kdajewel.blogg.se

Foxitreader













(+) found uninitialized chunk: 0x100bef90


(6b4.a60): Break instruction exception - code 80000003 (first chance)

A minimised PoC can be seen below that will trigger the vulnerability:

Bridgit - JavaScript Bridge for Foxit Reader

That, unfortunately, is how it rolls sometimes. It was discovered by myself and bit from meepwn, however bit beat me to it reporting it to the ZDI. This vulnerability was assigned CVE-2018-9948 and published as ZDI-18-332 by the ZDI.

Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability

Many vulnerabilities have been found inside of client-side PDF parsers, and the fact that they need to support JavaScript creates an additional attack surface and greatly facilitates exploitation. However, as Adobe is aware, PDF parsing is a complex task and quite often error prone.

Introduction

Foxit Reader and PhantomPDF Reader are marketed as…

TL;DR: I walk through exploiting two different bugs chained together to achieve reliable code execution on a Windows 7 & 10 x86 desktop against Foxit Reader 9. The second vulnerability is a use-after-free that I found, killed and leveraged for remote code execution. I leveraged this for an information leak to defeat ASLR. The first vulnerability is an uninitialized buffer that I found independently and was later killed by bit from meepwn.


After discovering over 100 vulnerabilities in Foxit Reader, I figured it was about time I shared a full exploit chain that defeats ASLR and DEP.













