Foxit Reader 5.4.3.0920 - Crash (PoC)

EDB-ID:

21645

CVE:



Author:

coolkaveh

Type:

dos


Platform:

Windows

Date:

2012-10-01


Title            :  Foxit Reader suffers from Division By Zero
Version          :  5.4.3.0920 
Date             :  2012-09-28
Vendor           :  http://www.foxitsoftware.com/
Impact           :  Med/High
Contact          :  coolkaveh [at] rocketmail.com
Twitter          :  @coolkaveh
tested           :  XP SP3
#####################################################################
Bug :
----
division by zero vulnerability during the handling of the pdf files.
that will trigger a denial of service condition

#####################################################################
(b34.f24): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff 
ebx=00000000 
ecx=00000000 
edx=00000000 
esi=00000000 
edi=00000000
eip=00558c8c 
esp=0012f928 
ebp=00000000 
iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Module load completed but symbols could not be loaded for FoxitReader_Lib_Full.exe
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7            div     eax,edi
0:000> r;!exploitable -v;q
eax=ffffffff 
ebx=00000000 
ecx=00000000 
edx=00000000 
esi=00000000 
edi=00000000
eip=00558c8c 
esp=0012f928 
ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7            div     eax,edi
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
Exception Faulting Address: 0x558c8c
First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)

Faulting Instruction:00558c8c div eax,edi

Basic Block:
    00558c8c div eax,edi
       Tainted Input Operands: ax, dx, eax, edi
    00558c8e cmp dword ptr [esp+3ch],eax
       Tainted Input Operands: eax
    00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
       Tainted Input Operands: CarryFlag

Exception Hash (Major/Minor): 0x6461647c.0x64616453

Stack Trace:
FoxitReader_Lib_Full+0x158c8c
Instruction Address: 0x0000000000558c8c

Description: Integer Divide By Zero
Short Description: DivideByZero
Recommended Bug Title: Integer Divide By Zero starting at FoxitReader_Lib_Full+0x0000000000158c8c (Hash=0x6461647c.0x64616453)
#####################################################################

Proof of concept .pdf included: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21645.pdf