SB2018072304 - Multiple vulnerabilities in Foxit Reader and Foxit PhantomPDF
Published: July 23, 2018 Updated: July 30, 2018
Security Bulletin ID
SB2018072304
Severity
High
Patch available
YES
Number of vulnerabilities
14
Exploitation vector
Remote access
Highest impact
Code execution
Description
This security bulletin contains information about 14 security vulnerabilities.
1) Use-after-free error (CVE-ID: CVE-2018-3924)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a use-after-free error when handling malicious input. A remote attacker can trick the victim into opening a specially crafted PDF file, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
2) Use-after-free error (CVE-ID: CVE-2018-3939)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a use-after-free error when handling malicious input. A remote attacker can trick the victim into opening a specially crafted PDF file, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
3) Out-of-bounds memory access (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information or execute arbitrary code on the target system.
The weakness exists when parsing or converting JPG files due to an access violation on a pointer. A remote attacker can trick the victim into opening a specially crafted JPG file, trigger an out-of-bounds read/write and gain access to arbitrary data or execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
4) Type confusion (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion when calling the addAdLayer function, because a certain object used by the function is replaced. A remote attacker can trick the victim into opening a specially crafted PDF file and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
5) Arbitrary file write (CVE-ID: N/A)
The vulnerability allows a remote attacker to write arbitrary files on the target system.
The weakness exists due to insufficient validation of the file type to be exported. A remote attacker can write arbitrary files when the exportAsFDF or exportData JavaScript function is executed and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
6) Type confusion (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion when executing certain JavaScript functions, because the application can transform a non-XFA node into an XFA node and then use the mismatched XFA node directly. A remote attacker can trick the victim into opening a specially crafted PDF file and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
7) Improper input validation (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists because an array object is transformed into, and used as, a dictionary object in cases where an inline image dictionary contains an invalid dictionary end symbol and an array start symbol. A remote attacker can trick the victim into opening a specially crafted PDF file, release the inline image, add a new array object and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
8) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists because the application can expose credentials when executing GoToE and GoToR actions. A remote attacker can obtain a valid user's credentials.
9) Heap-based buffer overflow (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a heap-based buffer overflow when handling malicious input. A remote attacker can trick the victim into opening a specially crafted PDF file, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
10) Integer overflow (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a heap-based buffer overflow when handling malicious input. A remote attacker can trick the victim into opening a specially crafted PDF file, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
11) Type confusion (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion when the application parses “ColorSpace” within a PDF. A remote attacker can trick the victim into opening a specially crafted PDF file, replace the ICCBased color space with a Pattern color space and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
12) Out-of-bounds read (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information or cause a DoS condition on the target system.
The weakness exists due to improper handling of the process when executing the GetAssociatedPageIndex function. A remote attacker can trigger an out-of-bounds read, gain access to arbitrary data and cause the service to crash.
13) Buffer overflow (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to a buffer overflow when executing the JavaScript statement var test = new ArrayBuffer(0xfffffffe). A remote attacker can trick the victim into opening a specially crafted PDF file, trigger memory corruption and cause the application to crash.
14) Use-after-free error (CVE-ID: CVE-2018-14442)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a use-after-free error when handling malicious input. A remote attacker can trick the victim into opening a specially crafted PDF file, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
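A triage scanner for the JavaScript- and action-based items in this bulletin (4, 5, 8 and 13), added here as an illustrative example and not taken from the bulletin or from Foxit; the rule names, the minimal PDF layout in build_sample_pdf and the sample JavaScript are all constructed for the demonstration. It looks inside FlateDecode streams so compressed JavaScript is not missed, but it cannot detect the pure memory-corruption items (1, 2, 3, 9, 10, 14), which only the vendor patch addresses.

```python
import re
import zlib

# String-level indicators for items 4, 5, 8 and 13 of this bulletin. Rule names are
# hypothetical; the patterns are a triage heuristic, not a vendor signature.
INDICATORS = {
    "js_export_call": re.compile(rb"\b(exportAsFDF|exportData)\s*\("),
    "js_addAdLayer_call": re.compile(rb"\baddAdLayer\s*\("),
    "js_huge_arraybuffer": re.compile(rb"new\s+ArrayBuffer\s*\(\s*0x[fF]{7}[eE]\s*\)"),
    "action_gotor_gotoe": re.compile(rb"/S\s*/GoTo[RE]\b"),
}

def _stream_bodies(data: bytes):
    """Yield each stream body raw and, if it inflates as Flate data, inflated too,
    so indicators inside compressed JavaScript streams are not missed."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        body = m.group(1)
        yield body
        try:
            # decompressobj tolerates a trailing byte eaten by the EOL match above
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # not Flate-encoded (or corrupt); the raw body was already yielded

def scan_pdf_bytes(data: bytes) -> list:
    """Return the sorted names of every indicator found in the raw file or its streams."""
    hits = set()
    for chunk in [data, *_stream_bodies(data)]:
        for name, pattern in INDICATORS.items():
            if pattern.search(chunk):
                hits.add(name)
    return sorted(hits)

def build_sample_pdf(js: str) -> bytes:
    """Constructed minimal PDF whose OpenAction runs `js` from a FlateDecode stream."""
    body = zlib.compress(js.encode("latin-1"))
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    flagged = build_sample_pdf('this.exportAsFDF({ cPath: "form.fdf" });')
    print(scan_pdf_bytes(flagged))                                  # ['js_export_call']
    print(scan_pdf_bytes(build_sample_pdf("app.alert('hello');")))  # []
```

A hit only means the document uses an API or action named in this bulletin and deserves a closer look; the export and go-to functions are legitimate in many forms, so this is a prioritisation aid, not a verdict.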
Remediation
Install the update from the vendor's website.