##################################################################################### Application: Foxit Reader PDF Parsing Memory Corruption Platforms: Windows Versions: 7.2.8.1124 and earlier Author: Francis Provencher of COSIG Website: http://www.protekresearchlab.com/ Twitter: @COSIG_ ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) POC ##################################################################################### =============== 1) Introduction =============== Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing. (http://en.wikipedia.org/wiki/Foxit_Reader) ##################################################################################### ============================ 2) Report Timeline ============================ 2015-12-18: Francis Provencher from Protek Research Lab’s found the issue; 2016-01-02: Foxit Security Response Team confirmed the issue; 2016-01-21: Foxit fixed the issue; ##################################################################################### ============================ 3) Technical details ============================ This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. A specially crafted PDF can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. ##################################################################################### =========== 4) POC =========== http://protekresearchlab.com/exploits/COSIG-2016-02.pdf https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39330.zip ###############################################################################