Information

In Foxit Quick PDF Library (all versions prior to 16.12; the DLL in the dump below, DebenuPDFLibraryDLL1611.dll, is the 16.11 build), loading a malformed or malicious PDF containing invalid xref entries via the DAOpenFile or DAOpenFileReadOnly functions may result in an access violation caused by an out-of-bounds memory access. The crash dump does not show whether the fault is a read or a write, nor whether the faulting address is attacker-controlled, so the demonstrated impact is denial of service; any claim beyond that needs further analysis. Note also that esp (0x893000) sits exactly on a page boundary and the PoC is named "Recursive_…", which is consistent with stack exhaustion from unbounded recursion rather than a classic out-of-bounds read — this should be confirmed (e.g. with the full call stack) before finalising the classification.

Crash Dump:

Registers

eax   =  0xA9924E0	xmm0  =                                0x0
ebx   =        0x1	xmm1  =                                0x0
ecx   =  0xA999B40	xmm2  =                                0x0
edx   =        0x1	xmm3  =                                0x0
esi   =  0xA9924E0	xmm4  =                                0x0
edi   =  0xA974520	xmm5  =                                0x0
esp   =   0x893000	xmm6  =   0x3D004D004D0070006D0078003A0073
ebp   =   0x893024	xmm7  =   0x2F002F003A00700074007400680022

Disassembly of stack frame 3 at DebenuPDFLibraryDLL1611.dll + 0x28E74B (0x28E74B is the return address of the call at 0a31e746 into +0x28e5c8; the faulting frames 0–2 are not included in this listing, so the fault itself is not shown here). The register values above are those at the fault; xmm6/xmm7 contain UTF-16 fragments ("s:xmpMM=" and "\"http://"), which suggests XMP metadata text was being processed shortly before the crash — a hint for triage, not an established root cause.

0a31e66e 	e87d4fe0ff	call DebenuPDFLibraryDLL1611+0x935f0 (0a1235f0)
0a31e673 	8bf8	mov edi,eax
0a31e675 	8bc7	mov eax,edi
0a31e677 	8b1588be110a	mov edx,dword ptr [DebenuPDFLibraryDLL1611+0x8be88 (0a11be88)]
0a31e67d 	e82e72d7ff	call DebenuPDFLibraryDLL1611+0x58b0 (0a0958b0)
0a31e682 	84c0	test al,al
0a31e684 	0f8407010000	je DebenuPDFLibraryDLL1611+0x28e791 (0a31e791)
0a31e68a 	8d55fc	lea edx,[ebp-4]
0a31e68d 	8bc7	mov eax,edi
0a31e68f 	e80c02e0ff	call DebenuPDFLibraryDLL1611+0x8e8a0 (0a11e8a0)
0a31e694 	837dfc00	cmp dword ptr [ebp-4],0
0a31e698 	751f	jne DebenuPDFLibraryDLL1611+0x28e6b9 (0a31e6b9)
0a31e69a 	33c9	xor ecx,ecx
0a31e69c 	ba5ce9310a	mov edx,offset DebenuPDFLibraryDLL1611+0x28e95c (0a31e95c)
0a31e6a1 	8bc7	mov eax,edi
0a31e6a3 	e8e4fedfff	call DebenuPDFLibraryDLL1611+0x8e58c (0a11e58c)
0a31e6a8 	85c0	test eax,eax
0a31e6aa 	740d	je DebenuPDFLibraryDLL1611+0x28e6b9 (0a31e6b9)
0a31e6ac 	8d45fc	lea eax,[ebp-4]
0a31e6af 	ba70e9310a	mov edx,offset DebenuPDFLibraryDLL1611+0x28e970 (0a31e970)
0a31e6b4 	e81791d7ff	call DebenuPDFLibraryDLL1611+0x77d0 (0a0977d0)
0a31e6b9 	8b45fc	mov eax,dword ptr [ebp-4]
0a31e6bc 	ba70e9310a	mov edx,offset DebenuPDFLibraryDLL1611+0x28e970 (0a31e970)
0a31e6c1 	e84a96d7ff	call DebenuPDFLibraryDLL1611+0x7d10 (0a097d10)
0a31e6c6 	0f8592000000	jne DebenuPDFLibraryDLL1611+0x28e75e (0a31e75e)
0a31e6cc 	b101	mov cl,1
0a31e6ce 	ba84e9310a	mov edx,offset DebenuPDFLibraryDLL1611+0x28e984 (0a31e984)
0a31e6d3 	8bc7	mov eax,edi
0a31e6d5 	e8b2fedfff	call DebenuPDFLibraryDLL1611+0x8e58c (0a11e58c)
0a31e6da 	8945f0	mov dword ptr [ebp-10h],eax
0a31e6dd 	8b45f0	mov eax,dword ptr [ebp-10h]
0a31e6e0 	8b1588c7110a	mov edx,dword ptr [DebenuPDFLibraryDLL1611+0x8c788 (0a11c788)]
0a31e6e6 	e8c571d7ff	call DebenuPDFLibraryDLL1611+0x58b0 (0a0958b0)
0a31e6eb 	84c0	test al,al
0a31e6ed 	740a	je DebenuPDFLibraryDLL1611+0x28e6f9 (0a31e6f9)
0a31e6ef 	8b45f0	mov eax,dword ptr [ebp-10h]
0a31e6f2 	e8a133e0ff	call DebenuPDFLibraryDLL1611+0x91a98 (0a121a98)
0a31e6f7 	eb02	jmp DebenuPDFLibraryDLL1611+0x28e6fb (0a31e6fb)
0a31e6f9 	33c0	xor eax,eax
0a31e6fb 	8b5508	mov edx,dword ptr [ebp+8]
0a31e6fe 	8b52f8	mov edx,dword ptr [edx-8]
0a31e701 	8b4df8	mov ecx,dword ptr [ebp-8]
0a31e704 	8b09	mov ecx,dword ptr [ecx]
0a31e706 	03c8	add ecx,eax
0a31e708 	3bd1	cmp edx,ecx
0a31e70a 	7f48	jg DebenuPDFLibraryDLL1611+0x28e754 (0a31e754)
0a31e70c 	b101	mov cl,1
0a31e70e 	ba5ce9310a	mov edx,offset DebenuPDFLibraryDLL1611+0x28e95c (0a31e95c)
0a31e713 	8bc7	mov eax,edi
0a31e715 	e872fedfff	call DebenuPDFLibraryDLL1611+0x8e58c (0a11e58c)
0a31e71a 	8945ec	mov dword ptr [ebp-14h],eax
0a31e71d 	8b45ec	mov eax,dword ptr [ebp-14h]
0a31e720 	8b1540cc110a	mov edx,dword ptr [DebenuPDFLibraryDLL1611+0x8cc40 (0a11cc40)]
0a31e726 	e88571d7ff	call DebenuPDFLibraryDLL1611+0x58b0 (0a0958b0)
0a31e72b 	84c0	test al,al
0a31e72d 	0f84ec010000	je DebenuPDFLibraryDLL1611+0x28e91f (0a31e91f)
0a31e733 	8b4508	mov eax,dword ptr [ebp+8]
0a31e736 	8b40fc	mov eax,dword ptr [eax-4]
0a31e739 	897838	mov dword ptr [eax+38h],edi
0a31e73c 	8b4508	mov eax,dword ptr [ebp+8]
0a31e73f 	50	push eax
0a31e740 	8b55f8	mov edx,dword ptr [ebp-8]
0a31e743 	8b45ec	mov eax,dword ptr [ebp-14h]
0a31e746 	e87dfeffff	call DebenuPDFLibraryDLL1611+0x28e5c8 (0a31e5c8) // call
0a31e74b 	59	pop ecx // return address
0a31e74c 	8945f4	mov dword ptr [ebp-0Ch],eax
0a31e74f 	e9d5010000	jmp DebenuPDFLibraryDLL1611+0x28e929 (0a31e929)
0a31e754 	8b55f8	mov edx,dword ptr [ebp-8]
0a31e757 	0102	add dword ptr [edx],eax
0a31e759 	e9c1010000	jmp DebenuPDFLibraryDLL1611+0x28e91f (0a31e91f)
0a31e75e 	8b45fc	mov eax,dword ptr [ebp-4]
0a31e761 	ba98e9310a	mov edx,offset DebenuPDFLibraryDLL1611+0x28e998 (0a31e998)
0a31e766 	e8a595d7ff	call DebenuPDFLibraryDLL1611+0x7d10 (0a097d10)
0a31e76b 	0f85ae010000	jne DebenuPDFLibraryDLL1611+0x28e91f (0a31e91f)
0a31e771 	8b45f8	mov eax,dword ptr [ebp-8]
0a31e774 	8b00	mov eax,dword ptr [eax]
0a31e776 	40	inc eax
0a31e777 	8b5508	mov edx,dword ptr [ebp+8]
0a31e77a 	3b42f8	cmp eax,dword ptr [edx-8]
0a31e77d 	7508	jne DebenuPDFLibraryDLL1611+0x28e787 (0a31e787)
0a31e77f 	897df4	mov dword ptr [ebp-0Ch],edi
0a31e782 	e9a2010000	jmp DebenuPDFLibraryDLL1611+0x28e929 (0a31e929)
0a31e787 	8b45f8	mov eax,dword ptr [ebp-8]
0a31e78a 	ff00	inc dword ptr [eax]
0a31e78c 	e98e010000	jmp DebenuPDFLibraryDLL1611+0x28e91f (0a31e91f)
0a31e791 	8b4508	mov eax,dword ptr [ebp+8]
0a31e794 	8b40fc	mov eax,dword ptr [eax-4]
0a31e797 	8b402c	mov eax,dword ptr [eax+2Ch]
0a31e79a 	e83113e0ff	call DebenuPDFLibraryDLL1611+0x8fad0 (0a11fad0)
0a31e79f 	8945f4	mov dword ptr [ebp-0Ch],eax
0a31e7a2 	8b4508	mov eax,dword ptr [ebp+8]
0a31e7a5 	8b40fc	mov eax,dword ptr [eax-4]
0a31e7a8 	8b402c	mov eax,dword ptr [eax+2Ch]
0a31e7ab 	ba98e9310a	mov edx,offset DebenuPDFLibraryDLL1611+0x28e998 (0a31e998)
0a31e7b0 	e8df15e0ff	call DebenuPDFLibraryDLL1611+0x8fd94 (0a11fd94)
0a31e7b5 	8bc8	mov ecx,eax
0a31e7b7 	baace9310a	mov edx,offset DebenuPDFLibraryDLL1611+0x28e9ac (0a31e9ac)
0a31e7bc 	8b45f4	mov eax,dword ptr [ebp-0Ch]
0a31e7bf 	e8f4fadfff	call DebenuPDFLibraryDLL1611+0x8e2b8 (0a11e2b8)
0a31e7c4 	8b4508	mov eax,dword ptr [ebp+8]
0a31e7c7 	8b40fc	mov eax,dword ptr [eax-4]
0a31e7ca 	8b7838	mov edi,dword ptr [eax+38h]
0a31e7cd 	8b4f10	mov ecx,dword ptr [edi+10h]
0a31e7d0 	8b570c	mov edx,dword ptr [edi+0Ch]
0a31e7d3 	8b4508	mov eax,dword ptr [ebp+8]
0a31e7d6 	8b40fc	mov eax,dword ptr [eax-4]
0a31e7d9 	8b402c	mov eax,dword ptr [eax+2Ch]
0a31e7dc 	e8cf10e0ff	call DebenuPDFLibraryDLL1611+0x8f8b0 (0a11f8b0)
0a31e7e1 	8bc8	mov ecx,eax
0a31e7e3 	bac0e9310a	mov edx,offset DebenuPDFLibraryDLL1611+0x28e9c0 (0a31e9c0)
0a31e7e8 	8b45f4	mov eax,dword ptr [ebp-0Ch]
0a31e7eb 	e8c8fadfff	call DebenuPDFLibraryDLL1611+0x8e2b8 (0a11e2b8)
0a31e7f0 	8b4508	mov eax,dword ptr [ebp+8]
0a31e7f3 	8b40fc	mov eax,dword ptr [eax-4]

PoC


Attached


Attachments:
Recursive_id_000105_00.pdf

References:
https://www.foxitsoftware.com/support/security-bulletins.php