On Sat, Sep 29, 2012 at 4:01 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
> Title : Foxit Reader suffers from Division By Zero
> Version : 5.4.3.0920
> Date : 2012-09-28
> Vendor : http://www.foxitsoftware.com/
> Impact : Med/High
> Contact : coolkaveh [at] rocketmail.com
> Twitter : @coolkaveh
> tested : XP SP3
> #####################################################################
> Bug :
> ----
> Division by zero vulnerability during the handling of PDF files
> that will trigger a denial of service condition.
>
> #####################################################################
> (b34.f24): Integer divide-by-zero - code c0000094 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
> eip=00558c8c esp=0012f928 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
> cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
> *** ERROR: Module load completed but symbols could not be loaded for FoxitReader_Lib_Full.exe
> FoxitReader_Lib_Full+0x158c8c:
> 00558c8c f7f7            div     eax,edi
> 0:000> r;!exploitable -v;q
> eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
> eip=00558c8c esp=0012f928 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
> cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
> FoxitReader_Lib_Full+0x158c8c:
> 00558c8c f7f7            div     eax,edi
> HostMachine\HostUser
> Executing Processor Architecture is x86
> Debuggee is in User Mode
> Debuggee is a live user mode debugging session on the local machine
> Event Type: Exception
> *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
> Exception Faulting Address: 0x558c8c
> First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)
>
> Faulting Instruction:00558c8c div eax,edi
>
> Basic Block:
>     00558c8c div eax,edi
>        Tainted Input Operands: ax, dx, eax, edi
>     00558c8e cmp dword ptr [esp+3ch],eax
>        Tainted Input Operands: eax
>     00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
>        Tainted Input Operands: CarryFlag
>
> Exception Hash (Major/Minor): 0x6461647c.0x64616453
>
> Stack Trace:
> FoxitReader_Lib_Full+0x158c8c
> Instruction Address: 0x0000000000558c8c
>
> Description: Integer Divide By Zero
> Short Description: DivideByZero
> Recommended Bug Title: Integer Divide By Zero starting at FoxitReader_Lib_Full+0x0000000000158c8c (Hash=0x6461647c.0x64616453)
> #####################################################################
>
> Proof of concept .pdf included.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
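A crash-triage helper that parses the `!exploitable -v` report format quoted in the advisory above, added here as an example; it is not part of the original post and not Foxit Reader or WinDbg code. The sample report is constructed from the quoted lines, and the bucket mapping is an assumed local convention, not something `!exploitable` emits.

```python
import re

# Constructed sample: the !exploitable -v output quoted in the advisory above,
# cut down to the lines a triage script needs.
SAMPLE_REPORT = """\
Exception Faulting Address: 0x558c8c
First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)
Basic Block:
00558c8c div eax,edi
Tainted Input Operands: ax, dx, eax, edi
00558c8e cmp dword ptr [esp+3ch],eax
Tainted Input Operands: eax
Exception Hash (Major/Minor): 0x6461647c.0x64616453
Short Description: DivideByZero
"""
# Assumed triage buckets keyed by !exploitable's "Short Description". A divide
# by zero crashes without writing memory, so it files as denial of service.
BUCKET = {
    "DivideByZero": "denial-of-service",
    "StackOverflow": "denial-of-service",
    "ReadAV": "needs-review",
    "WriteAV": "memory-corruption",
}
# "Key: value" lines; disassembly lines and empty headers like "Basic Block:" do not match.
FIELD_RE = re.compile(r"^([A-Za-z ()/]+?):\s*(.+)$")

def parse_exploitable(report):
    """Return the 'Key: value' fields plus the union of tainted operands."""
    fields, tainted = {}, set()
    for line in report.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Tainted Input Operands":
            tainted.update(op.strip() for op in value.split(","))
        else:
            fields[key] = value
    fields["tainted_operands"] = sorted(tainted)
    return fields

def triage(report):
    """Reduce a report to the fields a crash-dedup ticket carries."""
    f = parse_exploitable(report)
    return {
        "bucket": BUCKET.get(f.get("Short Description"), "unclassified"),
        "exception": f["First Chance Exception Type"].split()[0],
        "faulting_address": int(f["Exception Faulting Address"], 16),
        "hash": tuple(f["Exception Hash (Major/Minor)"].split(".")),
        "tainted_operands": f["tainted_operands"],
    }
```

The major/minor hash pair is what lets repeated fuzzer crashes at the same site be deduplicated before anyone looks at the PoC.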