SB2020093001 - Multiple vulnerabilities in Foxit Reader and PhantomPDF




Published: September 30, 2020 Updated: October 7, 2020

Security Bulletin ID: SB2020093001
Severity: High
Patch available: YES
Number of vulnerabilities: 14
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 71%, Medium 14%, Low 14%

Description

This security bulletin contains information about 14 security vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2020-26534)

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error: the Opt object is used after it has been deleted by a call to the Field::ClearItems method during execution of the Field::DeleteOptions method. A remote attacker can create a specially crafted PDF file, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


2) Out-of-bounds write (CVE-ID: CVE-2020-26535)

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the V8 JavaScript engine. The error results from a failure to properly handle the case where the index returned by the TslAlloc function during the allocation of thread local storage exceeds the limits acceptable to the V8 JavaScript engine. A remote attacker can create a specially crafted PDF file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.


3) NULL pointer dereference (CVE-ID: CVE-2020-26536)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a NULL pointer dereference error when processing PDF files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a NULL pointer dereference error and execute arbitrary code on the system.


4) Out-of-bounds write (CVE-ID: CVE-2020-26537)

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a boundary error within the handling of Shading. A remote attacker can create a specially crafted PDF file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.


5) Untrusted search path (CVE-ID: CVE-2020-26538)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists during application installation, as the installer file searches for taskkill.exe in the current working directory. A remote attacker can trick the victim into launching the installer file from a remote SMB share and execute arbitrary code on the system.
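A defensive pre-launch check for the search-path issue described above, as an added example that is not code from the vendor or from this bulletin. It flags an installer started from a UNC share or from a directory that holds a file shadowing a system helper, and shows the absolute-path form a fixed launcher would use. The names `installer.exe`, `fileserver`, the extra helper `cmd.exe` and the default `C:\Windows` root are assumptions.

```python
import ntpath
import os
import tempfile

# Helper names an installer may launch by bare name. taskkill.exe is the one
# named in the bulletin; cmd.exe is a constructed extra for illustration.
HELPERS = ("taskkill.exe", "cmd.exe")


def is_unc(path):
    """True for UNC (network share) paths, using Windows path rules on any host OS."""
    drive, _ = ntpath.splitdrive(path)
    return drive[:2] in ("\\\\", "//")


def planted_helpers(directory, helpers=HELPERS):
    """Names in `directory` that shadow a helper (Windows names are case-insensitive)."""
    wanted = {h.lower() for h in helpers}
    return sorted(n for n in os.listdir(directory) if n.lower() in wanted)


def safe_helper_path(name, system_root=r"C:\Windows"):
    """Absolute System32 path to launch instead of the bare name (assumed root)."""
    if ntpath.basename(name) != name:
        raise ValueError("helper must be a bare file name")
    return ntpath.join(system_root, "System32", name)


def assess(launch_path, directory):
    """Report both risk signals for one installer launch."""
    found = planted_helpers(directory)
    remote = is_unc(launch_path)
    return {"remote_share": remote, "planted": found, "risky": remote or bool(found)}


def demo():
    # Constructed sample: installer.exe sits beside a planted TaskKill.EXE.
    with tempfile.TemporaryDirectory() as d:
        for name in ("installer.exe", "TaskKill.EXE", "readme.txt"):
            open(os.path.join(d, name), "wb").close()
        return assess(r"\\fileserver\share\installer.exe", d)


if __name__ == "__main__":
    print(demo())
    print(safe_helper_path("taskkill.exe"))
```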


6) Stack-based buffer overflow (CVE-ID: CVE-2020-17413)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the handling of U3D objects embedded in PDF files. A remote unauthenticated attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


7) Use-after-free (CVE-ID: CVE-2020-17417)

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the handling of Annotation objects while processing AcroForm. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


8) Out-of-bounds write (CVE-ID: CVE-2020-17416)

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a boundary error when processing JPEG2000 images within PDF files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.


9) Incorrect default permissions (CVE-ID: CVE-2020-17415)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for the configuration files used by the Foxit PhantomPDF Update Service. A local user with access to the system can view the contents of files and directories or modify them.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code with SYSTEM privileges.


10) Incorrect default permissions (CVE-ID: CVE-2020-17414)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for the configuration files used by the Foxit Reader Update Service. A local user with access to the system can view the contents of files and directories or modify them.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code with SYSTEM privileges.
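An audit check for the permission weakness described in items 9 and 10, as an added example that is not code from the vendor or from this bulletin. It parses `icacls` output and reports allow-entries that let ordinary local users change files in an update service's configuration directory. The bulletin does not give the directory, so `<UPDATER_CONFIG_DIR>` is a placeholder and both sample outputs are constructed.

```python
import re

# Well-known Windows principals that include ordinary local users.
LOW_PRIV = ("BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE", "Everyone")
# icacls right codes that allow changing, replacing or re-permissioning a file.
WRITE = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO", "GW", "GA"}
# icacls inheritance markers, which are not access rights.
INHERIT = {"I", "OI", "CI", "IO", "NP"}

ACE = re.compile(r"(%s):((?:\([A-Za-z,]+\))+)"
                 % "|".join(map(re.escape, LOW_PRIV)))


def writable_aces(icacls_text):
    """Return (principal, rights) for allow-ACEs that let low-privileged users write."""
    hits = []
    for principal, groups in ACE.findall(icacls_text):
        tokens = re.findall(r"\(([^)]+)\)", groups)
        if "DENY" in tokens:  # a deny entry removes access, it does not grant it
            continue
        rights = {r for t in tokens if t not in INHERIT for r in t.split(",")}
        if rights & WRITE:
            hits.append((principal, ",".join(sorted(rights & WRITE))))
    return hits


# Constructed icacls output; <UPDATER_CONFIG_DIR> is a placeholder path.
SAMPLE_WEAK = r"""<UPDATER_CONFIG_DIR> BUILTIN\Users:(OI)(CI)(M)
                     NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                     BUILTIN\Administrators:(OI)(CI)(F)
"""
SAMPLE_FIXED = r"""<UPDATER_CONFIG_DIR> BUILTIN\Users:(OI)(CI)(RX)
                     NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                     BUILTIN\Administrators:(OI)(CI)(F)
"""

if __name__ == "__main__":
    print("weak :", writable_aces(SAMPLE_WEAK))
    print("fixed:", writable_aces(SAMPLE_FIXED))
```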


11) Out-of-bounds write (CVE-ID: CVE-2020-17412)

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a boundary error within the handling of U3D objects embedded in PDF files within U3DBrowser. A remote attacker can create a specially crafted PDF file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.


12) Out-of-bounds read (CVE-ID: CVE-2020-17411)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the handling of U3D objects embedded in PDF files in U3DBrowser. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.


13) Use-after-free (CVE-ID: CVE-2020-17410)

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the parsing of GIF files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


14) Use-after-free (CVE-ID: N/A)

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error while using the /V item. When /V exists in both the Additional Action and Field dictionaries but is interpreted differently in each, it is deleted after being interpreted as the action executed during validation. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


Remediation

Install the update from the vendor's website.