<<< Date Index >>>     <<< Thread Index >>>

Foxit Reader Multiple Vulnerabilities (CORE-2009-0218)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

Foxit Reader Multiple Vulnerabilities



1. *Advisory Information*

Title: Foxit Reader Multiple Vulnerabilities
Advisory ID: CORE-2009-0218
Advisory URL:
http://www.coresecurity.com/content/foxit-reader-vulnerabilities
Date published: 2009-03-09
Date of last update: 2009-03-09
Vendors contacted: Foxit Software
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Authorization bypass, Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 34035
CVE Name: CVE-2009-0836, CVE-2009-0837


3. *Vulnerability Description*

Foxit Reader is a lightweight, free PDF document viewer and printer. PDF
files may include actions (i.e., 'Go to a page view', 'Open/Execute a
file', 'Open a web link', 'Execute a menu item') associated with
different triggers (i.e., 'Mouse Up', 'Mouse Down', 'Page Visible',
'Page Invisible'). The way Foxit Reader handles an 'Open/Execute a file'
action makes the software victim of two kinds of vulnerabilities:
authorization bypass and buffer overflow.


4. *Vulnerable packages*

   . Foxit Reader 3.0 build 1120
   . Foxit Reader 3.0 build 1301
   . Older 3.0 builds are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

   . Foxit Reader 3.0 build 1506


6. *Vendor Information, Solutions and Workarounds*

The latest version 3.0 build 1506 of Foxit Reader has been released.
Please download the latest version from
http://www.foxitsoftware.com/downloads/ and visit the Foxit security
page for details at http://www.foxitsoftware.com/pdf/reader/security.htm.


7. *Credits*

These vulnerabilities were discovered and researched by Francisco Falcón
from Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

PDF files may include actions (i.e., 'Go to a page view', 'Open/Execute
a file', 'Open a web link', 'Execute a menu item') associated with
different triggers (i.e., 'Mouse Up', 'Mouse Down', 'Page Visible',
'Page Invisible'). The way Foxit Reader handles an 'Open/Execute a file'
action makes the software victim of two kinds of vulnerabilities.

The first one is an authorization bypass vulnerability (CVE-2009-0836).
If an 'Open/Execute a file' action is defined in the PDF file, when the
trigger condition is satisfied, Foxit Reader will open/execute the file
defined by the creator of the PDF file without asking the user for
confirmation. A proof of concept PDF file is included [4].

The second one is a stack-based buffer overflow (CVE-2009-0837). If an
'Open/Execute a file' action is defined in the PDF file with an overly
long filename argument, when the trigger condition is satisfied it will
cause a stack-based buffer overflow, because the application tries to
copy the filename argument to a fixed-size buffer in the stack without
properly checking that the buffer is large enough to hold the filename
string. Proof of concept PDF file also included [5].

If an 'Open/Execute a file' is defined in a PDF file, when the trigger
condition is satisfied, Foxit Reader first determines if the filename
argument has a relative path:

/-----------

00403029  |>  50            PUSH EAX
     ; /Path
0040302A  |.  FF15 10278D00 CALL DWORD PTR
DS:[<&SHLWAPI.PathIsRelativeA>]   ; \PathIsRelativeA
        
- -----------/

 If the 'PathIsRelativeA' API returns True, then Foxit Reader will
append the path of the current PDF file at the beginning of the filename
string. If the filename argument is large enough, it will cause a
stack-based buffer overflow when the application tries to concatenate
the path and the filename:

/-----------

004030B2  |>  55            PUSH EBP                                 ; /Arg5
004030B3  |.  50            PUSH EAX                                 ;
|Arg4 = filename with relative path
004030B4  |.  8D8424 600500>LEA EAX,DWORD PTR SS:[ESP+560]           ; |
004030BB  |.  8D8C24 200400>LEA ECX,DWORD PTR SS:[ESP+420]           ; |
004030C2  |.  50            PUSH EAX                                 ;
|Arg3 = path of the current PDF file
004030C3  |.  55            PUSH EBP                                 ; |Arg2
004030C4  |.  51            PUSH ECX                                 ;
|Arg1 = destination stack buffer
004030C5  |.  E8 06ED0A00   CALL Foxit_Re.004B1DD0                   ;
\Foxit_Re.004B1DD0
        
- -----------/

 Inside the function beginning at address 004B1DD0, the application
first copies the path of the current PDF file to the buffer located in
the stack:

/-----------

004B1DED  |>  8B75 08       MOV ESI,DWORD PTR SS:[EBP+8]             ;
ESI = destination stack buffer
004B1DF0  |>  8B55 10       MOV EDX,DWORD PTR SS:[EBP+10]            ;
EDX = path of the current PDF file
004B1DF3  |.  85D2          TEST EDX,EDX
004B1DF5  |.  8BCA          MOV ECX,EDX
004B1DF7  |.  74 28         JE SHORT Foxit_Re.004B1E21
004B1DF9  |.  8A02          MOV AL,BYTE PTR DS:[EDX]
004B1DFB  |.  84C0          TEST AL,AL
004B1DFD  |.  74 22         JE SHORT Foxit_Re.004B1E21
004B1DFF  |>  8806          /MOV BYTE PTR DS:[ESI],AL                ;
copy path to stack buffer
004B1E01  |.  8A41 01       |MOV AL,BYTE PTR DS:[ECX+1]
004B1E04  |.  46            |INC ESI
004B1E05  |.  41            |INC ECX
004B1E06  |.  84C0          |TEST AL,AL
004B1E08  |.^ 75 F5         \JNZ SHORT Foxit_Re.004B1DFF
        
- -----------/

 And after that, it appends the filename string:

/-----------

004B1E1D  |.  C606 5C       MOV BYTE PTR DS:[ESI],5C                 ;
append a '\' at the end of the path
004B1E20  |.  46            INC ESI                                  ;
point to the next destination byte
004B1E21  |>  8B45 14       MOV EAX,DWORD PTR SS:[EBP+14]            ;
EAX = filename with relative path
004B1E24  |.  85C0          TEST EAX,EAX
004B1E26  |.  8BC8          MOV ECX,EAX
004B1E28  |.  74 0F         JE SHORT Foxit_Re.004B1E39
004B1E2A  |.  8A00          MOV AL,BYTE PTR DS:[EAX]
004B1E2C  |>  84C0          /TEST AL,AL
004B1E2E  |.  74 09         |JE SHORT Foxit_Re.004B1E39
004B1E30  |.  8806          |MOV BYTE PTR DS:[ESI],AL                ;
copy filename to stack buffer
004B1E32  |.  8A41 01       |MOV AL,BYTE PTR DS:[ECX+1]
004B1E35  |.  46            |INC ESI
004B1E36  |.  41            |INC ECX
004B1E37  |.^ EB F3         \JMP SHORT Foxit_Re.004B1E2C
        
- -----------/

 Otherwise, if the filename argument has an absolute path, Foxit Reader
simply copies the filename to a buffer in the stack without checking its
length:

/-----------

004030FE  |.  8BF7          MOV ESI,EDI
     ; ESI = source filename argument
00403100  |.  8BFA          MOV EDI,EDX
     ; EDI = destination stack buffer
00403102  |.  C1E9 02       SHR ECX,2
     ; ECX = number of dwords to copy
00403105  |.  F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR
DS:[ESI]   ; BUFFER OVERFLOW
        
- -----------/

 In both cases, with relative or absolute path, if the filename is large
enough, it will cause a buffer overflow in the stack, making it possible
for the attacker to overwrite return addresses and the Structured
Exception Handler, allowing the execution of arbitrary code with the
privileges of the current user.

Attackers may embed JavaScript code in the PDF file to spray the heap
with their shellcode before triggering the buffer overflow vulnerability.


9. *Report Timeline*

. 2009-02-20: Core Security Technologies notifies the Foxit Reader team
of the vulnerability.
. 2009-02-23: The Foxit Reader team asks Core for a technical
description of the vulnerability.
. 2009-02-23: Technical details sent to Foxit Reader team by Core.
. 2009-02-25: Vendor confirms the bugs and patches: a prompt was added
for local file execution and a length check for the buffer overflow.
Vendor comments that the patches will be sent to Core for confirmation.
. 2009-02-25: Core acknowledges and says that the patches will be tested.
. 2009-02-27: Vendor sends a link to download the patched Foxit Reader.
. 2009-03-03: Vendor asks for any information regarding the patch
confirmation.
. 2009-03-03: Core confirms the authorization bypass bug was fixed but
the buffer overflow fix raise another, more difficult to exploit, issue
related to a missing check of API HeapReAlloc returning a valid pointer
or not.
. 2009-03-04: Vendor says that once they detect a memory reallocation
failure, they will clear the buffer and make it empty.
. 2009-03-04: Core suggests that the proper thing to do is to enforce a
maximum length limit on the filename argument, as explained on
programming documentation [2].
. 2009-03-04: Vendor says that in the reallocation fail scenario, as the
application is already running out of memory, there is no way to
gracefully and reliably close the application.
. 2009-03-05: Core informs the vendor that the authorization bypass bug
has been independently discovered by another security researcher and
published on the Internet [3]. Also suggests to publish the patches and
advisory on the planned schedule, March 9th, disregarding any delay due
to the missing check in the patch including the call to HeapReAlloc.
. 2009-03-06: Vendor sends a new version and asks for fix.
. 2009-03-09: Vendor releases patches for this flaw to its customers.
. 2009-03-09: The advisory CORE-2009-0218 is published by Core and the
vendor is notified that the buffer overflow patch works as expected.


10. *References*

[1] Foxit Software Company http://www.foxitsoftware.com/
[2] File Names, Paths, and Namespaces
http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx
[3] Simple Remote code execution in PDF still riding..
http://blog.zoller.lu/2009/03/remote-code-execution-in-pdf-still.html
[4] Authorization bypass
http://www.coresecurity.com/files/attachments/CORE-2009-0218-PoC-authorization-bypass.pdf
[5] Buffer overflow
http://www.coresecurity.com/files/attachments/CORE-2009-0218-PoC-BOF.pdf


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJtXCwyNibggitWa0RAu8GAJ45qFT1lQnIKHD7TZEKcvKkSWtRegCfRHun
pTg5BtPWfDaeHh/o0Jc//Cw=
=M175
-----END PGP SIGNATURE-----