Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader


Vulnerabilities discovered by Aleksandar Nikolic of Cisco Talos

Overview


Cisco Talos is disclosing eightteen vulnerabilities in Foxit PDF Reader, a popular free program for viewing, creating and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin.



Details

 

TALOS-2018-0607


TALOS-2018-0607 / CVE-2018-3940 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees numerous of used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'removeDataObject' method of the active document, resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack, including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.


TALOS-2018-0608


TALOS-2018-0608 / CVE-2018-3941 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees numerous used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'getNthFieldName' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.


TALOS-2018-0609


TALOS-2018-0609 / CVE-2018-3942 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees numerous of used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'getPageRotation' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack, including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.


TALOS-2018-0610


TALOS-2018-0610 / CVE-2018-3943 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees many used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'getPageBox' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.


TALOS-2018-0611


TALOS-2018-0611 / CVE-2018-3944 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees several used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'JSON.Stringify' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.


TALOS-2018-0612


TALOS-2018-0612 / CVE-2018-3945 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees numerous of used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'this.info' object followed by calling the 'JSON.stringify' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.


TALOS-2018-0613


TALOS-2018-0613 / CVE-2018-3946 is an exploitable use-after-free vulnerability found in the JavaScript engine that can result in remote code execution. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code, a document can be closed, which frees numerous used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'getPageNthWord' method of the active document resulting in arbitrary code execution.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.

TALOS-2018-0628


TALOS-2018-0628 references a total of six separate use-after-free vulnerabilities (CVE-2018-3957, CVE-2018-3958, CVE-2018-3959, CVE-2018-3960, CVE-2018-3961, CVE-2018-3962) found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.


TALOS-2018-0629


TALOS-2018-0629 / CVE-2018-3964 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code. This particular vulnerability leverages the invocation of the 'getPageNumWords' method of the active document with a crafted object as an argument.


There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.


TALOS-2018-0630


TALOS-2018-0630 / CVE-2018-3965 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code. This particular vulnerability leverages a saved reference to the 'this.bookmarkRoot.children' object, triggering the use-after-free condition.

There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.


TALOS-2018-0631


TALOS-2018-0631 / CVE-2018-3966 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader which can be abused to execute arbitrary code. This particular vulnerability leverages a saved reference to the 'this.dataObjects' object, triggering the use-after-free condition.


There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.


TALOS-2018-0632


TALOS-2018-0632 / CVE-2018-3967 is a use-after-free vulnerability found in the JavaScript engine of Foxit PDF Reader that can be abused to execute arbitrary code. This particular vulnerability leverages a saved reference to the 'this.event.target' object, triggering the use-after-free condition.


There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted, malicious PDF or, if the browser plugin is enabled, the user could trigger the exploit by viewing the document in a web browser. Full details of the vulnerability can be found here.


TALOS-2018-0660


TALOS-2018-0660/CVE-2018-3992 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, it can also be triggered by visiting a malicious site.

As a complete feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition. Full details of the vulnerability can be found here.


TALOS-2018-0661


TALOS-2018-0661/CVE-2018-3993 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, it can also be triggered by visiting a malicious site.

This particular vulnerability lies in the way optional content groups (OCG) are manipulated. Saving an OCG and then accessing it's properties after the document is closed can trigger a use-after-free condition. Full details of the vulnerability can be found here.


TALOS-2018-0662


TALOS-2018-0662/CVE-2018-3994 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader, version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which frees numerous used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition.

Calling `app.activeDocs[0].calculateNow()` while opening a page allocates an extra object on the heap. When the code in the open action for the whole document is executed, calling `app.activeDocs[0].importDataObject();` can then dereference a freed object, leading to use-after-free condition. Full details of the vulnerability can be found here.


TALOS-2018-0663


TALOS-2018-0663/CVE-2018-3995 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at the precise moment after the document is closed can lead to use-after-free condition.

This particular vulnerability lies in saving a reference to the `SignatureInfo` object by invoking the `signatureInfo` method of a form field. When the document is closed, objects are freed and a use-after-free condition occurs if a stale reference is accessed. Full details of the vulnerability can be found here.


TALOS-2018-0664


TALOS-2018-0664/CVE-2018-3996 a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader, version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. A user could also trigger the vulnerability by visiting a malicious site while the browser plugin is enabled. As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have JavaScript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition.

This particular vulnerability lies in invoking `isDefaultChecked` method of a field object with crafted object as argument, which can trigger a use-after-free condition. Full details of the vulnerability can be found here.


TALOS-2018-0665


TALOS-2018-0665/CVE-2018-3997 is a use-after-free vulnerability in the JavaScript engine of Foxit PDF Reader version 9.2.0.9297. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. A user could also trigger the vulnerability by visiting a malicious site while the browser plugin is enabled

As a feature-rich PDF reader, Foxit supports JavaScript for interactive documents and dynamic forms. A multipage PDF document can have Javascript actions attached to "page open" and "page close" events. When executing embedded JavaScript code, a document can be closed, which essentially frees numerous of used objects, but the JavaScript can continue to execute. Changing a page at a precise moment after the document is closed can lead to use-after-free condition.

If a reference to `SeedValue` object is saved by invoking `signatureGetSeedValue` method of a form field and the document is closed, objects are freed and accessing a stale reference results in a use-after-free condition. Full details of the vulnerability can be found here.


Coverage


The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 45158 - 45159, 45608 - 45609, 45652 - 45653, 45715 - 45716, 45823 - 45824, 46864 - 46865, 47727 - 47728


Share: Email, ReBlog, Twitter, Facebook, Pinterest, Google+
Newer Post: Newer Post
Older Post: Older Post
Date:
Edit this post

Discussion

Powered by Manual Template
Name

.NET 0-day 0day ACDSee Adobe advisory adwind AMP Android Antenna House antivirus apple APT arbitrary code execution Attribution Automation Bahamut BASS beers with talos bitcoin Bitvote Black Hat botnet Brazil BRKSEC-2010 CASC chrome cisco Cisco Live Cisco Security Clam AV ClamAV Cobalt group code injection command injection conferences Coverage cryptocurrency cryptomining CSV CTA CVE-2016-8610 CVE-2017-0199 cve-2017-11882 CVE-2017-5638 CVE-2018-3857 CVE-2018-3858 CVE-2018-3859 CVE-2018-3860 CVE-2018-3870 CVE-2018-3871 CVE-2018-8506 cybercrime dark cloud DDE Decryptor Def Con detection dispute DOC DoS Excel Exploit exploit kits RTF fast flux Flash formbook Foscam Foxit Fuzzing gandcrab google GoScanSSH gozi gplayed GravityRAT Group123 Hangul healthcare HWP Hyland IcedID ICS IDA Pro IMAP incident response India inesap infostealer intel iOS IoT iot malware iPhone IR isfb jRAT JScript kernel mode KevDroid Korea Linux macros MalDoc Malware Malware Analysis Malware Research MDM meltdown meraki Microsoft Microsoft Patch Tuesday Middle East miners mining mobile device management monero Moxa ms tuesday natus NavRAT new router malware NordVPN North Korea nvidia Office office router attack Olympic Destoryer Olympic Destroyer Olympics opsec password stealer patch tuesday PDF phishing PhotoLine PLC podcast pony Powershell privilege escalation ProntoVPN PTEX PubNub PubNubRAT py2exe Pyeongchang pyrebox python Qatar ransomware RAT remcos remote access tool remote code execution research research spotlight reven ReversingLabs Rocke Rockwell Automation ROKRAT rootkit rtf ruby ryptoShuffler samsam samsung Scriptlets security updates sennoma signatures SimpleDirect Media Layer smartthings Smoke Loader Snort Snort Rules Sony South Korea spam spectre spyeye stealer steam struts support Talos TALOS-2017-0507 talosintelligence.com telegrab telegram Tetrane Thanatos ThanatosDecryptor threat intelligence Threat Research Threat Research Summit Threat Round-up Threat Roundup ThreatGrid threats TIFF trickbot trojan TTRS Umbrella ursnif VBScript VMI vpn filter attack VPNFiler VPNFilter VPNFilter malware vuln dev vulndev vulnerabilities Vulnerability vulnerability analysis Vulnerability Report Vulnerability Research vulnerability spotlight vulnerabillity vulnerable routers Whitepaper Windows WindowsCodecs.dll wipers xamarin XSS
false
ltr
item
materialize material: Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader
Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX6ON4VgRWy00QtM44EvuSQ7DSCkHGk79ks5EIzM9t27kF4mxyb0mSaRxS0cI79ieYSaR6AeGezD7IfMBDNPiBHOcqPsTKPE9bbvpqBn7mneEz1pIcXgfnyWAO685g51BR1ctfL4Au5-Uj/s640/spotlight_vulnerability.jpg
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX6ON4VgRWy00QtM44EvuSQ7DSCkHGk79ks5EIzM9t27kF4mxyb0mSaRxS0cI79ieYSaR6AeGezD7IfMBDNPiBHOcqPsTKPE9bbvpqBn7mneEz1pIcXgfnyWAO685g51BR1ctfL4Au5-Uj/s72-c/spotlight_vulnerability.jpg
materialize material
https://materialize-material.blogspot.com/2018/10/vulnerability-spotlight-multiple-issues.html
https://materialize-material.blogspot.com/
http://materialize-material.blogspot.com/
http://materialize-material.blogspot.com/2018/10/vulnerability-spotlight-multiple-issues.html
true
1816414542238562206
UTF-8
Not found any posts Not found any related posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU Tag ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Contents See also related Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS CONTENT IS PREMIUM Please share to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy