Skip to content

afbase/CVE-2017-10952

Repository files navigation

CVE-2017-10952

So this is a high level example of a local code execution attack on Foxit PDF reader. Details of this attack can be found here [1]. I've copy pasted the text description of this vulnerability linked in [1] here to preserve the description over time - the description was written by the author Root on vulners.com.

Install Foxit

Install Foxit_Reader_v8.3.0.14878.exe. Step through the installation process. Since this is just a high level demonstration of how to exploit this version of Foxit PDF reader, there is no need to modify browser or Windows default application settings to open PDF files; below are some screenshots of installation to help identify installation settings:

Demonstration of Attack

  1. After installation of Foxit Reader, open the application.
  2. Open file explorer to this directory with "document.pdf" and "document2.pdf"
  3. Drag "document.pdf" to Foxit Reader. This should open a print prompt. Close the print prompt and close the document in Foxit.
  4. Next drag "document2.pdf" to Foxit Reader. This should open the calc.exe app.

What's happening?

In both instances of the attacks, they leverage the XFA formatting for PDFs; an example of this is shown by corkami here. A more thorough explanation of this exploit is found in the link above under "[+] Fixed: Safe-Reading mode bypass".

[1] - https://vulners.com/seebug/SSV:96369 [2] - https://github.com/corkami/pics [3] - https://raw.githubusercontent.com/corkami/pocs/master/pdf/formevent_js.pdf

CVE-2017-10951

Click here to see how we extend CVE-2017-10952 exploit into CVE-2017-10951.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published