Foxit Reader zero Denial of Service Vulnerability

Source: Internet
Author: User
Tags tainted

Release date:
Updated on:

Affected Systems:
Foxit Reader
Description:
--------------------------------------------------------------------------------
Bugtraq id: 55734

Foxit Reader is a small PDF document viewer and print program.

Foxit Reader 5.4.3.0920 and other versions have a denial of service vulnerability when processing PDF files, which allows remote attackers to crash affected applications.

<* Source: coolkaveh
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Title: Foxit Reader suffers from Division By Zero
Version: 5.4.3.0920
Date: 2012-09-28
Vendor: http://www.foxitsoftware.com/
Impact: Med/High
Contact: coolkaveh [at] rocketmail.com
Twitter: @ coolkaveh
Tested: XP SP3
######################################## #############################
Bug:
----
Division by zero vulnerability during the handling of the pdf files.
That will trigger a denial of service condition

######################################## #############################
(B34.f24): Integer divide-by-zero-code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Eax = ffffffff
Ebx= 00000000
Ecx= 00000000
Edx = 00000000
Esi = 00000000
Edi = 1, 00000000
Eip = 00558c8c
Esp = 0012f928
Ebp = 1, 00000000
Iopl = 0 nv up ei pl zr na pe nc
Cs = 001b ss = 0023 ds = 0023 es = 0023 fs = 003b gs = 0000 efl = 00010246
* ** ERROR: Module load completed but symbols cocould not be loaded for FoxitReader_Lib_Full.exe
FoxitReader_Lib_Full + 0x158c8c:
00558c8c f7f7 div eax, edi
0: 000> r ;! Exploitable-v; q
Eax = ffffffff
Ebx= 00000000
Ecx= 00000000
Edx = 00000000
Esi = 00000000
Edi = 1, 00000000
Eip = 00558c8c
Esp = 0012f928
Ebp = 00000000 iopl = 0 nv up ei pl zr na pe nc
Cs = 001b ss = 0023 ds = 0023 es = 0023 fs = 003b gs = 0000 efl = 00010246
FoxitReader_Lib_Full + 0x158c8c:
00558c8c f7f7 div eax, edi
How.achine \ HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
* ** ERROR: Symbol file cocould not be found. Defaulted to export symbols for ntdll. dll-
Exception Faulting Address: 0x558c8c
First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)

Faulting Instruction: 00558c8c div eax, edi

Basic Block:
00558c8c div eax, edi
Tainted Input Operands: ax, dx, eax, edi
00558c8e cmp dword ptr [esp + 3ch], eax
Tainted Input Operands: eax
00558c92 jae foxitreader_lib_full + 0x158f06 (00558f06)
Tainted Input Operands: CarryFlag

Exception Hash (Major/Minor): 0x6461647c. 0x64616453

Stack Trace:
FoxitReader_Lib_Full + 0x158c8c
Instruction Address: 0x0000000000558c8c

Description: Integer Divide By Zero
Short Description: DivideByZero
Recommended Bug Title: Integer Divide By Zero starting at FoxitReader_Lib_Full + 0x0000000000158c8c (Hash = 0x6461647c. 0x64616453)
######################################## #############################

Proof of concept. pdf encoded: http://www.exploit-db.com/sploits/21645.pdf

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Foxit
-----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.foxitsoft.com/wac/server_intro.php

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.