######################################################
Application: Foxit Reader PDF Parsing Memory Corruption
Platforms: Windows
Versions: The vulnerabilities are reported in Foxit Reader and Foxit Enterprise Reader versions 7.1.0.306 and 7.1.3.320 and Foxit Phantom PDF versions 7.1.0.306, 7.1.2.311, and 7.1.3.320.
Secunia: SA63346
{PRL}: 2015-05
Author: Francis Provencher (Protek Research Lab’s)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
######################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
######################################################
===============
1) Introduction
===============
Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing.
(http://en.wikipedia.org/wiki/Foxit_Reader)
######################################################
============================
2) Report Timeline
============================
2015-04-09: Francis Provencher from Protek Research Lab’s found the issue;
2015-04-13: Foxit Security Response Team confirmed the issue;
2015-04-28: Foxit fixed the issue;
######################################################
============================
3) Technical details
============================
A memory corruption occured within the LZW algorithm that is used to decode GIF. A specifically crafted GIF could lead to a controled memory corruption.
######################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/PRL-2015-05.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36859.pdf
######################################################