Two Zero-Day vulnerabilities discovered in Foxit PDF reader

Security researchers have discovered two critical zero-day vulnerabilities in Foxit PDF Reader that could allow attackers to execute arbitrary code on a targeted computer if Safe Reading Mode is not enabled.

The first vulnerability (CVE-2017-10951) is a command injection bug discovered by researcher Ariele Caltabiano, while the second (CVE-2017-10952) is an arbitrary file write issue found by security researcher Steven Seeley.

An attacker can exploit these bugs by sending a specially crafted PDF file to a Foxit user and luring them into opening it.

Foxit declined to patch these vulnerabilities because they do not work when the “Safe Reading Mode” feature, which fortunately comes enabled by default in Foxit Reader, is active. Researchers, however, believe that relying on a mitigation does not fix the vulnerabilities completely: if they remain unpatched, they could be exploited should attackers find a way to bypass Safe Reading Mode in the near future.

Both unpatched vulnerabilities can be triggered through the JavaScript API in Foxit Reader.

CVE-2017-10951: The command injection bug resides in the app.launchURL function, which executes attacker-supplied strings on the targeted system due to a lack of proper validation, as demonstrated in the video given below.

CVE-2017-10952: This vulnerability exists within the “saveAs” JavaScript function, which allows attackers to write an arbitrary file to any chosen location on a targeted system, as demonstrated in the video given below.

“This vulnerability was exploited by embedding an HTA file in the document, then calling saveAS to write it to the startup folder, thus executing arbitrary VBScript code on startup,” reads the advisory published by the ZDI.
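As an added example (not from this post, Foxit or the ZDI), the following Python triage script pulls JavaScript out of an uncompressed PDF and counts references to the two API functions named above, so a defender can flag documents worth a closer look before they reach a reader with JavaScript actions enabled; the sample document embedded in it is constructed and carries no payload.

```python
import re
SUSPICIOUS_CALLS = ("app.launchURL", "saveAs")   # the APIs the advisories name
_JS_KEY = re.compile(rb"/JS\s*(?=[(<])")          # /JS followed by a PDF string
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def _read_literal(data, start):
    # PDF literal string: balanced parentheses, backslash escapes the next byte.
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i]
        if c == 0x5C:
            out += data[i + 1:i + 2]; i += 2; continue
        depth += (c == 0x28) - (c == 0x29)
        if depth == 0:
            break
        if i > start:
            out.append(c)
        i += 1
    return bytes(out)

def _read_hex(data, start):
    # PDF hex string <...>; whitespace between digits is ignored.
    end = data.index(b">", start)
    return bytes.fromhex(re.sub(rb"\s", b"", data[start + 1:end]).decode())

def extract_js(pdf_bytes):
    """Collect JS from /JS strings and uncompressed streams (Flate-compressed
    streams would need zlib inflation first, which this triage script skips)."""
    found = []
    for m in _JS_KEY.finditer(pdf_bytes):
        pos = m.end()
        reader = _read_literal if pdf_bytes[pos] == 0x28 else _read_hex
        found.append(reader(pdf_bytes, pos).decode("latin-1"))
    for m in _STREAM.finditer(pdf_bytes):
        if any(n.encode() in m.group(1) for n in SUSPICIOUS_CALLS):
            found.append(m.group(1).decode("latin-1"))
    return found

def flag_calls(pdf_bytes):
    """Map each suspicious API name to how often it appears in the file's JS."""
    js = "\n".join(extract_js(pdf_bytes))
    return {name: js.count(name) for name in SUSPICIOUS_CALLS}

# Constructed sample (no payload): literal-string, hex-string and stream forms.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b'2 0 obj << /S /JavaScript /JS (app.launchURL("file:///placeholder");) >> endobj\n'
    b"3 0 obj << /S /JavaScript /JS <7468 6973 2E73 6176 6541 7328 293B> >> endobj\n"
    b"4 0 obj << /Length 20 >> stream\nvar f = this.saveAs;\nendstream endobj\n%%EOF\n"
)
```

A non-zero count is a reason to open the file in a sandbox or with JavaScript actions disabled, not proof of malice, since legitimate forms also use these APIs.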
MITIGATION & PREVENTION

Ensure that you have the “Safe Reading Mode” feature enabled. Additionally, you can uncheck “Enable JavaScript Actions” in Foxit’s Preferences menu, although this may break some functionality.

Always be vigilant when opening files you receive via email, as in the case of opening a malicious PowerPoint file that could compromise your computer with malware.

Author: Cognore
