ESB-2017.2088 - ALERT [Win] Foxit Reader: Multiple vulnerabilities 2017-08-21

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2088
       Multiple vulnerabilities have been identified in Foxit Reader
                              21 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Foxit Reader
Publisher:         Zero Day Initiative
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Overwrite Arbitrary Files       -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2017-10951 CVE-2017-10952

Original Bulletin: 
   http://www.zerodayinitiative.com/advisories/ZDI-17-691/
   http://www.zerodayinitiative.com/advisories/ZDI-17-692/

Comment: This bulletin contains two (2) Zero Day Initiative security 
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

(0Day) Foxit Reader launchURL Command Injection Remote Code Execution Vulnerability

ZDI-17-691: August 17th, 2017

CVE ID

CVE-2017-10951

CVSS Score

6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Vendors

Foxit

Affected Products

Reader

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Foxit Reader. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page
or open a malicious file.

The specific flaw exists within the app.launchURL method. The issue results
from the lack of proper validation of a user-supplied string before it is
used to execute a system call. An attacker can leverage this vulnerability
to execute code under the context of the current process.

Vendor Response

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120-day deadline.

Foxit states:

"Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by
default to control the running of JavaScript, which can effectively guard
against potential vulnerabilities from unauthorized JavaScript actions."

05/18/17 - ZDI disclosed report to vendor
06/22/17 - ZDI inquired about status
06/26/17 - Vendor indicated that they could not reproduce the issue
06/26/17 - ZDI provided repro steps
06/26/17 - Vendor requested further repro details
07/06/17 - ZDI replied with a sample scenario and reiterated the need for a fix
07/20/17 - The vendor indicated this will not be fixed because this can be mitigated by Secure Mode
08/08/17 - ZDI communicated that the proposed mitigation is not a fix and that the case will move to 0-day status

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy
is to restrict interaction with the application to trusted files. The flaw is
reached through document JavaScript (app.launchURL), so Foxit's Safe Reading
Mode quoted above reduces exposure, but ZDI does not regard it as a fix.

Disclosure Timeline

2017-05-18 - Vulnerability reported to vendor
2017-08-17 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

Ariele Caltabiano (kimiya)

------------

(0Day) Foxit Reader saveAs Arbitrary File Write Remote Code Execution Vulnerability

ZDI-17-692: August 17th, 2017

CVE ID

CVE-2017-10952

CVSS Score

7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors

Foxit

Affected Products

Reader

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Foxit Reader. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page
or open a malicious file.

The specific flaw exists within the saveAs JavaScript function. The issue
results from the lack of proper validation of user-supplied data, which
can lead to writing arbitrary files into attacker-controlled locations. An
attacker can leverage this vulnerability to execute code under the context
of the current process.

Vendor Response

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120-day deadline.

Foxit states:

"Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by
default to control the running of JavaScript, which can effectively guard
against potential vulnerabilities from unauthorized JavaScript actions."

06/22/17 - ZDI disclosed report to vendor
06/22/17 - Vendor acknowledged and communicated fix would be included in next version
06/22/17 - The vendor indicated this will not be fixed because this can be mitigated by Secure Mode
07/06/17 - ZDI replied with a sample scenario and reiterated the need for a fix
07/20/17 - The vendor indicated this will not be fixed because this can be mitigated by Secure Mode
08/08/17 - ZDI communicated that the proposed mitigation is not a fix and that the case will move to 0-day status

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy
is to restrict interaction with the application to trusted files. The flaw is
reached through document JavaScript (saveAs), so Foxit's Safe Reading Mode
quoted above reduces exposure, but ZDI does not regard it as a fix.
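Restricting the reader to trusted files is a per-document triage decision, so a
practitioner needs a way to tell which incoming PDFs actually invoke the two
APIs named in these advisories. The Python scanner below is an added example
for this bulletin and is not ZDI's, Foxit's or AusCERT's code: it walks the PDF
object syntax, inflates FlateDecode streams, extracts every /JS action and
reports calls to launchURL (ZDI-17-691) and saveAs (ZDI-17-692), flagging
documents that wire the JavaScript to /OpenAction or /AA so that it fires on
open without a click. It assumes an unencrypted PDF whose /JS entries are
literal strings or references to plain or FlateDecode stream objects;
obfuscated JavaScript, hex-string /JS values and encrypted documents are out of
scope. The fixture returned by sample_pdf() is constructed for the example, with
a harmless URL and file path, and is not taken from any real-world sample.

```python
"""Triage scanner for PDFs whose JavaScript calls app.launchURL (ZDI-17-691) or
saveAs (ZDI-17-692).  Added example, not ZDI's, Foxit's or AusCERT's code.
Assumes an unencrypted PDF whose /JS entries are literal strings or references
to plain or FlateDecode streams; obfuscated or encrypted JavaScript is missed."""
import re
import zlib

RISKY_CALLS = ("launchURL", "saveAs")          # APIs named in the two advisories
AUTO_RUN_KEYS = (b"/OpenAction", b"/AA")        # actions that fire without a click
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_LITERAL_RE = re.compile(rb"/JS\s*\(")
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def pdf_string(data, start):
    """Decode the PDF literal string whose '(' is at data[start]: balanced parens
    nest, backslash escapes map through ESC (octal escapes keep their first digit)."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                          # escape: take the next byte
            i += 1
            out += ESC.get(data[i:i + 1], data[i:i + 1])
        elif c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    return bytes(out)                           # unterminated string


def stream_data(body):
    """Stream payload of one object body, inflated when /FlateDecode is set."""
    m = STREAM_RE.search(body)
    if not m:
        return b""
    raw = m.group(1)
    if b"/FlateDecode" not in body[:m.start()]:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw                              # corrupt stream: scan as-is


def javascript_sources(pdf):
    """Yield (object number, JavaScript bytes) for every inline or indirect /JS."""
    objs = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}
    for num, body in objs.items():
        for m in JS_LITERAL_RE.finditer(body):
            yield num, pdf_string(body, m.end() - 1)
        for m in JS_REF_RE.finditer(body):
            ref = int(m.group(1))
            if ref in objs:
                yield ref, stream_data(objs[ref])


def scan(pdf):
    """One finding per risky call; auto_run means an open/page/annotation event
    triggers the JavaScript, so the user never has to click anything."""
    auto_run = any(k in pdf for k in AUTO_RUN_KEYS)
    findings = []
    for num, js in javascript_sources(pdf):
        text = js.decode("latin-1")
        for api in RISKY_CALLS:
            for m in re.finditer(r"\b" + api + r"\s*\(", text):
                findings.append({"object": num, "api": api, "auto_run": auto_run,
                                 "snippet": text[m.start():m.start() + 60].strip()})
    return findings


def verdict(findings):
    """Map findings onto the advisories' 'trusted files only' policy."""
    if any(f["auto_run"] for f in findings):
        return "quarantine"                     # fires on open: treat as hostile
    return "review" if findings else "clean"


def sample_pdf():
    """Constructed fixture (not a real sample): /OpenAction runs an inline
    launchURL call; a widget's /AA points at a Flate stream that calls saveAs."""
    js = zlib.compress(b'var p = "/C/temp/out.txt";\nthis.saveAs(p);')
    return b"".join([
        b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [4 0 R] /Count 1 >>\nendobj\n",
        b'3 0 obj\n<< /S /JavaScript /JS (app.launchURL("https://example.com/", true);) >>\nendobj\n',
        b"4 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>\nendobj\n",
        b"5 0 obj\n<< /Type /Annot /Subtype /Widget /AA << /PO 6 0 R >> >>\nendobj\n",
        b"6 0 obj\n<< /S /JavaScript /JS 7 0 R >>\nendobj\n",
        b"7 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js),
        js, b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])
```

Calling scan(sample_pdf()) reports the launchURL call from object 3 and the
saveAs call from stream object 7 (the object that holds the code, not the
action that references it), and verdict() returns "quarantine" because the
catalog's /OpenAction runs the script before any user interaction. Point scan()
at the bytes of a real attachment to triage it; a "review" result means
JavaScript that calls one of the APIs only behind a user action, which still
warrants a look before the file is treated as trusted.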

Disclosure Timeline

2017-06-22 - Vulnerability reported to vendor
2017-08-17 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

Steven Seeley (mr_me) of Offensive Security

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================