COSIG-2016-02

#####################################################################################

Application: Foxit Reader PDF Parsing Memory Corruption

Platforms: Windows

Versions: 7.2.8.1124 and earlier

Author: Francis Provencher of COSIG

Website: http://www.protekresearchlab.com/

Twitter: @COSIG_

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing.

(http://en.wikipedia.org/wiki/Foxit_Reader)

#####################################################################################

============================
2) Report Timeline
============================

2015-12-18: Francis Provencher from Protek Research Lab’s found the issue;
2016-01-02: Foxit Security Response Team confirmed the issue;
2016-01-21: Foxit fixed the issue;
#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader.

User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

A specially crafted PDF can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability

to execute arbitrary code under the context of the current process.

#####################################################################################

===========

4) POC

===========

Here

###############################################################################