Foxit Reader Divide-by-Zero Denial of Service Vulnerability and Fix


Affected version:
Foxit Reader
Vulnerability description:

 
Foxit Reader is a small PDF document viewer and print program.
 
Foxit Reader 5.4.3.0920 and other versions have a denial of service vulnerability when processing PDF files, which allows remote attackers to crash affected applications.

Test method:
The program (method) provided on this site may be offensive and is to be used only for security research and teaching. Use it at your own risk!
Title: Foxit Reader suffers from Division By Zero
Version: 5.4.3.0920
Date: 2012-09-28
Vendor: http://www.foxitsoftware.com/
Impact: Med/High
Contact: coolkaveh [at] rocketmail.com
Twitter: @coolkaveh
Tested: XP SP3
#####################################################################
Bug:
----
division by zero vulnerability during the handling of the pdf files.
that will trigger a denial of service condition

#####################################################################
(b34.f24): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00558c8c esp=0012f928 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Module load completed but symbols could not be loaded for FoxitReader_Lib_Full.exe
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7 div eax,edi
0:000> r;!exploitable -v;q
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00558c8c esp=0012f928 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7 div eax,edi
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
Exception Faulting Address: 0x558c8c
First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)

Faulting Instruction: 00558c8c div eax,edi

Basic Block:
00558c8c div eax,edi
Tainted Input Operands: ax, dx, eax, edi
00558c8e cmp dword ptr [esp+3ch],eax
Tainted Input Operands: eax
00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
Tainted Input Operands: CarryFlag

Exception Hash (Major/Minor): 0x6461647c.0x64616453

Stack Trace:
FoxitReader_Lib_Full+0x158c8c
Instruction Address: 0x0000000000558c8c

Description: Integer Divide By Zero
Short Description: DivideByZero
Recommended Bug Title: Integer Divide By Zero starting at FoxitReader_Lib_Full+0x0000000000158c8c (Hash=0x6461647c.0x64616453)
#####################################################################
Proof of concept .pdf encoded: http://www.exploit-db.com/sploits/21645.pdf
Security suggestions:
The vendor has not yet provided a patch or upgrade. Users of the software should watch the vendor's homepage for the latest version:
 
http://www.foxitsoft.com/wac/server_intro.php
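
The debugger output in the test section can be triaged mechanically when sorting crash dumps. The script below is an added example, not part of the original advisory: it parses the WinDbg lines quoted above and confirms that the faulting div has a zero divisor register. The function names and the result layout are assumptions made for illustration.

```python
import re

# WinDbg lines transcribed from the advisory above (spacing normalised).
CRASH_LOG = """\
(b34.f24): Integer divide-by-zero - code c0000094 (first chance)
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00558c8c esp=0012f928 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7 div eax,edi
"""

STATUS_INTEGER_DIVIDE_BY_ZERO = 0xC0000094
REG32 = ("eax", "ebx", "ecx", "edx", "esi", "edi", "eip", "esp", "ebp")
REG_RE = re.compile(r"\b(%s)\s*=\s*([0-9a-fA-F]{8})\b" % "|".join(REG32))
CODE_RE = re.compile(r"code ([0-9a-fA-F]{8})")
# address, opcode bytes, div/idiv, optional implicit "eax," operand, divisor register
INSN_RE = re.compile(
    r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(i?div)\s+(?:eax,\s*)?(\w+)\s*$", re.M)


def parse_registers(log):
    """Return {register: int} for each 32-bit register printed in the log."""
    return {name: int(value, 16) for name, value in REG_RE.findall(log)}


def triage(log):
    """Summarise a div/idiv fault; None if the log lacks the needed lines.

    Only register divisors are handled; a memory operand returns None.
    """
    code, insn = CODE_RE.search(log), INSN_RE.search(log)
    if not code or not insn:
        return None
    regs = parse_registers(log)
    exception = int(code.group(1), 16)
    divisor = regs.get(insn.group(3))
    return {
        "exception": exception,
        "fault_addr": int(insn.group(1), 16),
        "divisor_reg": insn.group(3),
        "divisor_value": divisor,
        # a 32-bit div divides the 64-bit value edx:eax by its operand
        "dividend": (regs.get("edx", 0) << 32) | regs.get("eax", 0),
        "zero_divisor": exception == STATUS_INTEGER_DIVIDE_BY_ZERO and divisor == 0,
    }


if __name__ == "__main__":
    print(triage(CRASH_LOG))
```

A result with zero_divisor set to True matches the DivideByZero classification shown in the !exploitable output: the process stops at the div instruction, and nothing in this output shows a memory write.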
 
