Thursday, April 19, 2018

Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader

Overview

Talos is disclosing five vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.  Update to the current version of Foxit PDF Reader.

Details

Vulnerabilities Discovered by Aleksandar Nikolic

TALOS-2017-0506

TALOS-2017-0506 / CVE-2017-14458 in an exploitable use-after-free vulnerability that exists specifically in the JavaScript engine of Foxit PDF Reader. When executing embedded JavaScript code, a document can be closed, which essentially frees up a lot of used objects, but the JavaScript can continue to execute. Taking advantage of this, a specially crafted PDF document can trigger a previously freed object in memory to be reused, which results in arbitrary code execution. There are a couple of different ways an adversary could leverage this attack, including tricking a user into opening a malicious PDF. Or, if the browser plugin is enabled, simply viewing the document on the internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0525

TALOS-2018-0525 / CVE-2018-3842 results from an exploitable use of an uninitialized pointer in the Javascript engine in the Foxit PDF Reader that can result in remote code execution. A specially craft PDF file could trigger this vulnerability. There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0526

TALOS-2018-0526 / CVE-2018-3843 results from a type confusion vulnerability in the way Foxit PDF reader parses files with associated extensions. A specially crafted PDF file could trigger this vulnerability resulting in sensitive memory disclosure or, potentially, arbitrary code execution.  There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0532

TALOS-2018-0532 / CVE-2018-3850 is a use-after-free vulnerability that exists in the Javascript engine of the Foxit PDF Reader. This specific vulnerability lies in the 'this.xfa.clone()' method, which results in a use-after-free condition. A specially crafted PDF file could trigger this vulnerability resulting in sensitive memory disclosure or, potentially, arbitrary code execution.  There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0536

TALOS-2018-0536 / CVE-2018-3853 is a use-after-free vulnerability that exists in the JavaScript engine of the Foxit PDF Reader. The specific vulnerability lies in combinations of the 'createTemplate' and 'closeDoc' methods related to the JavaScript functionality of Foxit PDF Reader. A specially crafted PDF file could trigger this vulnerability resulting in sensitive memory disclosure or, potentially, arbitrary code execution.  There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 45158-45159, 45608-45609, 45652-45653, 45715-45716, 45823-45824





No comments:

Post a Comment