CVE-2018-20249
Information
In Foxit Quick PDF Library (all versions prior to 16.12), issue where loading a malformed or malicious PDF containing invalid xref entries using the DAOpenFile or DAOpenFileReadOnly functions may result in an access violation caused by out of bounds memory access.
Crash Dump:
Registers
eax = 0xA9924E0 xmm0 = 0x0
ebx = 0x1 xmm1 = 0x0
ecx = 0xA999B40 xmm2 = 0x0
edx = 0x1 xmm3 = 0x0
esi = 0xA9924E0 xmm4 = 0x0
edi = 0xA974520 xmm5 = 0x0
esp = 0x893000 xmm6 = 0x3D004D004D0070006D0078003A0073
ebp = 0x893024 xmm7 = 0x2F002F003A00700074007400680022
Disassembly of stack frame 3 at DebenuPDFLibraryDLL1611.dll + 0x28E74B
0a31e66e e87d4fe0ff call DebenuPDFLibraryDLL1611+0x935f0 (0a1235f0)
0a31e673 8bf8 mov edi,eax
0a31e675 8bc7 mov eax,edi
0a31e677 8b1588be110a mov edx,dword ptr [DebenuPDFLibraryDLL1611+0x8be88 (0a11be88)]
0a31e67d e82e72d7ff call DebenuPDFLibraryDLL1611+0x58b0 (0a0958b0)
0a31e682 84c0 test al,al
0a31e684 0f8407010000 je DebenuPDFLibraryDLL1611+0x28e791 (0a31e791)
0a31e68a 8d55fc lea edx,[ebp-4]
0a31e68d 8bc7 mov eax,edi
0a31e68f e80c02e0ff call DebenuPDFLibraryDLL1611+0x8e8a0 (0a11e8a0)
0a31e694 837dfc00 cmp dword ptr [ebp-4],0
0a31e698 751f jne DebenuPDFLibraryDLL1611+0x28e6b9 (0a31e6b9)
0a31e69a 33c9 xor ecx,ecx
0a31e69c ba5ce9310a mov edx,offset DebenuPDFLibraryDLL1611+0x28e95c (0a31e95c)
0a31e6a1 8bc7 mov eax,edi
0a31e6a3 e8e4fedfff call DebenuPDFLibraryDLL1611+0x8e58c (0a11e58c)
0a31e6a8 85c0 test eax,eax
0a31e6aa 740d je DebenuPDFLibraryDLL1611+0x28e6b9 (0a31e6b9)
0a31e6ac 8d45fc lea eax,[ebp-4]
0a31e6af ba70e9310a mov edx,offset DebenuPDFLibraryDLL1611+0x28e970 (0a31e970)
0a31e6b4 e81791d7ff call DebenuPDFLibraryDLL1611+0x77d0 (0a0977d0)
0a31e6b9 8b45fc mov eax,dword ptr [ebp-4]
0a31e6bc ba70e9310a mov edx,offset DebenuPDFLibraryDLL1611+0x28e970 (0a31e970)
0a31e6c1 e84a96d7ff call DebenuPDFLibraryDLL1611+0x7d10 (0a097d10)
0a31e6c6 0f8592000000 jne DebenuPDFLibraryDLL1611+0x28e75e (0a31e75e)
0a31e6cc b101 mov cl,1
0a31e6ce ba84e9310a mov edx,offset DebenuPDFLibraryDLL1611+0x28e984 (0a31e984)
0a31e6d3 8bc7 mov eax,edi
0a31e6d5 e8b2fedfff call DebenuPDFLibraryDLL1611+0x8e58c (0a11e58c)
0a31e6da 8945f0 mov dword ptr [ebp-10h],eax
0a31e6dd 8b45f0 mov eax,dword ptr [ebp-10h]
0a31e6e0 8b1588c7110a mov edx,dword ptr [DebenuPDFLibraryDLL1611+0x8c788 (0a11c788)]
0a31e6e6 e8c571d7ff call DebenuPDFLibraryDLL1611+0x58b0 (0a0958b0)
0a31e6eb 84c0 test al,al
0a31e6ed 740a je DebenuPDFLibraryDLL1611+0x28e6f9 (0a31e6f9)
0a31e6ef 8b45f0 mov eax,dword ptr [ebp-10h]
0a31e6f2 e8a133e0ff call DebenuPDFLibraryDLL1611+0x91a98 (0a121a98)
0a31e6f7 eb02 jmp DebenuPDFLibraryDLL1611+0x28e6fb (0a31e6fb)
0a31e6f9 33c0 xor eax,eax
0a31e6fb 8b5508 mov edx,dword ptr [ebp+8]
0a31e6fe 8b52f8 mov edx,dword ptr [edx-8]
0a31e701 8b4df8 mov ecx,dword ptr [ebp-8]
0a31e704 8b09 mov ecx,dword ptr [ecx]
0a31e706 03c8 add ecx,eax
0a31e708 3bd1 cmp edx,ecx
0a31e70a 7f48 jg DebenuPDFLibraryDLL1611+0x28e754 (0a31e754)
0a31e70c b101 mov cl,1
0a31e70e ba5ce9310a mov edx,offset DebenuPDFLibraryDLL1611+0x28e95c (0a31e95c)
0a31e713 8bc7 mov eax,edi
0a31e715 e872fedfff call DebenuPDFLibraryDLL1611+0x8e58c (0a11e58c)
0a31e71a 8945ec mov dword ptr [ebp-14h],eax
0a31e71d 8b45ec mov eax,dword ptr [ebp-14h]
0a31e720 8b1540cc110a mov edx,dword ptr [DebenuPDFLibraryDLL1611+0x8cc40 (0a11cc40)]
0a31e726 e88571d7ff call DebenuPDFLibraryDLL1611+0x58b0 (0a0958b0)
0a31e72b 84c0 test al,al
0a31e72d 0f84ec010000 je DebenuPDFLibraryDLL1611+0x28e91f (0a31e91f)
0a31e733 8b4508 mov eax,dword ptr [ebp+8]
0a31e736 8b40fc mov eax,dword ptr [eax-4]
0a31e739 897838 mov dword ptr [eax+38h],edi
0a31e73c 8b4508 mov eax,dword ptr [ebp+8]
0a31e73f 50 push eax
0a31e740 8b55f8 mov edx,dword ptr [ebp-8]
0a31e743 8b45ec mov eax,dword ptr [ebp-14h]
0a31e746 e87dfeffff call DebenuPDFLibraryDLL1611+0x28e5c8 (0a31e5c8) // call
0a31e74b 59 pop ecx // return address
0a31e74c 8945f4 mov dword ptr [ebp-0Ch],eax
0a31e74f e9d5010000 jmp DebenuPDFLibraryDLL1611+0x28e929 (0a31e929)
0a31e754 8b55f8 mov edx,dword ptr [ebp-8]
0a31e757 0102 add dword ptr [edx],eax
0a31e759 e9c1010000 jmp DebenuPDFLibraryDLL1611+0x28e91f (0a31e91f)
0a31e75e 8b45fc mov eax,dword ptr [ebp-4]
0a31e761 ba98e9310a mov edx,offset DebenuPDFLibraryDLL1611+0x28e998 (0a31e998)
0a31e766 e8a595d7ff call DebenuPDFLibraryDLL1611+0x7d10 (0a097d10)
0a31e76b 0f85ae010000 jne DebenuPDFLibraryDLL1611+0x28e91f (0a31e91f)
0a31e771 8b45f8 mov eax,dword ptr [ebp-8]
0a31e774 8b00 mov eax,dword ptr [eax]
0a31e776 40 inc eax
0a31e777 8b5508 mov edx,dword ptr [ebp+8]
0a31e77a 3b42f8 cmp eax,dword ptr [edx-8]
0a31e77d 7508 jne DebenuPDFLibraryDLL1611+0x28e787 (0a31e787)
0a31e77f 897df4 mov dword ptr [ebp-0Ch],edi
0a31e782 e9a2010000 jmp DebenuPDFLibraryDLL1611+0x28e929 (0a31e929)
0a31e787 8b45f8 mov eax,dword ptr [ebp-8]
0a31e78a ff00 inc dword ptr [eax]
0a31e78c e98e010000 jmp DebenuPDFLibraryDLL1611+0x28e91f (0a31e91f)
0a31e791 8b4508 mov eax,dword ptr [ebp+8]
0a31e794 8b40fc mov eax,dword ptr [eax-4]
0a31e797 8b402c mov eax,dword ptr [eax+2Ch]
0a31e79a e83113e0ff call DebenuPDFLibraryDLL1611+0x8fad0 (0a11fad0)
0a31e79f 8945f4 mov dword ptr [ebp-0Ch],eax
0a31e7a2 8b4508 mov eax,dword ptr [ebp+8]
0a31e7a5 8b40fc mov eax,dword ptr [eax-4]
0a31e7a8 8b402c mov eax,dword ptr [eax+2Ch]
0a31e7ab ba98e9310a mov edx,offset DebenuPDFLibraryDLL1611+0x28e998 (0a31e998)
0a31e7b0 e8df15e0ff call DebenuPDFLibraryDLL1611+0x8fd94 (0a11fd94)
0a31e7b5 8bc8 mov ecx,eax
0a31e7b7 baace9310a mov edx,offset DebenuPDFLibraryDLL1611+0x28e9ac (0a31e9ac)
0a31e7bc 8b45f4 mov eax,dword ptr [ebp-0Ch]
0a31e7bf e8f4fadfff call DebenuPDFLibraryDLL1611+0x8e2b8 (0a11e2b8)
0a31e7c4 8b4508 mov eax,dword ptr [ebp+8]
0a31e7c7 8b40fc mov eax,dword ptr [eax-4]
0a31e7ca 8b7838 mov edi,dword ptr [eax+38h]
0a31e7cd 8b4f10 mov ecx,dword ptr [edi+10h]
0a31e7d0 8b570c mov edx,dword ptr [edi+0Ch]
0a31e7d3 8b4508 mov eax,dword ptr [ebp+8]
0a31e7d6 8b40fc mov eax,dword ptr [eax-4]
0a31e7d9 8b402c mov eax,dword ptr [eax+2Ch]
0a31e7dc e8cf10e0ff call DebenuPDFLibraryDLL1611+0x8f8b0 (0a11f8b0)
0a31e7e1 8bc8 mov ecx,eax
0a31e7e3 bac0e9310a mov edx,offset DebenuPDFLibraryDLL1611+0x28e9c0 (0a31e9c0)
0a31e7e8 8b45f4 mov eax,dword ptr [ebp-0Ch]
0a31e7eb e8c8fadfff call DebenuPDFLibraryDLL1611+0x8e2b8 (0a11e2b8)
0a31e7f0 8b4508 mov eax,dword ptr [ebp+8]
0a31e7f3 8b40fc mov eax,dword ptr [eax-4]
PoC
Attached
Attachments:
Recursive_id_000105_00.pdf
References:
https://www.foxitsoftware.com/support/security-bulletins.php