Foxit PDF Reader and Editor Flaw Let Attackers Escalate Privilege
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Foxit PDF reader has been discovered with a new privilege escalation vulnerability that allows a low-privileged user to escalate their privileges. This vulnerability has been assigned with CVE-2024-29072 and the severity has been given as 8.2 (High).
This vulnerability affects multiple versions of the Foxit PDF reader for Windows. Foxit has fixed it, and a necessary security advisory has been published.
Technical Analysis – CVE-2024-29072
According to the reports shared with Cyber Security News, this vulnerability exists due to improper certification validation of the updater executable before its execution.
This allows a low-privileged user to trigger the update action and elevate their privileges.
The update action on Foxit can be performed by clicking Help → About Foxit PDF Reader → Check For Update.
After this action, FoxitPDFReader.exe writes the FoxitPDFReaderUpdater.exe file in the %APPDATA%\Foxit Software\Continuous\Addon\Foxit PDF Reader folder and runs under the user context.
Following this, FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the FoxitPDFReaderUpdater.exe file to retrieve its certificate information.
This is done to verify if the FoxitPDFReaderUpdater.exe is signed or not.
However, the FoxitPDFReaderUpdateService.exe only checks the certificate’s existence but does not validate it after retrieving it. Additionally, it also runs under the SYSTEM context.
A threat actor can exploit this particular behavior by crafting a signature to a malicious file using the signtool.exe utility in Visual Studio.
Further, another user-controlled self-signed application can be used to call CryptQueryObject, resulting in the exploitation of this vulnerability.
Exploitation
The steps to exploit this vulnerability are as follows:
1. Set an oplock (opportunistic lock) on %APPDATA%\Foxit Software\Continuous\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe
2. Click Check For Update. Due to the presence of oplock on the file, when FoxitPDFReader.exe tries to overwrite the FoxitPDFReaderUpdater.exe, it is forced to wait and an oplock callback is started.
3. When this callback happens, an exploit can be crafted and replaced with the original FoxitPDFReaderUpdater.exe file.
4. FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the modified executable which results in success.
5. FoxitPDFReaderUpdateService.exe calls CreateProcessAsUser to execute the malicious executable which will result in escalating the privileges to SYSTEM.
Affected versions
Product Affected versions Platform Foxit PDF Reader (previously named Foxit Reader)2024.2.1.25153 and earlierWindowsFoxit PDF Editor (previously named Foxit PhantomPDF)2024.2.1.25153 and all previous 2024.x versions,
2023.3.0.23028 and all previous 2023.x versions,
13.1.1.22432 and all previous 13.x versions,
12.1.6.15509 and all previous 12.x versions,
11.2.9.53938 and earlierWindows
This vulnerability affects Foxit Reader versions before 2024.2.0.25138. To prevent the exploitation of this vulnerability, Foxit users are recommended to upgrade their application to the latest version (Foxit PDF Reader 2024.2.2).
#Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
Foxit PDF Reader and Editor Flaw Let Attackers Escalate Privilege
Author: EswarFoxit PDF reader has been discovered with a new privilege escalation vulnerability that allows a low-privileged user to escalate their privileges. This vulnerability has been assigned with CVE-2024-29072 and the severity has been given as 8.2 (High).
This vulnerability affects multiple versions of the Foxit PDF reader for Windows. Foxit has fixed it, and a necessary security advisory has been published.
Technical Analysis – CVE-2024-29072
According to the reports shared with Cyber Security News, this vulnerability exists due to improper certification validation of the updater executable before its execution.
This allows a low-privileged user to trigger the update action and elevate their privileges.
The update action on Foxit can be performed by clicking Help → About Foxit PDF Reader → Check For Update.
After this action, FoxitPDFReader.exe writes the FoxitPDFReaderUpdater.exe file in the %APPDATA%\Foxit Software\Continuous\Addon\Foxit PDF Reader folder and runs under the user context.
Following this, FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the FoxitPDFReaderUpdater.exe file to retrieve its certificate information.
This is done to verify if the FoxitPDFReaderUpdater.exe is signed or not.
However, the FoxitPDFReaderUpdateService.exe only checks the certificate’s existence but does not validate it after retrieving it. Additionally, it also runs under the SYSTEM context.
A threat actor can exploit this particular behavior by crafting a signature to a malicious file using the signtool.exe utility in Visual Studio.
Further, another user-controlled self-signed application can be used to call CryptQueryObject, resulting in the exploitation of this vulnerability.
Exploitation
The steps to exploit this vulnerability are as follows:
1. Set an oplock (opportunistic lock) on %APPDATA%\Foxit Software\Continuous\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe
2. Click Check For Update. Due to the presence of oplock on the file, when FoxitPDFReader.exe tries to overwrite the FoxitPDFReaderUpdater.exe, it is forced to wait and an oplock callback is started.
3. When this callback happens, an exploit can be crafted and replaced with the original FoxitPDFReaderUpdater.exe file.
4. FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the modified executable which results in success.
5. FoxitPDFReaderUpdateService.exe calls CreateProcessAsUser to execute the malicious executable which will result in escalating the privileges to SYSTEM.
Affected versions
Product Affected versions Platform Foxit PDF Reader (previously named Foxit Reader)2024.2.1.25153 and earlierWindowsFoxit PDF Editor (previously named Foxit PhantomPDF)2024.2.1.25153 and all previous 2024.x versions,
2023.3.0.23028 and all previous 2023.x versions,
13.1.1.22432 and all previous 13.x versions,
12.1.6.15509 and all previous 12.x versions,
11.2.9.53938 and earlierWindows
This vulnerability affects Foxit Reader versions before 2024.2.0.25138. To prevent the exploitation of this vulnerability, Foxit users are recommended to upgrade their application to the latest version (Foxit PDF Reader 2024.2.2).
#Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
