Release date:
Updated on:
Affected Systems:
Foxit Reader
Description:
--------------------------------------------------------------------------------
Bugtraq id: 55734
Foxit Reader is a small PDF document viewer and print program.
Foxit Reader 5.4.3.0920 and other versions have a denial of service vulnerability when processing PDF files, which allows remote attackers to crash affected applications.
<* Source: coolkaveh *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
Title: Foxit Reader suffers from Division By Zero
Version: 5.4.3.0920
Date: 2012-09-28
Vendor: http://www.foxitsoftware.com/
Impact: Med/High
Contact: coolkaveh [at] rocketmail.com
Twitter: @coolkaveh
Tested: XP SP3
#####################################################################
Bug:
----
Division by zero vulnerability during the handling of the PDF files.
That will trigger a denial of service condition.
#####################################################################
(b34.f24): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00558c8c esp=0012f928 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Module load completed but symbols could not be loaded for FoxitReader_Lib_Full.exe
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7            div     eax,edi
0:000> r;!exploitable -v;q
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00558c8c esp=0012f928 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7            div     eax,edi
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
Exception Faulting Address: 0x558c8c
First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)
Faulting Instruction: 00558c8c div eax,edi
Basic Block:
    00558c8c div eax,edi
       Tainted Input Operands: ax, dx, eax, edi
    00558c8e cmp dword ptr [esp+3ch],eax
       Tainted Input Operands: eax
    00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
       Tainted Input Operands: CarryFlag
Exception Hash (Major/Minor): 0x6461647c.0x64616453
Stack Trace:
FoxitReader_Lib_Full+0x158c8c
Instruction Address: 0x0000000000558c8c
Description: Integer Divide By Zero
Short Description: DivideByZero
Recommended Bug Title: Integer Divide By Zero starting at FoxitReader_Lib_Full+0x0000000000158c8c (Hash=0x6461647c.0x64616453)
#####################################################################
Proof of concept .pdf encoded: http://www.exploit-db.com/sploits/21645.pdf
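Added example (not part of the original advisory and not Foxit's code): a Python triage helper that reads the register dump and the faulting "div eax,edi" line from the debugger output above and reports why the CPU raised the divide error. On x86, the 32-bit div instruction divides edx:eax by its operand and faults either on a zero divisor or when the quotient does not fit in 32 bits, so the check distinguishes the two. Assumptions: the page's dump is whitespace-normalized with edi read as 00000000; the second dump and the function name triage_div_fault are constructed for illustration.

```python
import re

# Register dump and faulting instruction as reported on this page
# (whitespace normalized; edi assumed to read 00000000).
PAGE_DUMP = """\
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00558c8c esp=0012f928 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
00558c8c f7f7 div eax,edi
"""

# Constructed contrast case (not from the page): nonzero divisor, but the
# quotient of edx:eax / edi does not fit in 32 bits.
OVERFLOW_DUMP = """\
eax=00000000 ebx=00000000 ecx=00000000 edx=00000002 esi=00000000 edi=00000001
eip=00401000 esp=0012ff00 ebp=0012ff10 iopl=0 nv up ei pl zr na pe nc
00401000 f7f7 div eax,edi
"""

REG_RE = re.compile(r"\b(e[a-z]{2})\s*=\s*([0-9a-f]{8})\b", re.I)
DIV_RE = re.compile(
    r"^[0-9a-f]{8}\s+[0-9a-f]+\s+div\s+eax\s*,\s*(e[a-z]{2})\s*$", re.I | re.M)


def triage_div_fault(dump: str) -> dict:
    """Classify an unsigned 32-bit div fault (CPU divide error) from a dump."""
    regs = {name.lower(): int(val, 16) for name, val in REG_RE.findall(dump)}
    m = DIV_RE.search(dump)
    if not m:
        raise ValueError("no 'div eax,<reg>' faulting instruction found")
    divisor_reg = m.group(1).lower()
    divisor = regs[divisor_reg]
    dividend = (regs["edx"] << 32) | regs["eax"]  # div r/m32 divides edx:eax
    if divisor == 0:
        cause = "zero divisor"
    elif dividend // divisor > 0xFFFFFFFF:
        cause = "quotient overflow"
    else:
        cause = "no fault expected"
    return {"divisor_reg": divisor_reg, "divisor": divisor,
            "dividend": dividend, "cause": cause}


if __name__ == "__main__":
    for label, dump in (("page", PAGE_DUMP), ("constructed", OVERFLOW_DUMP)):
        print(label, triage_div_fault(dump))
```

For the page's dump the helper reports a zero divisor in edi, which matches the STATUS_INTEGER_DIVIDE_BY_ZERO classification in the debugger output.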
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Foxit
-----
The vendor has not yet provided a patch or upgrade for this issue. Users of the software should watch the vendor's homepage to obtain the latest version:
http://www.foxitsoft.com/wac/server_intro.php