
Foxit Reader: Bypassing the Safe Mode sandbox to execute arbitrary code, exfiltrate data (ZDI-16-395)

For opening PDF documents, Foxit Reader is a popular alternative to Adobe Reader. The MSI variant, notable for easy deployment in the enterprise, is typically found on corporate workstations. On consumer systems, it is often bundled with branded retail PCs.

While my machine is not branded, I do prefer using Foxit Reader over Adobe’s. Hence, it was time to subject it to some bug hunting. This turned up an interesting flaw.

PDF documents can embed JavaScript and Flash. To prevent the document from executing embedded code without user consent, Foxit Reader opens it in the context of a sandbox dubbed Safe Mode.

It turns out a properly modified PDF can trigger Foxit Reader, without user interaction, to run embedded Flash content outside the Safe Mode sandbox. Additionally, with some minor adjustments, it can force the underlying Flash Player to run the Flash code itself in the local-trusted sandbox.

From the local-trusted sandbox, further exploitation requires little effort: this sandbox allows unrestricted access to remote servers and the victim’s file system, as well as the ability to load arbitrary Flash code from either location.
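Because the flaw hinges on embedded JavaScript and Flash reaching the viewer in the first place, a defender's first question is which PDFs carry such active content at all. The Python triage script below is an added example, not code from this post or from Foxit: it counts the standard PDF name objects that signal active content (/JavaScript, /JS, /RichMedia, /Flash, /OpenAction, /AA, /Launch), also looking inside FlateDecode-compressed streams and resolving #xx hex escapes in names, and it runs against a constructed sample file. It is a first-pass heuristic for inventory or mail-gateway triage, not a PDF parser; streams using other filters, or encrypted documents, are not inspected.

```python
"""Triage a PDF for active-content markers (JavaScript, Flash/RichMedia, auto-actions).

Added example, not Foxit's code or the post author's. The marker names are standard
PDF dictionary keys; the check is a quick first-pass filter, not a full PDF parser.
"""
import re
import sys
import zlib

# Name objects whose presence means the document can run or trigger code (PDF spec names).
ACTIVE_CONTENT_MARKERS = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code string or stream",
    b"/RichMedia": "RichMedia annotation (container for Flash and other media)",
    b"/Flash": "Flash RichMedia instance",
    b"/OpenAction": "action triggered when the document is opened",
    b"/AA": "additional actions (page/field event triggers)",
    b"/Launch": "launch action (external program)",
}


def _inflate_streams(data):
    """Yield the decompressed body of every FlateDecode stream so that markers
    hidden inside compressed object streams are inspected as well."""
    for m in re.finditer(rb"\bstream\r?\n(.*?)endstream", data, re.S):
        d = zlib.decompressobj()
        try:
            # decompressobj tolerates the trailing EOL left before 'endstream'
            yield d.decompress(m.group(1))
        except zlib.error:
            continue  # not a zlib stream (other filter, or uncompressed data)


def _unescape_names(view):
    """Resolve #xx hex escapes in PDF names (e.g. /J#53 -> /JS) so that
    escaped spellings of a marker are not missed."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), view)


def scan_pdf_bytes(data):
    """Return {marker: count} over the raw file plus all inflated streams."""
    views = [_unescape_names(v) for v in [data, *_inflate_streams(data)]]
    hits = {}
    for marker in ACTIVE_CONTENT_MARKERS:
        # A name ends at the next delimiter; the lookahead keeps /JS from matching
        # longer names and /RichMedia from matching /RichMediaContent.
        pattern = re.escape(marker) + rb"(?![A-Za-z0-9])"
        count = sum(len(re.findall(pattern, v)) for v in views)
        if count:
            hits[marker.decode()] = count
    return hits


def triage(data):
    """'active-content' if any marker is present, else 'static'."""
    hits = scan_pdf_bytes(data)
    return ("active-content" if hits else "static"), hits


def build_sample_pdf():
    """Constructed sample (not a real-world document): an /OpenAction pointing at a
    JavaScript action in the clear, plus a /RichMedia annotation hidden inside a
    FlateDecode stream. The object structure is simplified and not a fully valid PDF."""
    hidden = zlib.compress(
        b"<< /Type /Annot /Subtype /RichMedia "
        b"/RichMediaContent << /Subtype /Flash >> >>")
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS (constructed sample, no real script) >> endobj\n"
        b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(hidden)).encode() + b" >>\nstream\n" + hidden + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample if none.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    verdict, found = triage(blob)
    print(verdict)
    for name, n in sorted(found.items()):
        print(f"  {name:<12} x{n}  {ACTIVE_CONTENT_MARKERS[name.encode()]}")
```

Run it without arguments to see the constructed sample flagged as active-content with five markers, two of which (/RichMedia, /Flash) are only visible after inflating the stream. A hit is a reason to inspect or quarantine, not proof of malice: forms and presentations legitimately use JavaScript and RichMedia.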

In June 2016, Foxit fixed the vulnerability in Reader 8.0 and its commercially licensed counterpart PhantomPDF.

Overview

Affected products:
  Foxit Reader 7.3.4.311 and earlier
  Foxit PhantomPDF 7.3.4.311 and earlier

Affected platforms:
  Windows XP, Vista, 7, 8.x and 10

Timeline:
  01-03-2016: Vulnerability reported to Trend Micro Zero Day Initiative.
  10-03-2016: ZDI acknowledges the vulnerability and assigns it ZDI-16-395.
  26-04-2016: ZDI forwards the vulnerability report to Foxit.
  29-06-2016: Foxit fixes the vulnerability in Reader 8.0.0.624 and PhantomPDF 8.0.0.624.
  02-01-2017: Vulnerability brief published.
Tags: vulnerability research, foxit reader, phantompdf