Monday, September 30, 2019

Vulnerability Spotlight: Foxit PDF Reader JavaScript Array.includes remote code execution vulnerability


Aleksandar Nikolic of Cisco Talos discovered this vulnerability.

Foxit PDF Reader contains a remote code execution vulnerability in its JavaScript engine. Foxit aims to be one of the most feature-rich PDF readers on the market, and offers many functions similar to those of Adobe Acrobat Reader. The software uses JavaScript at several different points when opening a PDF. A bug in the JavaScript reading function causes a large amount of memory to be allocated, which quickly uses up all available memory. An attacker could exploit this vulnerability to gain the ability to remotely execute code.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Foxit to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Foxit PDF Reader JavaScript Array.includes remote code execution vulnerability (TALOS-2019-0793/CVE-2019-5031)

An exploitable memory corruption vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.4.1.16828. A specially crafted PDF document can trigger an out-of-memory condition which isn't handled properly, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Foxit PDF Reader, version 9.4.1.16828, is affected by this vulnerability.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 49648, 49649
