Re: [Full-disclosure] Foxit Reader suffers from Division By Zero
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Foxit Reader suffers from Division By Zero
- From: Mario Vilas <mvilas@xxxxxxxxx>
- Date: Sat, 29 Sep 2012 10:26:49 -0300
[image: Inline image 1]
On Sat, Sep 29, 2012 at 4:01 AM, kaveh ghaemmaghami <
kavehghaemmaghami@xxxxxxxxxxxxxx> wrote:
> Title : Foxit Reader suffers from Division By Zero
> Version : 5.4.3.0920
> Date : 2012-09-28
> Vendor : http://www.foxitsoftware.com/
> Impact : Med/High
> Contact : coolkaveh [at] rocketmail.com
> Twitter : @coolkaveh
> Tested : XP SP3
> #####################################################################
> Bug :
> ----
> Division by zero vulnerability during the handling of PDF files
> that will trigger a denial of service condition.
>
> #####################################################################
> (b34.f24): Integer divide-by-zero - code c0000094 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=ffffffff
> ebx=00000000
> ecx=00000000
> edx=00000000
> esi=00000000
> edi=00000000
> eip=00558c8c
> esp=0012f928
> ebp=00000000
> iopl=0 nv up ei pl zr na pe nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
> efl=00010246
> *** ERROR: Module load completed but symbols could not be loaded for
> FoxitReader_Lib_Full.exe
> FoxitReader_Lib_Full+0x158c8c:
> 00558c8c f7f7 div eax,edi
> 0:000> r;!exploitable -v;q
> eax=ffffffff
> ebx=00000000
> ecx=00000000
> edx=00000000
> esi=00000000
> edi=00000000
> eip=00558c8c
> esp=0012f928
> ebp=00000000 iopl=0 nv up ei pl zr na pe nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
> efl=00010246
> FoxitReader_Lib_Full+0x158c8c:
> 00558c8c f7f7 div eax,edi
> HostMachine\HostUser
> Executing Processor Architecture is x86
> Debuggee is in User Mode
> Debuggee is a live user mode debugging session on the local machine
> Event Type: Exception
> *** ERROR: Symbol file could not be found. Defaulted to export
> symbols for ntdll.dll -
> Exception Faulting Address: 0x558c8c
> First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)
>
> Faulting Instruction:00558c8c div eax,edi
>
> Basic Block:
> 00558c8c div eax,edi
> Tainted Input Operands: ax, dx, eax, edi
> 00558c8e cmp dword ptr [esp+3ch],eax
> Tainted Input Operands: eax
> 00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
> Tainted Input Operands: CarryFlag
>
> Exception Hash (Major/Minor): 0x6461647c.0x64616453
>
> Stack Trace:
> FoxitReader_Lib_Full+0x158c8c
> Instruction Address: 0x0000000000558c8c
>
> Description: Integer Divide By Zero
> Short Description: DivideByZero
> Recommended Bug Title: Integer Divide By Zero starting at
> FoxitReader_Lib_Full+0x0000000000158c8c (Hash=0x6461647c.0x64616453)
> #####################################################################
>
> Proof of concept .pdf included.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
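As an added triage example, not part of the post or of any Foxit tooling, a small Python parser for the `!exploitable -v` output quoted above: it pulls out the exception type, faulting instruction, module offset and crash hash, and checks that the divisor register really is zero before accepting the dump as a plain denial-of-service crash. The sample dump is an abridged, constructed copy of the one in the post; the `DOS_ONLY` set is an assumption about which short descriptions need no further review.

```python
import re

# Constructed sample: an abridged copy of the WinDbg/!exploitable output quoted
# in the post, embedded so the parser runs offline.
SAMPLE_DUMP = """\
eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00558c8c esp=0012f928 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)
Faulting Instruction:00558c8c div eax,edi
Tainted Input Operands: ax, dx, eax, edi
Exception Hash (Major/Minor): 0x6461647c.0x64616453
Stack Trace:
FoxitReader_Lib_Full+0x158c8c
Short Description: DivideByZero
"""

# Assumed: short descriptions that on their own mean a crash without memory corruption.
DOS_ONLY = {"DivideByZero"}

def parse_exploitable(text):
    """Extract the fields a crash triager wants from a `!exploitable -v` dump."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None

    return {
        "exception": grab(r"^First Chance Exception Type:\s*(\S+)"),
        "code": grab(r"^First Chance Exception Type:.*\((0x[0-9A-Fa-f]+)\)"),
        "symbol": grab(r"^Stack Trace:\s*\n(\S+)"),  # module+offset of the crash site
        "instruction": grab(r"^Faulting Instruction:\s*[0-9a-f]+\s+(.+)$"),
        "tainted": (grab(r"^Tainted Input Operands:\s*(.+)$") or "").split(", "),
        "hash": grab(r"^Exception Hash \(Major/Minor\):\s*(\S+)"),  # bucket key
        "short": grab(r"^Short Description:\s*(\S+)"),
        "regs": dict(re.findall(r"\b(e(?:ax|bx|cx|dx|si|di|ip|sp|bp))=([0-9a-f]{8})", text)),
    }

def triage(report):
    """Classify the crash and check the register dump agrees with the exception."""
    verdict = "denial of service" if report["short"] in DOS_ONLY else "needs review"
    notes = []
    instr = report["instruction"] or ""
    if instr.startswith("div"):
        # WinDbg prints `div eax,edi`: the dividend (edx:eax) is implicit, edi is the divisor.
        divisor = instr.split(",")[-1].strip()
        if report["regs"].get(divisor) == "00000000":
            notes.append(f"divisor {divisor} is zero, consistent with #DE")
        else:
            notes.append(f"divisor {divisor} is not zero; dump inconsistent")
    return {"verdict": verdict, "bucket": report["hash"], "notes": notes}
```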