context, an attacker could use the bug to disclose sensitive information on vulnerable builds of the Reader. Additional flaws exist in other functions within the software, like the decoder FlateDecode, exportData, how it handles the GoToR action, and how it handles PDF patterns. In exportData, because of a restrictions vulnerability, the software fails to properly check the path passed to exportData. With FlateDecode, a FlateDecode stream can force a dangling pointer to be reused after it has been freed. In memory safety, when dangling pointers get reused and memory isn’t allocated for it, it could lead to a use-after-free vulnerability, a memory corruption flaw that could be leveraged by hackers to execute arbitrary code. The GoToR action could lead to a stack buffer overflow, which could also allow an attacker unauthorized access and execute code. Researchers from Tencent’s Xuanwu LAB, Source Incite, and Fortinet’s Fortiguard Labs, many who worked alongside ZDI to disclose them, helped dig up the bugs. It’s the fourth time the company has patched Reader, a piece of software the company claims 400 million people use to view PDFs, this year.