snakeO2 Posted April 21, 2013 Report Posted April 21, 2013 # Exploit Title: Foxit Reader 5.4.3.* - 5.4.5.0124 - PDF (Portable Document Format) XREF (Cross Reference Table) parsing Denial of Service Vulnerability# Date (found): 2012.11.17# Date (publish): 2013.04.17# Exploit Author: FuzzMyApp# Vendor Homepage: PDF Converter PDF Editor Edit and Convert PDF, Word files to PDF, Free PDF convert, save PDF forms, create PDF forms, pdf documents, protect pdf# Version: 5.4.3.* - 5.4.5.0124 (till latest)# Tested on: Windows XP SP3 Professional EditionName:PDF Cross Reference Table parsing Denial of Service vulnerability.Type:DoSDescription:Foxit Reader does not validate data in PDF Cross Reference Table (XREF) header properly. Tampering with XREF header may lead to integer division by zero exception during its parsing by the application. Raised, not handled, exception causes Denial of Service of Foxit Reader. Vendor was notified on 2013.02.21 but has not responded to this submission. This issue is present in the latest version of application avaiable at the time of writing.Exception:Integer division by zero exception.Disasm:0055EB70 |> \33C0 |XOR EAX,EAX0055EB72 |> 8B28 |MOV EBP,DWORD PTR DS:[EAX]0055EB74 |. 896C24 64 |MOV DWORD PTR SS:[ESP+64],EBP0055EB78 |. 8D3C2E |LEA EDI,DWORD PTR DS:[ESI+EBP]0055EB7B |. 3BFE |CMP EDI,ESI0055EB7D |. 897C24 20 |MOV DWORD PTR SS:[ESP+20],EDI0055EB81 |. 0F82 7F020000 |JB Foxit_Re.0055EE060055EB87 |. 83C8 FF |OR EAX,FFFFFFFF0055EB8A |. 33D2 |XOR EDX,EDX0055EB8C |. F7F7 |DIV EDI ; [www.FuzzMyApp.com] Integer division by zero exception0055EB8E |. 394424 3C |CMP DWORD PTR SS:[ESP+3C],EAX0055EB92 |. 0F83 6E020000 |JNB Foxit_Re.0055EE06Advisory: Foxit Reader 5.4.3.* - 5.4.5.0124 - PDF (Portable Document Format) XREF (Cross Reference Table) parsing Denial of Service VulnerabilityExploit PoC: http://fuzzmyapp.com/advisories/FMA-2012-042/FMA-2012-042.pdf http://www.exploit-db.com/sploits/24962.pdfSursa: Foxit Reader 5.4.3.* - 5.4.5.0124 - PDF XREF Parsing Denial of Service Vulnerability Quote
