Security researchers have disclosed two critical zero-day vulnerabilities in the popular Foxit Reader that attackers could exploit to execute arbitrary code on a targeted computer, provided the application is not configured to open files in Safe Reading Mode.
In both attack scenarios the attacker sends a specially crafted PDF file to a Foxit user and tricks them into opening it; the malicious behaviour is driven by JavaScript embedded in the document.
The first zero-day flaw, tracked as CVE-2017-10951, is a command injection vulnerability discovered by Ariele Caltabiano and reported through Trend Micro’s Zero Day Initiative (ZDI).
“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reads the security advisory for the vulnerability.
“The specific flaw exists within app.launchURL method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process.”
The second zero-day is an arbitrary file write flaw in the saveAs JavaScript method; ZDI credits its discovery to a researcher it names as Steven. “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reads the security advisory published by ZDI.
Foxit has not yet patched either vulnerability, arguing that neither can be triggered while the “Safe Reading Mode” feature is enabled; the company points out that the feature is enabled by default in Foxit PDF Reader. Users who have turned it off, or who allow documents to run JavaScript, remain exposed until a fix ships.
Below is the video PoC for both vulnerabilities:
“Steven exploited this vulnerability by embedding an HTA file in the document, then calling saveAS to write it to the startup folder, thus executing arbitrary VBScript code on startup,” reads the ZDI advisory for the second flaw.
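Both advisories quoted above name a concrete JavaScript sink: app.launchURL for the command injection and saveAs for the file write. Until Foxit ships a patch, a practical defensive check is to triage incoming PDFs for documents that call either function before they reach a reader with Safe Reading Mode disabled. The script below is an added example written for this article, not Foxit or ZDI code: it scans a PDF for JavaScript actions, inflates any stream declared as /FlateDecode so a payload hidden in a compressed object is still inspected, and reports which of the two sinks appear. The sample PDFs it builds are constructed test inputs; the object layout and the JavaScript strings in them are assumptions for illustration, and the script is a heuristic (it does not parse hex strings, object streams, or chained filters), so a hit is a reason to open the file only in Safe Reading Mode or a sandbox, not proof of exploitation.

```python
"""Static triage of a PDF for the Foxit JavaScript sinks app.launchURL and saveAs.

Added example for this article (not Foxit or ZDI code). Heuristic only: plain
objects and single FlateDecode streams are inspected; hex strings, object
streams and chained filters are out of scope.
"""
import re
import zlib

# Sinks named in the quoted ZDI advisories, matched case-insensitively.
SINKS = {b"app.launchurl": "app.launchURL", b"saveas": "saveAs"}

# Start of a stream object: a (flat) dictionary followed by the 'stream' keyword.
STREAM_START = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")
# A direct /Length value; an indirect reference such as '/Length 5 0 R' is skipped.
LENGTH = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def _stream_bodies(pdf):
    """Yield each stream body, inflating those declared as /FlateDecode."""
    for m in STREAM_START.finditer(pdf):
        dict_part, start = m.group(1), m.end()
        length = LENGTH.search(dict_part)
        if length:
            body = pdf[start:start + int(length.group(1))]
        else:
            end = pdf.find(b"endstream", start)
            body = pdf[start:end if end >= 0 else len(pdf)]
        if b"/FlateDecode" in dict_part:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # damaged or differently filtered: skip rather than guess
        yield body


def has_javascript(pdf):
    """True if the file carries a JavaScript action at all."""
    return b"/JavaScript" in pdf or b"/JS" in pdf


def find_sinks(pdf):
    """Sorted names of the sinks found in the raw file or in any inflated stream."""
    texts = [pdf.lower()] + [body.lower() for body in _stream_bodies(pdf)]
    return sorted({name for text in texts for key, name in SINKS.items() if key in text})


def make_sample_pdf(js, compress):
    """Constructed test input: a minimal PDF whose OpenAction runs `js`."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    # Constructed samples: the first two hide a sink, the third is a harmless alert.
    samples = {
        "compressed launchURL": make_sample_pdf(b'app.launchURL("http://example.invalid/", true);', True),
        "plain saveAs": make_sample_pdf(b'this.saveAs("/C/Users/Public/out.pdf");', False),
        "harmless alert": make_sample_pdf(b'app.alert("hello");', True),
    }
    for label, pdf in samples.items():
        print(f"{label:22s} javascript={has_javascript(pdf)} sinks={find_sinks(pdf)}")
```

Run it against real mail attachments by reading the file as bytes and passing it to find_sinks; anything that returns a non-empty list should be quarantined or opened only with Safe Reading Mode on. Because benign forms also call these functions, treat the result as a triage signal to combine with sender reputation and sandbox detonation rather than as a block rule on its own.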
(Security Affairs – Foxit PDF Reader, zero-day)