On Sat, Sep 29, 2012 at 4:01 AM, kaveh ghaemmaghami
kavehghaemmagh...@googlemail.com wrote:
Title: Foxit Reader suffers from Division By Zero
Version : 5.4.3.0920
Date : 2012-09-28
Vendor : http://www.foxitsoftware.com/
Impact : Med/High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
tested : XP SP3
#
Bug :
Division by zero vulnerability during the handling of PDF files,
which will trigger a denial of service condition.
#
(b34.f24): Integer divide-by-zero - code c094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax= ebx= ecx= edx= esi= edi=
eip=00558c8c esp=0012f928 ebp= iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010246
*** ERROR: Module load completed but symbols could not be loaded for FoxitReader_Lib_Full.exe
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7            div     eax,edi
0:000> r;!exploitable -v;q
eax= ebx= ecx= edx= esi= edi=
eip=00558c8c esp=0012f928 ebp= iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010246
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7            div     eax,edi
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
Exception Faulting Address: 0x558c8c
First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC094)
Faulting Instruction:00558c8c div eax,edi
Basic Block:
    00558c8c div eax,edi
       Tainted Input Operands: ax, dx, eax, edi
    00558c8e cmp dword ptr [esp+3ch],eax
       Tainted Input Operands: eax
    00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
       Tainted Input Operands: CarryFlag
Exception Hash (Major/Minor): 0x6461647c.0x64616453
Stack Trace:
    FoxitReader_Lib_Full+0x158c8c
Instruction Address: 0x00558c8c
Description: Integer Divide By Zero
Short Description: DivideByZero
Recommended Bug Title: Integer Divide By Zero starting at FoxitReader_Lib_Full+0x00158c8c (Hash=0x6461647c.0x64616453)
#
Proof of concept .pdf included.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
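An added example for readers of the dump above, not code from the advisory or from Foxit: the !exploitable output marks both the dividend (EDX:EAX) and the divisor (EDI) of `div eax,edi` as tainted by input, and the unsigned `div r/m32` instruction raises #DE (reported by Windows as STATUS_INTEGER_DIVIDE_BY_ZERO) in two cases, a zero divisor and a quotient that does not fit in EAX. The block models both conditions and shows the defensive pattern for a file-derived divisor. The length/count record layout and the function names are hypothetical, constructed for illustration, and do not describe any real PDF structure or the faulting Foxit code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86 `div r/m32` divides the 64-bit value EDX:EAX by the 32-bit operand
   (EDI in the crash dump) and raises #DE in two cases: a zero divisor, or a
   quotient too large for EAX. Both are reported by Windows as
   STATUS_INTEGER_DIVIDE_BY_ZERO. This models both fault conditions. */
bool div_would_fault(uint32_t edx, uint32_t eax, uint32_t edi)
{
    if (edi == 0)
        return true;                                   /* divide by zero */
    uint64_t dividend = ((uint64_t)edx << 32) | eax;
    return (dividend / edi) > UINT32_MAX;              /* quotient overflow */
}

/* Checked division: fills quotient/remainder and returns true when the CPU
   would complete the division, returns false when it would fault. */
bool checked_div32(uint32_t edx, uint32_t eax, uint32_t edi,
                   uint32_t *quotient, uint32_t *remainder)
{
    if (div_would_fault(edx, eax, edi))
        return false;
    uint64_t dividend = ((uint64_t)edx << 32) | eax;
    *quotient  = (uint32_t)(dividend / edi);
    *remainder = (uint32_t)(dividend % edi);
    return true;
}

/* Defensive use of a file-derived divisor. The two fields stand in for a
   total-length / item-count pair read from an untrusted document; the
   pairing is a hypothetical illustration, not any real PDF structure.
   Returns the per-item size, or -1 when the pair is malformed (zero count
   or a count that does not divide the total evenly). */
int64_t item_size_from_fields(uint32_t total_len, uint32_t item_count)
{
    uint32_t q, r;
    if (!checked_div32(0, total_len, item_count, &q, &r) || r != 0)
        return -1;
    return q;
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same check applied to an 8-byte little-endian record (constructed layout:
   total_len, then item_count). */
int64_t item_size_from_record(const uint8_t rec[8])
{
    return item_size_from_fields(rd_le32(rec), rd_le32(rec + 4));
}

int main(void)
{
    /* Constructed sample records, not taken from the PoC file. */
    const uint8_t good[8] = { 0x40, 0, 0, 0, 0x08, 0, 0, 0 };  /* 64 bytes / 8 items */
    const uint8_t zero[8] = { 0x40, 0, 0, 0, 0x00, 0, 0, 0 };  /* item_count == 0 */

    printf("good record: item size %lld\n", (long long)item_size_from_record(good));
    printf("zero record: item size %lld (rejected)\n", (long long)item_size_from_record(zero));
    printf("div with edi=0 faults: %d\n", div_would_fault(0, 0x40, 0));
    printf("div 0x100000000 / 1 faults: %d\n", div_would_fault(1, 0, 1));
    return 0;
}
```

The second fault case is the one parsers commonly miss: a non-zero divisor still traps when the 64-bit dividend divided by it exceeds 32 bits, so a check for zero alone does not make a `div` on tainted operands safe.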