-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2017.0198
   Multiple vulnerabilities have been identified in Foxit Reader 9.0
                      and Foxit PhantomPDF 9.0.
                           15 November 2017
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Foxit Reader
                      Foxit PhantomPDF
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-14694
Member content until: Friday, December 15 2017

OVERVIEW

        Multiple vulnerabilities have been identified in Foxit Reader 9.0
        and Foxit PhantomPDF 9.0. [1]

IMPACT

        Foxit has provided the following details about the security
        vulnerabilities:

        "Brief
        Addressed potential issues where the application could be exposed
        to Type Confusion Remote Code Execution vulnerability. This occurs
        when executing certain XFA JavaScript functions in crafted PDF
        files since the application could transform non-CXFA_Node to
        CXFA_Node by force without judging the data type and use the
        discrepant CXFA_Node directly
        (ZDI-CAN-5015/ZDI-CAN-5016/ZDI-CAN-5017/ZDI-CAN-5018/
        ZDI-CAN-5019/ZDI-CAN-5020/ZDI-CAN-5021/ZDI-CAN-5022/ZDI-CAN-5027/
        ZDI-CAN-5029/ZDI-CAN-5288).

        Acknowledgement
        Steven Seeley (mr_me) of Offensive Security working with Trend
        Micro's Zero Day Initiative
        Anonymous working with Trend Micro's Zero Day Initiative

        Brief
        Addressed potential issues where the application could be exposed
        to Type Confusion Remote Code Execution vulnerability. This occurs
        when executing certain XFA FormCalc functions in crafted PDF files
        since the application could transform non-CXFA_Object to
        CXFA_Object by force without judging the data type and use the
        discrepant CXFA_Object directly (ZDI-CAN-5072/ZDI-CAN-5073).

        Acknowledgement
        Steven Seeley (mr_me) of Offensive Security working with Trend
        Micro's Zero Day Initiative

        Brief
        Addressed potential issues where the application could be exposed
        to Use-After-Free Remote Code Execution vulnerability due to the
        use of Annot object which has been freed
        (ZDI-CAN-4979/ZDI-CAN-4980/ZDI-CAN-4981/ZDI-CAN-5023/ZDI-CAN-5024/
        ZDI-CAN-5025/ZDI-CAN-5026/ZDI-CAN-5028).

        Acknowledgement
        Steven Seeley (mr_me) of Offensive Security working with Trend
        Micro's Zero Day Initiative

        Brief
        Addressed potential issues where when the application is not
        running in Safe-Reading-Mode, it could be exposed to Out-of-Bounds
        Read Information Disclosure vulnerability with abusing the
        _JP2_Codestream_Read_SOT function
        (ZDI-CAN-4982/ZDI-CAN-5013/ZDI-CAN-4976/ZDI-CAN-4977/ZDI-CAN-5012/
        ZDI-CAN-5244).

        Acknowledgement
        soiax working with Trend Micro's Zero Day Initiative
        kdot working with Trend Micro's Zero Day Initiative
        Carlos Garcia Prado working with Trend Micro's Zero Day Initiative

        Brief
        Addressed a potential issue where when the application is not
        running in Safe-Reading-Mode, it could be exposed to Out-of-Bounds
        Read Information Disclosure vulnerability due to abnormal memory
        access with abusing the lrt_jp2_decompress_write_stripe function
        call to open arbitrary file (ZDI-CAN-5014).

        Acknowledgement
        kdot working with Trend Micro's Zero Day Initiative

        Brief
        Addressed potential issues where the application could be exposed
        to Out-of-Bounds Read Information Disclosure vulnerability when
        rendering images with abusing the render.image function call to
        open a local PDF file (ZDI-CAN-5078/ZDI-CAN-5079).

        Acknowledgement
        Ashraf Alharbi (Ha5ha5hin) working with Trend Micro's Zero Day
        Initiative

        Brief
        Addressed a potential issue where when the application is not
        running in Safe-Reading-Mode, it could be exposed to Out-of-Bounds
        Read Information Disclosure vulnerability with abusing the
        GetBitmapWithoutColorKey function call to open an abnormal PDF
        file (ZDI-CAN-4978).

        Acknowledgement
        kdot working with Trend Micro's Zero Day Initiative

        Brief
        Addressed a potential issue where the application could be exposed
        to Out-of-Bounds Read Information Disclosure vulnerability due to
        uninitialized pointer with abusing the JP2_Format_Decom function
        call to open an abnormal PDF file (ZDI-CAN-5011).

        Acknowledgement
        kdot working with Trend Micro's Zero Day Initiative

        Brief
        Addressed potential issues where the application could be exposed
        to Use-After-Free Remote Code Execution vulnerability due to the
        inconsistency of XFA nodes and XML nodes after deletion during
        data binding (ZDI-CAN-5091/ZDI-CAN-5092/ZDI-CAN-5289).

        Acknowledgement
        Anonymous working with Trend Micro's Zero Day Initiative

        Brief
        Addressed potential issues where the application could be exposed
        to Use-After-Free Remote Code Execution vulnerability due to the
        use of document after it has been freed by closeDoc JavaScript
        (ZDI-CAN-5094/ZDI-CAN-5282/ZDI-CAN-5294/ZDI-CAN-5295/ZDI-CAN-5296).

        Acknowledgement
        Steven Seeley (mr_me) of Offensive Security working with Trend
        Micro's Zero Day Initiative
        Steven Seeley of Source Incite working with Trend Micro's Zero Day
        Initiative
        bit from meepwn team working with Trend Micro's Zero Day Initiative

        Brief
        Addressed a potential issue where when the application is running
        in single instance mode, it could be exposed to arbitrary code
        execution or denial of service vulnerability and fail to
        initialize PenInputPanel component by calling CoCreateInstance
        function when users open a PDF file by double click after
        launching the application (CVE-2017-14694).

        Acknowledgement
        Lin Wang, Beihang University, China

        Brief
        Addressed a potential issue where the application could be exposed
        to Buffer Overflow vulnerability when opening certain EPUB file due
        to the invalid length of size_file_name in CDRecord in the ZIP
        compression data.

        Acknowledgement
        Phil Blankenship of Cerberus Security

        Brief
        Addressed a potential issue where the application could be exposed
        to Type Confusion Remote Code Execution vulnerability when opening
        certain XFA files due to the use of discrepant data object during
        data binding (ZDI-CAN-5216).

        Acknowledgement
        Anonymous working with Trend Micro's Zero Day Initiative

        Brief
        Addressed a potential issue where the application could be exposed
        to Out-of-Bounds Read Information Disclosure vulnerability when
        the gflags app is enabled due to the incorrect resource loading
        which could lead to disordered file type filter (ZDI-CAN-5281).

        Acknowledgement
        Steven Seeley of Source Incite working with Trend Micro's Zero Day
        Initiative

        Brief
        Addressed a potential issue where the application could be exposed
        to Out-of-Bounds Read Information Disclosure vulnerability due to
        the calling of incorrect util.printf parameter (ZDI-CAN-5290).

        Acknowledgement
        Anonymous working with Trend Micro's Zero Day Initiative" [1]

MITIGATION

        It is recommended to upgrade to the latest version of Foxit Reader
        or Foxit PhantomPDF to correct these issues. [1]

REFERENCES

        [1] Security updates available in Foxit Reader 9.0 and Foxit
            PhantomPDF 9.0
            https://www.foxitsoftware.com/support/security-bulletins.php

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWgvPiIx+lLeg9Ub1AQjgdQ//e5BbeSe19JzyVM9SE2WTMMcuKZZgXbvy
d3Wn5C6do4Dkjgmy8kSeKDOAll0Z/PFdlYxAO7t27fDFHbgJP2iiEHTc+/MSQqT4
1bM0Z1QcM0Dgp5hLaCDerCBaGY+IYFdXoZVUtp2Ha4o2nQT5gkmtLZgVr6nx/+tD
S9iQe1J3MsBcYtJBwPhuDFTcVgk1NKaLW69PFcucIm1ruMIvkshD1OU3FQZJ9L58
jytVr3eu9kqtx0uZKSeCXmdbj6ONUoHatpcCAoEyrJOLLbYqk6b7I27FWkIZjpdB
dTSkn+l1stZR51hSLg7v58RdzLnu7LIfB0u4nvVdXLDH34ITkfHZGr4IKHoM6LmX
ZqqK/0oeLaza2EqB1m0y9TlaXm6IPZp5EZNHukVdyDFyQ6QQAA43KELWbZzqnUD9
kWlGm9SwTC809Edjm9LKKubvTryvoDMcjH4/MyloQPMxC1leDvE9ZdMJNR667iZi
L+ApMs6dJML3UMderXZTgZH/T37bXt++BzFukOaP0WX4+qyYGwjnWeeIrsbGiV2q
+rQzAwf0zkHjRT1E88XXq7arDVIUDil8EWG7ybLdhSBtxpup4ziUT39JnBzsVBpq
xrmHEL7VeC57fGKFgLgOmBmGAqQ9gc+Yo8HbM7mI6pOgowr3suHcn7S1g3HED0zh
grVIvZcNy90=
=K/XP
-----END PGP SIGNATURE-----