Affected version:
Foxit Reader
Vulnerability description:
Foxit Reader is a small PDF document viewer and print program.
Foxit Reader 5.4.3.0920 and other versions have a denial of service vulnerability when processing PDF files, which allows remote attackers to crash affected applications.
Test method:
Title: Foxit Reader suffers from Division By Zero
Version: 5.4.3.0920
Date: 2012-09-28
Vendor: http://www.foxitsoftware.com/
Impact: Med/High
Contact: coolkaveh [at] rocketmail.com
Twitter: @coolkaveh
tested: XP SP3
#############################################################################
Bug:
----
division by zero vulnerability during the handling of the pdf files.
that will trigger a denial of service condition

#############################################################################
(b34.f24): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00558c8c esp=0012f928 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Module load completed but symbols could not be loaded for FoxitReader_Lib_Full.exe
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7            div     eax,edi
0:000> r;!exploitable -v;q
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00558c8c esp=0012f928 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7            div     eax,edi
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
Exception Faulting Address: 0x558c8c
First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)

Faulting Instruction: 00558c8c div eax,edi

Basic Block:
    00558c8c div eax,edi
       Tainted Input Operands: ax, dx, eax, edi
    00558c8e cmp dword ptr [esp+3ch],eax
       Tainted Input Operands: eax
    00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
       Tainted Input Operands: CarryFlag

Exception Hash (Major/Minor): 0x6461647c.0x64616453

Stack Trace:
FoxitReader_Lib_Full+0x158c8c
Instruction Address: 0x0000000000558c8c

Description: Integer Divide By Zero
Short Description: DivideByZero
Recommended Bug Title: Integer Divide By Zero starting at FoxitReader_Lib_Full+0x0000000000158c8c (Hash=0x6461647c.0x64616453)
#############################################################################
Proof of concept .pdf: http://www.exploit-db.com/sploits/21645.pdf
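
The crash state above (edx:eax = 0x00000000ffffffff divided by edi = 0, with the quotient then compared against a stack value and followed by jae) is consistent with an overflow guard of the form count >= 0xFFFFFFFF / n evaluated before n is validated. That reading is an assumption, since the page has no source; the code below is an added example, not Foxit's code or the advisory author's, and its function names and input values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Fragile guard (hypothetical): the limit UINT32_MAX / elem_size is computed
 * before elem_size is validated. With elem_size == 0 the division traps
 * (x86 #DE, reported by Windows as STATUS_INTEGER_DIVIDE_BY_ZERO), so the
 * comparison meant to protect the multiplication never runs. */
static int size_fragile(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (count >= UINT32_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Hardened guard: reject a zero divisor first, then check for wraparound. */
static int size_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size == 0)
        return -2;                       /* malformed input, no division */
    if (count > UINT32_MAX / elem_size)
        return -1;                       /* count * elem_size would wrap */
    *out = count * elem_size;
    return 0;
}

int main(void)
{
    /* Constructed (count, elem_size) pairs standing in for file-derived values. */
    static const uint32_t cases[][2] = {
        {16, 8}, {0x10000, 0x10000}, {4, 0}, {UINT32_MAX, 1},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t out = 0;
        int rc = size_checked(cases[i][0], cases[i][1], &out);
        printf("count=%#x elem_size=%#x -> rc=%d size=%#x\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1], rc, (unsigned)out);
    }
    /* The fragile form is only called here with a non-zero divisor. */
    uint32_t out = 0;
    int rc = size_fragile(16, 8, &out);
    printf("fragile: rc=%d size=%u\n", rc, (unsigned)out);
    return 0;
}
```
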
Security suggestions:
Currently, the vendor has not provided a patch or upgrade. We recommend that users of the software watch the vendor's homepage to obtain the latest version:
http://www.foxitsoft.com/wac/server_intro.php