Thursday, July 19, 2018

Vulnerability Spotlight: Foxit PDF Reader JavaScript Remote Code Execution Vulns

Overview

Discovered by Aleksandar Nikolic of Cisco Talos.

Talos is disclosing a pair of vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.

TALOS-2018-0588



TALOS-2018-0588 / CVE-2018-3924 is an exploitable user-after-free vulnerability that exists in the JavaScript engine of Foxit's PDF Reader. As a complete feature-rich PDF reader Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code a document can be cloned, which frees a lot of used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'mailForm' method of the active document resulting in arbitrary code execution.

A specially crafted PDF file could trigger this vulnerability. There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0606


TALOS-2018-0606 / CVE-2018-3939 is an exploitable use-after-free vulnerability found in the Javascript engine that can result in remote code execution.  As a complete feature-rich PDF reader Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code a document can be closed, which frees a lot of used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the 'createTemplate' method of the active document resulting in arbitrary code execution.

A specially crafted PDF file could trigger this vulnerability. There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

Coverage


The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 46457-46458, 46864-46865

For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: http://www.talosintelligence.com/vulnerability-reports/

To review our Vulnerability Disclosure Policy, please visit this site:
http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html

No comments:

Post a Comment