Foxit Reader is "a free PDF document viewer and printer, with incredible small size (only 2.1 M download size), breezing-fast launch speed and rich feature set. Foxit Reader supports Windows 98/Me/2000/XP/2003/Vista". Two security vulnerability in Foxit Reader allow a remote attacker armed with a malformed PDF file to cause the reader to crash and execute arbitrary code.
Malformed PDF XObject Value
The vulnerability occurs when a page with a malformed /XObject resource is rotated (it works if we add the /Rotate field to the page too).
Malformed PDF ExtGState Value
The vulnerability occurs when a malformed /ExtGState resource is parsed. In this case the ExtGState resource was supplanted with a /Font resource, but the type of the resource continued being ExtGState:
Under these conditions it seems Foxit allocates differents structures waiting to complete that memory with the content of the /ExtGState resource. Howerver when it finds fields associated with a /Font resource, it tries to parse them anyway, and it completes the memory for that structures with incorrect data. This situation occurs because some functions (mainly the one located at address 0x4d1ed0) are common functions to parse any type of field for any type of resource. So, when some fields of a /Font dictionary are found under a /ExtGState resource, the fields are read and interpreted, and the allocated structures are filled with incorrect data.
This facts cause different errors in the execution. For example, this code:
The instruction mov eax,[ecx+8]. Ecx+8 should contain a valid pointer, but the content of that memory is the value of the first name of the dictionary of the object 23 0 obj. We can control this value so we can control [ecx+8], for example.
Modifying this dictionary name with different values we find crashes and invalid access at different EIP. For example with names with length under 8, it uses the last bytes of the name as a pointer at EIP = 0x4A6EE7. With larger names it completes the structure in a different way and the behaviour is different.
The code involved in this vulnerability is complex, lot of FPU and mathematical operations, etc... It is difficult to find correct values to exploit the vulnerability, however i think it is possible to exploit it by choosing some appropiated values for the input dictionaries and using heap spraying to facilitate the shellcode execution (heap spraying could be possible using javascript embedded into the own pdf file. The supplied pdf file uses javascript with some /Annots events so we can do heap spraying before the crash occured).
