Foxit Reader: Bypassing the Safe Mode sandbox to execute arbitrary code, exfiltrate data (ZDI-16-395)
For opening PDF documents, Foxit Reader is a popular alternative to Adobe Reader. The MSI variant, notable for easy deployment in the enterprise, is typically found on corporate workstations. On consumer systems, it is often bundled with branded retail PCs.
While my machine is not branded, I do prefer using Foxit Reader over Adobe’s. Hence, it was time to subject it to some bug hunting. This turned up an interesting flaw.
It turns out a properly modified PDF can trigger Foxit Reader, without user interaction, to run embedded Flash content outside the Safe Mode sandbox. Additionally, with some minor adjustments, it can force the underlying Flash Player to run the Flash code itself in the local-trusted sandbox. From there, further exploitation requires little effort: this sandbox allows unrestricted access to remote servers and the victim’s file system, as well as the ability to load arbitrary Flash code from either location.
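For defenders who want to know which PDFs in a mail quarantine or file share carry Flash at all, here is a triage sketch. It is an added example, not code from this advisory or from Foxit. The marker names come from the PDF specification and Adobe's RichMedia extension and are an assumption, since the advisory does not say which PDF feature was used; the sample bytes are constructed.

```python
import re
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib, ZWS = LZMA.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# PDF name tokens from the PDF spec and Adobe's RichMedia extension (assumed
# relevant; the advisory does not say which feature the PDF used).
MARKERS = (b"/RichMedia", b"/Flash", b"/EmbeddedFile", b"/OpenAction")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def looks_like_swf(body: bytes) -> bool:
    """3-byte signature, then a version byte and a 4-byte length field."""
    return len(body) >= 8 and body[:3] in SWF_MAGIC and 0 < body[3] < 64


def triage_pdf(data: bytes) -> dict:
    """Report Flash-related markers and SWF payloads found in raw PDF bytes."""
    # PDF names may hide characters as #xx escapes (/Rich#4dedia), so undo
    # those on a copy before searching for name tokens.
    names = NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    markers = sorted(m.decode() for m in MARKERS if m in names)
    swf_streams = 0
    for match in STREAM_RE.finditer(data):
        body = match.group(1)
        try:
            body = zlib.decompress(body)  # FlateDecode is the common filter
        except zlib.error:
            pass  # stored raw or with another filter; inspect as-is
        swf_streams += looks_like_swf(body)
    flag = swf_streams > 0 or "/RichMedia" in markers or "/Flash" in markers
    return {"markers": markers, "swf_streams": swf_streams, "flag": flag}


# Constructed samples: a SWF header only (not a playable movie) and a plain page.
_SWF_HEADER = b"CWS" + bytes([10]) + (64).to_bytes(4, "little") + b"\x00" * 8
SAMPLE_FLASH_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /Rich#4dedia >>\nendobj\n"
    b"2 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_SWF_HEADER) + b"\nendstream\nendobj\n%%EOF\n"
)
SAMPLE_PLAIN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Page >>\nstream\n"
    b"BT (hello) Tj ET\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in (("flash", SAMPLE_FLASH_PDF), ("plain", SAMPLE_PLAIN_PDF)):
        print(name, triage_pdf(pdf))
```

This only inspects top-level streams; PDFs that pack objects into compressed object streams or use other filters need a full PDF parser before the same checks apply.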
In June 2016, Foxit fixed the vulnerability in Reader 8.0 and its commercially-licensed counterpart PhantomPDF.
- Foxit Reader 18.104.22.1681 and earlier
- Foxit PhantomPDF 22.214.171.1241 and earlier
Windows XP, Vista, 7, 8.x and 10
- 01-03-2016: Vulnerability reported to Trend Micro Zero Day Initiative.
- 10-03-2016: ZDI acknowledges the vulnerability and assigns it ZDI-16-395.
- 26-04-2016: ZDI forwards the vulnerability report to Foxit.
- 29-06-2016: Foxit fixes the vulnerability in Reader 126.96.36.1994, PhantomPDF 188.8.131.524.
- 02-01-2017: Vulnerability brief published.
- Foxit Security Bulletins
- SecurityTracker: Foxit Reader Multiple Flaws Let Remote Users Obtain Potentially Sensitive Files and Information, Deny Service, and Execute Arbitrary Code
- SecurityWeek: Foxit Patches RCE Flaws in Reader, PhantomPDF