Foxit PDF Reader GoToR Action Stack Buffer Overflow

July 29, 2016

Foxit Reader is a PDF reader that can create, edit, sign and print PDF files. A stack buffer overflow vulnerability exists in Foxit Reader. The vulnerability occurs due to improper handling of an overly large action link. A remote attacker can exploit this vulnerability by luring the victim into opening a specially crafted PDF document and clicking on the action link. Successful exploitation can lead to code execution under the privileges of the victim user. Unsuccessful exploitation would lead to a hang or termination of the Foxit Reader application.

Specifically, actions are used for navigation. There are two types of actions: implicit and explicit. An explicit action occurs when the user interacts with any kind of object. Foxit implements these actions with 4 different types: GoTo, GoToR, Launch and URI. The vulnerability exists in the GoToR action. The GoToR action navigates to an external PDF file that might be stored on the local disk. The vulnerability occurs when the user clicks on a GoToR action link, which causes the creation of a large filename. This name is copied into a UTF-16 encoded string, which is then stored in a 522-byte buffer. The copy process does not validate the size of the source string. When a large string is supplied to the GoToR action, the copy writes past the end of the buffer, causing a stack buffer overflow.
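The class of bug described above, shown as an added C example (not Foxit's code and not from the original advisory): an unbounded widening copy next to a form that checks the destination capacity in UTF-16 code units and rejects oversized names instead of truncating them. The function names and the single-byte source encoding are assumptions made for illustration; only the 522-byte buffer size comes from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NAME_BUF_BYTES 522                                  /* size stated in the advisory */
#define NAME_BUF_UNITS (NAME_BUF_BYTES / sizeof(uint16_t))  /* 261 UTF-16 code units */

/* Unsafe pattern: widens until the source NUL and never consults the
 * destination size, so the source length alone decides how far it writes. */
void widen_unchecked(uint16_t *dst, const char *src)
{
    while (*src)
        *dst++ = (unsigned char)*src++;
    *dst = 0;
}

/* Hardened form: capacity is given in code units (not bytes) and the input
 * is measured with a bounded scan before anything is written.
 * Returns the units written (excluding the terminator) or -1 on rejection. */
long widen_checked(uint16_t *dst, size_t dst_units, const char *src)
{
    size_t n = 0;

    if (dst == NULL || src == NULL || dst_units == 0)
        return -1;
    while (n < dst_units && src[n] != '\0')
        n++;
    if (n >= dst_units)             /* no room left for the terminator */
        return -1;
    for (size_t i = 0; i < n; i++)  /* assumes a single-byte source encoding */
        dst[i] = (unsigned char)src[i];
    dst[n] = 0;
    return (long)n;
}

/* Hypothetical link handler: resolves the target name into a stack buffer
 * and refuses to follow the link when the name does not fit. */
long gotor_target_units(const char *filename)
{
    uint16_t wide[NAME_BUF_UNITS];
    return widen_checked(wide, NAME_BUF_UNITS, filename);
}

int main(void)
{
    printf("report.pdf -> %ld units\n", gotor_target_units("report.pdf"));
    return 0;
}
```

A 522-byte buffer holds 260 characters plus the terminator, so treating the byte count as an element count would itself reintroduce the overflow.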

The Dell SonicWALL team has written the following signature to protect our customers from attacks against this vulnerability:

  • 11764: Foxit Reader Stack Buffer Overflow