SB2018042003 - Multiple vulnerabilities in Foxit Reader and PhantomPDF
Published: April 20, 2018
Description
This security bulletin contains information about 17 security vulnerabilities.
1) Insecure DLL loading (CVE-ID: N/A)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to an insecure .dll loading mechanism when opening files. A remote attacker can place a file along with a specially crafted .dll file on a remote SMB or WebDAV share, trick the victim into opening it and execute arbitrary code on the target system with the privileges of the victim.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
2) Heap-based buffer overflow (CVE-ID: CVE-2017-17557)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a heap-based buffer overflow. A remote attacker can abuse certain function calls, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
3) Use-after-free error (CVE-ID: CVE-2017-14458)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to the use of a freed object when executing JavaScript or invoking certain functions to get object properties. A remote attacker can trigger a use-after-free error and execute arbitrary code.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
4) Memory corruption (CVE-ID: CVE-2018-3842)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a boundary error. A remote attacker can use an uninitialized new Uint32Array object or uninitialized member variables in PrintParams or m_pCurContex objects, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
5) Memory corruption (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to a boundary error. A remote attacker can use an uninitialized new Uint32Array object or uninitialized member variables in PrintParams or m_pCurContex objects, trigger memory corruption and gain access to arbitrary data.
6) Out-of-bounds read (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information or cause a DoS condition on the target system.
The weakness exists due to incorrect memory allocation, memory commit, memory access, or array access. A remote attacker can trigger an out-of-bounds read and access arbitrary data or cause the service to crash.
7) Out-of-bounds write (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to incorrect memory allocation, memory commit, memory access, or array access. A remote attacker can trigger an out-of-bounds write and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
8) Type confusion (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists when executing certain XFA functions in crafted PDF files: the application can cast a non-CXFA_Object to CXFA_Object without checking the data type and then use the mismatched CXFA_Object to get the layout object directly. A remote attacker can trick the victim into opening a specially crafted file, trigger a type confusion error and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
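The pattern behind item 8 (an unchecked downcast to CXFA_Object followed by a direct layout lookup) beside its tag-checked form, as an added C++ illustration. This is not Foxit code: only the class name CXFA_Object comes from the bulletin; the object layout, type tag and helper functions are hypothetical.

```cpp
// Added illustration, not Foxit code. CXFA_Object is named in the bulletin;
// everything else here (CPDF_Node, ObjType, LayoutItem) is a hypothetical stand-in.
#include <cstdint>
#include <memory>
#include <vector>

enum class ObjType : uint8_t { Generic, XFA };

// Base class shared by every node; carries a runtime type tag.
struct CPDF_Node {
    explicit CPDF_Node(ObjType t) : type(t) {}
    virtual ~CPDF_Node() = default;
    ObjType type;
};

struct LayoutItem { int width; int height; };

// Only XFA objects own a layout item.
struct CXFA_Object : CPDF_Node {
    CXFA_Object(int w, int h) : CPDF_Node(ObjType::XFA), layout{w, h} {}
    LayoutItem layout;
};

// A non-XFA node with a smaller memory layout and no LayoutItem.
struct CPDF_Generic : CPDF_Node {
    CPDF_Generic() : CPDF_Node(ObjType::Generic) {}
};

// Vulnerable pattern (the bug class the bulletin describes): the caller assumes
// every node is a CXFA_Object and reads .layout through a blind cast. For a
// CPDF_Generic the read lands past the object, i.e. type confusion. Shown for
// contrast only; never call it with anything but a real CXFA_Object.
const LayoutItem* GetLayoutUnchecked(CPDF_Node* node) {
    return &static_cast<CXFA_Object*>(node)->layout;
}

// Hardened form: verify the type tag before the downcast and fail closed.
const LayoutItem* GetLayoutChecked(CPDF_Node* node) {
    if (node == nullptr || node->type != ObjType::XFA) return nullptr;
    return &static_cast<CXFA_Object*>(node)->layout;
}

// Walks a mixed node list and counts the lookups the checked form refused.
int CountRefused(const std::vector<std::unique_ptr<CPDF_Node>>& nodes) {
    int refused = 0;
    for (const auto& n : nodes)
        if (GetLayoutChecked(n.get()) == nullptr) ++refused;
    return refused;
}
```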
9) Use-after-free error (CVE-ID: CVE-2018-3853)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a use-after-free error. A remote attacker can cause the application to continue traversing pages after the document has been closed, or to free certain objects repeatedly, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
10) Use-after-free error (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to a use-after-free error. A remote attacker can cause the application to continue traversing pages after the document has been closed, or to free certain objects repeatedly, trigger memory corruption and access arbitrary data.
11) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to an unspecified flaw. A remote attacker can abuse GoToE & GoToR Actions to open or run arbitrary executable applications and access arbitrary data.
12) Remote code execution (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an unspecified flaw. A remote attacker can abuse GoToE & GoToR Actions to open or run arbitrary executable applications and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
13) Out-of-bounds read (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to an out-of-bounds read when the application is not running in Safe-Reading-Mode. A remote attacker can abuse the _JP2_Codestream_Read_SOT function, trigger memory corruption and access arbitrary data.
14) Use-after-free error (CVE-ID: CVE-2018-3850)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to the use of an object that has been closed or removed. A remote attacker can trigger a use-after-free error and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
15) Type confusion (CVE-ID: CVE-2018-3843)
The vulnerability allows a remote attacker to obtain potentially sensitive information or execute arbitrary code on the target system.
The weakness exists due to a dereference of an object of an invalid type. A remote attacker can trick the victim into opening a specially crafted file, trigger a type confusion error when parsing files with an associated file annotation, and access arbitrary data or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
16) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to improper handling of a COM object. A remote attacker can trick the victim into opening a PDF file in a browser from Microsoft Word and cause the service to crash.
17) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to improper input validation. A remote attacker can embed executable files into a PDF portfolio from within the application, bypass security restrictions and execute an arbitrary application.
Remediation
Install the update from the vendor's website.