Foxit PDF Reader GoToR Action Stack Buffer Overflow


Foxit Reader is a PDF reader that can create, edit, sign and print PDF files. A stack buffer overflow vulnerability exists in Foxit Reader. The vulnerability occurs due to improper handling of an overly large action link. A remote attacker can exploit this vulnerability by enticing the victim to open a specially crafted PDF document and click on the action link. Successful exploitation can lead to code execution with the privileges of the victim user. Unsuccessful exploitation would lead to a hang or termination of the Foxit Reader application.

Specifically, actions are used for navigation. There are two types of actions: implicit and explicit. An explicit action occurs when the user interacts with any kind of object. Foxit implements these actions with 4 different types: GoTo, GoToR, Launch and URI. The vulnerability exists in the GoToR action. The GoToR action navigates to an external PDF file that might be stored on the local disk. The vulnerability is triggered when the user clicks on a GoToR action link, which causes a large file name to be created. This name is copied into a UTF-16 encoded string, which is then stored in a 522-byte buffer. The copy process does not validate the size of the source string. When a large string is supplied to the GoToR action, the copy writes past the end of the buffer, causing a stack buffer overflow.
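The missing size validation described above, shown as an added C example; it is not Foxit's code. The function names, the byte-to-UTF-16 widening and the sample file names are assumptions made for illustration; only the 522-byte buffer size comes from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_BYTES 522                                  /* size stated in the advisory */
#define NAME_BUF_UNITS (NAME_BUF_BYTES / sizeof(uint16_t))  /* 261 UTF-16 code units */

/* Unchecked pattern (hypothetical): the loop is bounded only by the source
   string, so a long name writes past dst. Shown for contrast, never called. */
void widen_unchecked(uint16_t *dst, const char *src)
{
    while (*src)
        *dst++ = (unsigned char)*src++;
    *dst = 0;
}

/* Hardened form: compare the source length with the destination capacity
   (in code units, including the terminator) before writing anything. */
int widen_checked(uint16_t *dst, size_t dst_units, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_units == 0)
        return -1;
    while (n < dst_units && src[n] != '\0')  /* never scans further than needed */
        n++;
    if (n == dst_units) {                    /* name plus terminator does not fit */
        dst[0] = 0;
        return -1;
    }
    for (size_t i = 0; i < n; i++)
        dst[i] = (unsigned char)src[i];      /* simplified widening (assumption) */
    dst[n] = 0;
    return (int)n;
}

/* Models the handler's stack frame with a constructed name of name_len 'A'
   bytes; returns the number of units copied, or -1 if the name is rejected. */
int handle_gotor_name(size_t name_len)
{
    char name[1024];
    uint16_t wide[NAME_BUF_UNITS];           /* the 522-byte stack buffer */
    if (name_len >= sizeof name)
        return -1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return widen_checked(wide, NAME_BUF_UNITS, name);
}

int main(void)
{
    printf("260 -> %d, 261 -> %d\n", handle_gotor_name(260), handle_gotor_name(261));
    return 0;
}
```

The boundary sits at 260 characters: a 522-byte buffer holds 261 UTF-16 code units, one of which is the terminator.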

The Dell SonicWall team has written the following signature to protect our customers from attacks against this vulnerability:

  • 11764: Foxit Reader Stack Buffer Overflow
