Two Foxit Reader RCE zero-day vulnerabilities disclosed

Trend Micro’s Zero Day Initiative has released details about two remote code execution zero-day flaws affecting popular freemium PDF tool Foxit Reader.

Foxit Reader RCE zero-day

The first one (CVE-2017-10951) is a command injection flaw that exists within the app.launchURL method, and arises because the method accepts more than just URLs as arguments. It does not filter file extensions, and therefore can be nade to launch executables. It was discovered by Ariele Caltabiano.

The second one (CVE-2017-10952) is a arbitrary file write flaw that exists within the saveAs JavaScript function. “SaveAs does not properly check the path it is given to write to,” ZDI security researcher Abdul-Aziz Hariri explained. It also does not check the file extension.

Steven Seeley, the researcher who flagged the flaw, “exploited this vulnerability by embedding an HTA file in the document, then calling saveAS to write it to the startup folder, thus executing arbitrary vbscript code on startup.”

Both vulnerabilities require user interaction to be exploited, e.g. the target must visit a malicious page or open a malicious file.

Also, both vulnerabilities can be exploited only if the application’s Safe Reading Mode is disabled.

Foxit Software were appraised of the discovery, but said they would not implement additional protection against exploitation.

“Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions,” they commented.

“Users of Foxit’s Reader and PhantomPDF should ensure they have Safe Reading Mode and hope attackers don’t discover a way to disable it,” Hariri noted. “Additionally, you can uncheck the ‘Enable JavaScript Actions’ from Foxit’s Preferences menu, although this may break some functionality.”

Another good way to minimize the risk is to open only PDF files provided by a source you can trust (whether it’s a sender or a website).

UPDATE: Foxit Software got in touch and pointed out that their track record is strong in responding quickly in fixing vulnerabilities.

“We are currently working to rapidly address the two vulnerabilities reported on the Zero Day Initiative blog and will quickly deliver software improvements. In the meantime, users can help protect themselves by using the Safe Reading Mode,” they explained.

“We apologize for our initial miscommunication when contacted about these vulnerabilities and are making changes to our procedures to mitigate the probability of it occurring again.”