Re: [Full-disclosure] Foxit Reader suffers from Division By Zero

2012-09-29 Thread Mario Vilas

On Sat, Sep 29, 2012 at 4:01 AM, kaveh ghaemmaghami 
kavehghaemmagh...@googlemail.com wrote:

 Title:  Foxit Reader suffers from Division By Zero
 Version  :  5.4.3.0920
 Date :  2012-09-28
 Vendor   :  http://www.foxitsoftware.com/
 Impact   :  Med/High
 Contact  :  coolkaveh [at] rocketmail.com
 Twitter  :  @coolkaveh
 tested   :  XP SP3
 #
 Bug :
 
 Division by zero vulnerability during the handling of PDF files
 that will trigger a denial of service condition.

 #
 (b34.f24): Integer divide-by-zero - code c094 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 eax=
 ebx=
 ecx=
 edx=
 esi=
 edi=
 eip=00558c8c
 esp=0012f928
 ebp=
 iopl=0 nv up ei pl zr na pe nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=
 efl=00010246
 *** ERROR: Module load completed but symbols could not be loaded for
 FoxitReader_Lib_Full.exe
 FoxitReader_Lib_Full+0x158c8c:
 00558c8c f7f7            div     eax,edi
 0:000 r;!exploitable -v;q
 eax=
 ebx=
 ecx=
 edx=
 esi=
 edi=
 eip=00558c8c
 esp=0012f928
 ebp= iopl=0 nv up ei pl zr na pe nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=
 efl=00010246
 FoxitReader_Lib_Full+0x158c8c:
 00558c8c f7f7            div     eax,edi
 HostMachine\HostUser
 Executing Processor Architecture is x86
 Debuggee is in User Mode
 Debuggee is a live user mode debugging session on the local machine
 Event Type: Exception
 *** ERROR: Symbol file could not be found.  Defaulted to export
 symbols for ntdll.dll -
 Exception Faulting Address: 0x558c8c
 First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC094)

 Faulting Instruction:00558c8c div eax,edi

 Basic Block:
   00558c8c div eax,edi
     Tainted Input Operands: ax, dx, eax, edi
   00558c8e cmp dword ptr [esp+3ch],eax
     Tainted Input Operands: eax
   00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
     Tainted Input Operands: CarryFlag

 Exception Hash (Major/Minor): 0x6461647c.0x64616453

 Stack Trace:
 FoxitReader_Lib_Full+0x158c8c
 Instruction Address: 0x00558c8c

 Description: Integer Divide By Zero
 Short Description: DivideByZero
 Recommended Bug Title: Integer Divide By Zero starting at
 FoxitReader_Lib_Full+0x00158c8c (Hash=0x6461647c.0x64616453)
 #

 Proof of concept .pdf included.

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
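The crashing basic block in the advisory (an untrusted divisor in EDI, the quotient in EAX then bounds-checked by `cmp`/`jae`) as an added C illustration; this is not code from the advisory or from Foxit. It assumes a hypothetical length-prefixed object with a 4-byte "stride" field, constructed inline, and shows the unchecked division beside a hardened form that rejects a zero divisor before the `div` ever executes.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample objects (not from the PoC PDF): a 4-byte little-endian
 * "stride" field read straight from the file, followed by payload bytes.
 * Field name and layout are hypothetical, not Foxit's real object format. */
static const uint8_t SAMPLE_OK[]   = {4,0,0,0, 1,2,3,4,5,6,7,8}; /* stride 4, 8 bytes */
static const uint8_t SAMPLE_ZERO[] = {0,0,0,0, 1,2,3,4};          /* stride 0 */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape, mirroring the crashing basic block: the untrusted field
 * becomes the divisor (EDI), and the quotient (EAX) is then compared against
 * a row index (the `cmp [esp+3ch],eax` / `jae` pair). A stride of 0 reaches
 * the division and the CPU raises #DE: STATUS_INTEGER_DIVIDE_BY_ZERO.
 * Returns 1 if `row` is inside the object, 0 if not, -1 if too short. */
int row_in_bounds_unchecked(const uint8_t *obj, size_t len, uint32_t row) {
    if (len < 4) return -1;
    uint32_t stride = read_le32(obj);
    uint32_t rows   = (uint32_t)(len - 4) / stride;  /* crashes when stride==0 */
    return row < rows;
}

/* Hardened shape: validate the divisor before dividing, so a malformed file
 * produces a parse error (-1) instead of an unhandled exception. The upper
 * bound also rejects strides that cannot describe even one row. */
int row_in_bounds_checked(const uint8_t *obj, size_t len, uint32_t row) {
    if (len < 4) return -1;
    uint32_t stride  = read_le32(obj);
    uint32_t payload = (uint32_t)(len - 4);
    if (stride == 0 || stride > payload) return -1;   /* reject before div */
    uint32_t rows = payload / stride;
    return row < rows;
}
```

The checked variant is the behaviour a reader should exhibit on the PoC file: a "not a PDF or corrupted" style error rather than a process-killing exception.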

Re: [Full-disclosure] Foxit Reader suffers from Division By Zero

2012-09-29 Thread Nick Boyce
On Sat, Sep 29, 2012 at 8:01 AM, kaveh ghaemmaghami
kavehghaemmagh...@googlemail.com wrote:

 Title:  Foxit Reader suffers from Division By Zero
 Version  :  5.4.3.0920
[...]
 division by zero vulnerability during the handling of the pdf files.
 that will trigger a denial of service condition
[...]
 Proof of concept .pdf included.

Confirmed with V5 Foxit Reader 5.4.3.0920 on WinXP Pro SP3 (though
with a slightly different offset - 0015eb8c ... ASLR ?).

Interestingly, NOT confirmed for Foxit Reader 4.3.1.0323 (the last
version of the V4 Foxit Reader, which is the last version many people
are comfortable with); with this version I get a dialog box stating
"format error: not a PDF or corrupted", and no crash.  This is also on
XP Pro SP3.  Another reason to be disappointed with Foxit Reader V5 :)

Cheers
Nick Boyce
-- 
You are in a maze of twisty little relative jumps, all alike.
