A remote code execution vulnerability exists in the two PDF programs Foxit PDF Reader and PhantomPDF. However, the vendor has already released updates to close the critical vulnerability; I had pointed this out. Now some more details have become known.
I became aware of this issue a few hours ago via the following tweet from the Kaspersky people.
Use FoxIT or Phantom PDF reader? You might want to take note https://t.co/XcWkMfEOwa
— Kaspersky (@kaspersky) April 21, 2020
On April 13, 2020, I had already reported in the blog post Security update Foxit Reader 9.7.2 on a security update for Foxit Reader and Foxit PhantomPDF that closes an RCE vulnerability. The update was withdrawn and later re-released. Details about vulnerabilities in the various products can be found in the Foxit Security Bulletin. Here is a short overview of the vulnerabilities in Foxit Reader and PhantomPDF.
Vulnerabilities in Foxit Reader
Threatpost has revealed more details in this article. To exploit the RCE vulnerability in Foxit Reader, the attacker must trick the victim into actively opening a malicious PDF file. Several vulnerabilities can be exploited. Two of them (CVE-2020-10899, CVE-2020-10907) lie in the processing of XFA templates, which are templates embedded in PDF files that provide fillable fields. Both result from a missing check that an object exists before operations are performed on it. An attacker could exploit either flaw to execute code in the context of the current process.
Security researchers have also discovered another RCE bug (CVE-2020-10900). It results from the way AcroForms are processed. AcroForms are PDF files that contain form fields. The error exists because the AcroForm processing does not validate the existence of an object before performing operations on it.
The vulnerabilities are fixed in Foxit Reader version 9.7.2. This version also fixes CVE-2020-10906 in the resetForm method of Foxit Reader's PDF JavaScript support. Again, there is no check that the object exists before operations are performed on it, which exposes the process to an RCE attack.
PhantomPDF
PhantomPDF also has several serious bugs in versions 9.7.1.29511 and earlier. Users are strongly recommended to upgrade to PhantomPDF version 9.7.2. Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) states that the most serious of these are two bugs (CVE-2020-10890 and CVE-2020-10892) in the PhantomPDF API communication. PhantomPDF API calls are required to create PDFs from other document types.
These flaws result from the handling of the ConvertToPDF command and the CombineFiles command, which allow arbitrary file writes with attacker-controlled data. "CVE-2020-10890 and CVE-2020-10892 are characterized by their relative ease of exploitation," Childs told Threatpost. "They are very straightforward and do not require attack techniques such as massage or heap spraying to be successful."
Two other critical vulnerabilities (CVE-2020-10912, CVE-2020-10912) result from the handling of the SetFieldValue command in API calls. The lack of proper validation of user-supplied data for these commands results in a type confusion condition and ultimately in arbitrary code execution. All of the above serious flaws allow an attacker to execute code in the context of the current process, but they require user interaction: the victim must visit a malicious page or open a malicious file.
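Both defect classes described above, a missing existence check before an object is operated on (the XFA, AcroForm and resetForm bugs) and unvalidated input leading to type confusion (SetFieldValue), come down to the same discipline: resolve the object, confirm it exists, confirm its type matches the operation, and only then touch it. The following is an added illustration written for this post, not Foxit code and not derived from the vulnerable implementation. It models a toy AcroForm-style field table with a hypothetical `set_text_value`, `set_checkbox_value` and `reset_fields`, each of which performs those checks before modifying anything; the sample form and field names are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Foxit code: a toy AcroForm-style field table.
 * Every field carries a type tag so a value setter can refuse input whose
 * type does not match the object it is about to modify. */
typedef enum { FIELD_TEXT, FIELD_CHECKBOX } field_type;

typedef struct {
    const char *name;
    field_type type;
    char text[64];   /* meaningful only when type == FIELD_TEXT */
    int checked;     /* meaningful only when type == FIELD_CHECKBOX */
} form_field;

typedef struct {
    form_field *fields;
    size_t count;
} acroform;

typedef enum {
    SET_OK = 0,
    SET_NO_SUCH_FIELD = 1,  /* target object does not exist */
    SET_TYPE_MISMATCH = 2,  /* value type disagrees with the object's type */
    SET_TOO_LONG = 3        /* value would not fit the field's storage */
} set_result;

/* Resolve a field by name; NULL when the document has no such object. */
static form_field *lookup_field(acroform *form, const char *name) {
    for (size_t i = 0; i < form->count; i++) {
        if (strcmp(form->fields[i].name, name) == 0) return &form->fields[i];
    }
    return NULL;
}

/* SetFieldValue-style operation for text fields. Both checks the bulletin
 * describes as missing happen before the object is touched: the object
 * must exist, and its type must match the supplied value. */
set_result set_text_value(acroform *form, const char *name, const char *value) {
    form_field *f = lookup_field(form, name);
    if (f == NULL) return SET_NO_SUCH_FIELD;          /* dereferencing f here would be the bug */
    if (f->type != FIELD_TEXT) return SET_TYPE_MISMATCH; /* text into a checkbox object = type confusion */
    size_t len = strlen(value);
    if (len >= sizeof f->text) return SET_TOO_LONG;  /* bound the copy to the field's storage */
    memcpy(f->text, value, len + 1);
    return SET_OK;
}

/* Same pattern for checkbox fields. */
set_result set_checkbox_value(acroform *form, const char *name, int checked) {
    form_field *f = lookup_field(form, name);
    if (f == NULL) return SET_NO_SUCH_FIELD;
    if (f->type != FIELD_CHECKBOX) return SET_TYPE_MISMATCH;
    f->checked = checked ? 1 : 0;
    return SET_OK;
}

/* resetForm-style operation: names that do not resolve to a field are
 * skipped rather than dereferenced. Returns the number of fields reset. */
size_t reset_fields(acroform *form, const char *const *names, size_t n) {
    size_t reset = 0;
    for (size_t i = 0; i < n; i++) {
        form_field *f = lookup_field(form, names[i]);
        if (f == NULL) continue;
        if (f->type == FIELD_TEXT) f->text[0] = '\0';
        else f->checked = 0;
        reset++;
    }
    return reset;
}

/* Constructed sample document with two fields (hypothetical names). */
static form_field sample_fields[] = {
    { "name",  FIELD_TEXT,     "", 0 },
    { "agree", FIELD_CHECKBOX, "", 0 },
};

acroform *sample_form(void) {
    static acroform form = { sample_fields, 2 };
    return &form;
}

int main(void) {
    acroform *form = sample_form();
    printf("set name   -> %d\n", set_text_value(form, "name", "Alice"));
    printf("set nosuch -> %d\n", set_text_value(form, "nosuch", "x"));
    printf("set agree  -> %d\n", set_text_value(form, "agree", "yes"));
    const char *names[] = { "name", "nosuch", "agree" };
    printf("reset      -> %zu fields\n", reset_fields(form, names, 3));
    return 0;
}
```

The point of the result enum is that a missing object or a mismatched type becomes an ordinary error code returned to the caller, rather than a NULL dereference or a write through a pointer of the wrong type inside the reader's process; a code reviewer or fuzzer harness can then assert on these codes for every command that takes a field name from the document or from an API client.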