ipadkillo.blogg.se

Foxit reader keeps crashing
A bit of introduction: last week we could all witness a familiar "It's a vuln - no it's not" dance, this time featuring Zero Day Initiative and Foxit Software. In short, ZDI reported to Foxit two security issues in its Reader and PhantomPDF products discovered by Steven Seeley and Ariele Caltabiano. Foxit said they would not fix these issues as their exploitation requires the user to disable Secure Mode and thus allow unsafe JavaScript code to execute. ZDI then moved to publish proof-of-concept details, which resulted in Foxit deciding to address these issues anyway.

Foxit stated that they would "add an additional guard in PhantomPDF/Reader code where when opening a PDF document contains these powerful (and thus potentially insecure) JavaScript functions, the software will check if the document is digitally signed by a verifiable/trustworthy person or entity. Only certified documents can run these powerful JS functions even when “Safe

They also announced their plan to "release a Reader/PhantomPDF 8.3.2 patch update this week (ETA Aug 25th) with additional guard against misuse of powerful (potentially insecure) JavaScript functions - this will make Foxit software

Finally, Alex Inführ reminded us that he also found and reported two similar issues to Foxit before.

We at 0patch like a challenge as much as the next guy. While we're usually patching memory corruption bugs (most critical remotely exploitable vulns are of that sort), we're happy to demonstrate that in-memory micropatching can just as well be used for fixing logical bugs - at least temporarily, until the official vendor fix is applied.

So we set about creating a micropatch for CVE-2017-10952, a vulnerability allowing a script inside a PDF document to use the saveAs function to save itself to an arbitrarily chosen location on the user's computer, using an arbitrarily chosen file extension. For example, a PDF document containing a block with some script anywhere in it could simply save itself as an HTA file (locally executable HTML file) in the user's StartUp folder like this:

"/AppData/Roaming/Microsoft/Windows/STARTM~1/Programs/Startup/si.hta")

As a result, when the user logged in to Windows the next time, this HTA file would get executed.

Reproducing the issue was simple: we downloaded and installed the latest version of Foxit Reader (8.5) and put the above code into a sample PDF file to get our POC. Opening the POC in Foxit Reader with default/recommended configuration resulted in the Safe Reading Mode warning. Pressing "OK" was enough to disable Safe Reading Mode and get our code executed. Indeed, si.hta got created in the StartUp folder.
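A defender-side triage check for the saveAs behaviour described above, added here as an example and not taken from the original post or from 0patch: it inflates FlateDecode streams in a PDF and flags saveAs calls whose target is an autostart folder, a directly executable extension, or a traversal path. The extension list, function names and sample document are assumptions constructed for this example.

```python
import re
import zlib

# Assumed list of extensions Windows runs directly; tune for your environment.
RISKY_EXT = (".hta", ".js", ".vbs", ".bat", ".cmd", ".exe", ".lnk")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
SAVEAS_RE = re.compile(rb"saveAs\s*\(([^)]*)\)")
LITERAL_RE = re.compile(rb"[\"']([^\"']*)[\"']")


def script_bodies(pdf):
    """Yield the raw bytes, then every stream that inflates (FlateDecode)."""
    yield pdf
    for match in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates a trailer clipped by the EOL before endstream
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data: the raw pass above already covered it


def saveas_findings(pdf):
    """Return sorted (reason, argument) pairs for suspicious saveAs calls."""
    found = set()
    for body in script_bodies(pdf):
        for call in SAVEAS_RE.finditer(body):
            arg = call.group(1).decode("latin-1").strip()
            # Join the string literals so "a" + x + "b.hta" is still judged.
            path = "".join(
                lit.decode("latin-1") for lit in LITERAL_RE.findall(call.group(1))
            ).lower().replace("\\", "/")
            if path.endswith(RISKY_EXT):
                found.add(("executable extension", arg))
            if "/startup/" in path or "/startm~1/" in path:
                found.add(("autostart folder", arg))
            if "../" in path:
                found.add(("path traversal", arg))
    return sorted(found)


# Constructed sample: one Flate-compressed script stream and one benign call.
_JS = b'this.saveAs("/c/demo/Start Menu/Programs/Startup/demo.hta");'
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(_JS)
    + b"\nendstream\nendobj\n"
    b'3 0 obj\n<< /S /JavaScript /JS (this.saveAs("/c/demo/report.pdf");) >>\nendobj\n'
)
```

The check reads only literal strings, so a path assembled entirely at run time is not caught; treat a hit as a reason to inspect the document, not as a verdict.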