After discovering over 100 vulnerabilities in Foxit Reader, I figured it was about time I shared a full exploit chain that defeats ASLR and DEP. The first vulnerability is an uninitialized buffer that I found independently and was later killed by bit from meepwn. I leveraged this for an information leak to defeat ASLR. The second vulnerability is a use-after-free that I found, killed and leveraged for remote code execution.

TL;DR I walk through exploiting a two different bugs chained together to achieve reliable code execution on a Windows 7 & 10 x86 desktop against Foxit Reader 9.0.1.1049. Introduction Foxit Reader and PhantomPDF Reader are marketed as Fast, Affordable & Secure PDF Solutions However, as Adobe is aware, PDF parsing is a complex task and quite often error prone. Many vulnerabilities have been found inside of clientside PDF parsers and the fact that they need to support JavaScript creates an additional attack surface and greatly facilitates exploitation. Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability This vulnerability was assigned CVE-2018-9948 and published as by the. It was discovered by myself and bit from meepwn, however bit beat me too it reporting it to the ZDI. That, unfortunately, is how it rolls sometimes.

Let’s take a look at some poc code. A minimised poc can be see below that will trigger the vulnerability:%PDF 1 0 obj > 2 0 obj > trailer > After enabling page heap, we can see we can read back the (in)famous 0xc0c0c0c0 magic marker of where uninitialized data is. Triggering CVE-2018-9948 There are a couple of things to note about this vulnerability. The first thing is that this vulnerability cannot be discovered via traditional fuzzing, since the application will never crash.

I built a windbg plugin to help detect these types of vulnerabilities called bridgit. Bridgit is a JavaScript bridge plugin for Foxit Reader that helps facilitate with vulnerability discovery and exploitation. The other thing to note that all the TypedArray’s are vulnerable with a single allocation (just like the advisory states). We can confirm this by using bridgit.

Mar 16, 2018 - Business license key, foxit phantompdf business registration code. Reshebnik praktikum po matematike dlya podgotovki k ct fedorako. Foxit e3z t81 pdf PhantomPDF Business 7 Full Version. Foxit phantom pdf.

(31c.f70): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. Eax=1911bfa0 ebx=00000000 ecx=1911bfa0 edx=18b08001 esi=193aaff8 edi=1845ffc8 eip=008ecfb9 esp=03b7e814 ebp=03b7e82c iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 FoxitReader!CertFreeCertificateChain+0x150bd9: 008ecfb9 8b01 mov eax,dword ptr [ecx] ds:0023:1911bfa0=???????? L4 FoxitReader!CertFreeCertificateChain+0x150bd9: 008ecfb9 8b01 mov eax,dword ptr [ecx] 008ecfbb 8b5008 mov edx,dword ptr [eax+8] 008ecfbe 56 push esi 008ecfbf ffd2 call edx This is classic use-after-free with a vtable call, so all we really need to do it control the allocation.

We already know that we can disclose memory locations. Exploitation We can disable page heap and set a breakpoint at the crash location to find the size of the freed object. • 2018-03-01 – Verified and sent to the • 2018-03-24 – Vulnerability acquired • 2018-03-30 – Vendor disclosure • 2018-04-20 – Patched and disclosed Conclusion Foxit Reader still has relatively little protections against memory corruption vulnerabilities. The developers rely heavily on operating system mitigations.

When you have a JavaScript attack surface, you best believe that operating system mitigations are not enough, application level mitigations such as control flow guard, isolated heap and a decent sandbox would have significantly impacted me in the development of this exploit. TypeArray's are simply too powerful againt most software products and facilitated immensely in the final exploit. They were used for the information disclosure (both.data and.text addresses), the heap spray and the object replacement.