

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader. A specially crafted PDF document can cause a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Tested Versions
Foxit Software Foxit PDF Reader

Product URLs

CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

Foxit PDF Reader is one of the most popular PDF document readers and has a widespread user base. It aims to have feature parity with Adobe's Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. That JavaScript support adds attack surface. While embedded JavaScript is executing, the document can be closed, which frees many of the objects backing it, yet the JavaScript continues to execute. Invoking a method that still holds a reference to a now-freed object then produces a use-after-free condition, which can be abused to execute arbitrary code. This particular vulnerability lies in the mailForm method of the active document: called with specially crafted arguments, as in the following code, it triggers the use-after-free:

    var v1 = new Array()
    app.activeDocs.mailForm()

In the above code, we craft an array v1 whose toString method is overridden to call function f. While accessing its arguments, mailForm expects the second argument to be a string and calls the object's toString method. Here that executes function f, which closes the current document. Closing the document frees a number of objects, and when execution returns to the rest of mailForm a stale pointer to one of them is reused, leading to the use-after-free.
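The snippet on this page is truncated, so the following is an added example, not Foxit's code or the advisory's own proof of concept. It models the bug class the text describes: a native host method that takes hold of document state, then coerces an argument to a string, which runs attacker-controlled toString() that closes the document. The host object, the NativeDoc class, the closeDoc/mailForm shapes and the argument order (bUI, then cTo as the second, string-typed argument) are all assumptions for the mock; the real method has more parameters. The "vulnerable" and "hardened" implementations show the ordering mistake and the fix: finish every script-visible conversion before touching native state, and re-validate the document after any point where script can run.

```javascript
"use strict";

// Constructed stand-in for the reader's native document object. closeDoc()
// tears down the object the document owns, the way the real close frees it.
class NativeDoc {
  constructor(name, mailFormImpl) {
    this.name = name;
    this.closed = false;
    this.formData = { fields: ["name", "email"] }; // owned heap object
    this.mailFormImpl = mailFormImpl;              // host implementation under test
  }
  closeDoc() {
    this.closed = true;
    this.formData.fields = null;   // poison the owned object, like freed memory
    this.formData = null;          // drop the document's own reference
  }
  // Second parameter is the string-typed one, as in the advisory.
  mailForm(bUI, cTo) {
    return this.mailFormImpl(this, bUI, cTo);
  }
}

// Vulnerable shape (assumed; the advisory does not show Foxit's internals):
// the method grabs document state first and converts its arguments afterwards.
// String(cTo) can run script, and that script can close the document, so
// `data` is stale by the time it is dereferenced.
function mailFormVulnerable(doc, bUI, cTo) {
  const data = doc.formData;
  const to = String(cTo);                          // re-entrancy point
  return { to, fieldCount: data.fields.length };   // use after "free"
}

// Hardened shape: convert every argument before touching native state, then
// re-validate the document once script can no longer have run.
function mailFormHardened(doc, bUI, cTo) {
  const to = String(cTo);                          // re-entrancy point
  if (doc.closed || doc.formData === null) {
    throw new Error("mailForm: document closed during argument conversion");
  }
  return { to, fieldCount: doc.formData.fields.length };
}

// Document-script side, shaped like the advisory's trigger: an array whose
// toString closes the document, passed where mailForm expects a string.
function runTrigger(mailFormImpl) {
  const app = { activeDocs: [new NativeDoc("victim.pdf", mailFormImpl)] };
  function f() {
    app.activeDocs[0].closeDoc();
    return "";                       // return a primitive so coercion completes
  }
  const v1 = new Array();
  v1.toString = f;
  const doc = app.activeDocs[0];
  try {
    const result = doc.mailForm(false, v1);
    return { ok: true, result, closed: doc.closed };
  } catch (e) {
    return { ok: false, error: e.constructor.name, message: e.message, closed: doc.closed };
  }
}

// Benign call for comparison: a plain string runs no script during coercion.
function runBenign(mailFormImpl) {
  return new NativeDoc("victim.pdf", mailFormImpl).mailForm(false, "user@example.com");
}

console.log("vulnerable:", runTrigger(mailFormVulnerable));
console.log("hardened:  ", runTrigger(mailFormHardened));
```

The vulnerable variant fails with a TypeError while reading through the poisoned object, the JavaScript analogue of dereferencing freed memory; the hardened variant fails closed with an explicit error instead of reusing state that a callback invalidated. The general rule for any native API exposed to script is the same: treat every implicit conversion (toString, valueOf, getters) as a call into untrusted code, and never hold raw pointers to engine-owned objects across such a call.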
