Foxit Reader 5.4.3.* - 5.4.5.0124 - PDF XREF Parsing Denial of Service Vulnerability



EKU-ID: 3172 CVE: OSVDB-ID:
Author: FuzzMyApp Published: 2013-04-22 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: Foxit Reader 5.4.3.* - 5.4.5.0124 - PDF (Portable Document Format) XREF (Cross Reference Table) parsing Denial of Service Vulnerability
# Date (found): 2012.11.17
# Date (publish): 2013.04.17
# Exploit Author: FuzzMyApp
# Vendor Homepage: http://www.foxitsoftware.com
# Version: 5.4.3.* - 5.4.5.0124 (till latest)
# Tested on: Windows XP SP3 Professional Edition

Name:PDF Cross Reference Table parsing Denial of Service vulnerability.
Type:DoS
Description:Foxit Reader does not validate data in PDF Cross Reference Table (XREF) header properly. Tampering with XREF header may lead to integer division by zero exception during its parsing by the application. Raised, not handled, exception causes Denial of Service of Foxit Reader. Vendor was notified on 2013.02.21 but has not responded to this submission. This issue is present in the latest version of application avaiable at the time of writing.
Exception:Integer division by zero exception.
Disasm:0055EB70  |> \33C0          |XOR EAX,EAX
0055EB72  |>  8B28          |MOV EBP,DWORD PTR DS:[EAX]
0055EB74  |.  896C24 64     |MOV DWORD PTR SS:[ESP+64],EBP
0055EB78  |.  8D3C2E        |LEA EDI,DWORD PTR DS:[ESI+EBP]
0055EB7B  |.  3BFE          |CMP EDI,ESI
0055EB7D  |.  897C24 20     |MOV DWORD PTR SS:[ESP+20],EDI
0055EB81  |.  0F82 7F020000 |JB Foxit_Re.0055EE06
0055EB87  |.  83C8 FF       |OR EAX,FFFFFFFF
0055EB8A  |.  33D2          |XOR EDX,EDX
0055EB8C  |.  F7F7          |DIV EDI                                 ;  [www.FuzzMyApp.com] Integer division by zero exception
0055EB8E  |.  394424 3C     |CMP DWORD PTR SS:[ESP+3C],EAX
0055EB92  |.  0F83 6E020000 |JNB Foxit_Re.0055EE06

Advisory: http://www.fuzzmyapp.com/advisories/FMA-2012-042/FMA-2012-042-EN.xml

Exploit PoC: http://fuzzmyapp.com/advisories/FMA-2012-042/FMA-2012-042.pdf
             http://www.exploit-db.com/sploits/24962.pdf