Foxit PDF Reader: Half-hearted certificate check enables privilege escalation

The Foxit PDF Reader update routines do not check certificates correctly. This allows attackers to escalate their privileges.

Foxit logo with update stamp

(Image: heise online)

This article was originally published in German and has been automatically translated.

IT security researchers from Talos warn of a security vulnerability in Foxit PDF Reader. Attackers can use the flaw to escalate their privileges on the system.

In their analysis, the Talos researchers explain that, because of an inadequate certificate check in the updater executable, attackers with low privileges can trigger the update process and escalate their privileges as a result (CVE-2024-29072, CVSS 8.2, risk "high").

When checking for updates, FoxitPDFReader.exe writes the file FoxitPDFReaderUpdater.exe to the directory %APPDATA%\Foxit Software\Continuous\Addon\Foxit PDF Reader. The PDF reader runs with user rights. The FoxitPDFReaderUpdateService.exe service then calls CryptQueryObject on the stored updater file to read its certificate information, and Foxit uses this only to check whether the file is signed at all; the certificate itself is not validated any further. FoxitPDFReaderUpdateService.exe, the service performing this check, runs in the SYSTEM context: if the updater file carries a signature, the service starts it with SYSTEM rights.

However, standard users have full access rights to the updater file and can delete or create it. The Talos IT researchers point out that it is sufficient to sign an executable file with a self-created certificate using the Visual Studio tool signtool.exe. This allows arbitrary code to be executed in the highly privileged SYSTEM context if attackers replace the update file quickly enough.
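As an added, defender-side illustration (not Foxit's or Talos's code), the PowerShell below contrasts the "is there a signature at all?" check the article describes with the check a SYSTEM service should perform before launching a binary: the signature must chain to a trusted root (a self-signed certificate does not), the signer must be the expected publisher, and the check must run on a copy in a location standard users cannot write to, so the file cannot be swapped between check and launch. The updater path is the one named above; the expected signer subject and the staging directory are placeholders (assumptions).

```powershell
# Added example, not Foxit's or Talos's code. Illustrates a weak "is signed" check
# versus a trust check suitable for a SYSTEM service. Path from the article;
# signer subject and staging directory are placeholders (assumptions).

$UpdaterPath = Join-Path $env:APPDATA 'Foxit Software\Continuous\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe'
$ExpectedSignerSubject = 'CN=EXAMPLE PUBLISHER, O=Example Publisher Inc.'   # placeholder, pin the real subject
$StagingDir = Join-Path $env:ProgramData 'ExampleUpdaterStaging'             # assumption: ACL denies writes to standard users

function Test-IsSignedOnly {
    # Weak check, equivalent to what the article describes: any signature passes,
    # including one made with a self-created certificate, because the file is
    # "signed" even though its chain does not end in a trusted root.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -ne 'NotSigned')
}

function Test-TrustedUpdater {
    # Proper check: signature verifies AND chains to a trusted root (Status 'Valid'),
    # AND the signer is the publisher we expect. A self-signed certificate fails the
    # first condition; a trusted but foreign publisher fails the second.
    param([string]$Path, [string]$ExpectedSubject)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Trusted = $false; Reason = "signature status is '$($sig.Status)'" }
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -ne $ExpectedSubject) {
        return [pscustomobject]@{ Trusted = $false; Reason = "unexpected signer '$subject'" }
    }
    return [pscustomobject]@{ Trusted = $true; Reason = 'valid chain and pinned signer' }
}

function Invoke-VerifiedUpdater {
    # Removes the replace-the-file race: copy the candidate into a directory that
    # standard users cannot write to, verify the copy, and only ever run the copy.
    param([string]$Source, [string]$Staging, [string]$ExpectedSubject)
    if (-not (Test-Path -LiteralPath $Staging)) {
        New-Item -ItemType Directory -Path $Staging | Out-Null
    }
    $staged = Join-Path $Staging (Split-Path -Leaf $Source)
    Copy-Item -LiteralPath $Source -Destination $staged -Force
    $verdict = Test-TrustedUpdater -Path $staged -ExpectedSubject $ExpectedSubject
    if (-not $verdict.Trusted) {
        Remove-Item -LiteralPath $staged -Force
        throw "Refusing to run updater: $($verdict.Reason)"
    }
    # Launch only the verified, protected copy; a real service would do this from SYSTEM.
    Start-Process -FilePath $staged -Wait
}

# Usage: report-only audit of whatever is currently staged; nothing is executed here.
if (Test-Path -LiteralPath $UpdaterPath) {
    "Signed at all:  $(Test-IsSignedOnly -Path $UpdaterPath)"
    $v = Test-TrustedUpdater -Path $UpdaterPath -ExpectedSubject $ExpectedSignerSubject
    "Trusted to run: $($v.Trusted) ($($v.Reason))"
} else {
    "No updater file present at $UpdaterPath"
}
```

The two functions make the gap concrete: a file signed with a self-created certificate returns `True` from `Test-IsSignedOnly` but `Trusted = $false` from `Test-TrustedUpdater`, because `Get-AuthenticodeSignature` builds and validates the chain rather than merely reading the certificate blob. Pinning the signer is what stops a validly signed binary from a different publisher; staging the copy in a protected directory is what stops the swap described above.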

The vulnerability was confirmed in Foxit Reader 2024.2.0.25138, which was released on April 28 according to Foxit's version history. Foxit PDF Reader 2024.2.1.25153 from May 17 does not correct any security vulnerabilities according to the changelog, but it appeared after the vulnerability was reported to Foxit. A patch is said to have been released on Sunday, May 26; however, neither Talos nor Foxit mention the corresponding version numbers. Anyone using Foxit PDF Reader should download the installation file currently provided and use it to update the reader. The installer currently offered bears the number 2024.2.2.25170 and is therefore more recent than what is documented on the website. The German-language installer was signed on 05/23/2024, which may match the release schedule.

IT security researchers repeatedly find security vulnerabilities in Foxit PDF programs. Last November, for example, flaws in Foxit PDF Reader and PDF Editor allowed attackers to inject and execute malicious code using manipulated documents.

(dmk)