##################################################################################### Application: Foxit Products GIF Conversion Memory Corruption Vulnerabilities (LZWMinimumCodeSize) Platforms: Windows Versions: The vulnerability is confirmed in version Foxit Reader 7.x. Other versions may also be affected. Secunia: SA63346 {PRL}: 2015-01 Author: Francis Provencher (Protek Research Lab’s) Website: http://www.protekresearchlab.com/ Twitter: @ProtekResearch ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) POC ##################################################################################### =============== 1) Introduction =============== Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing. (http://en.wikipedia.org/wiki/Foxit_Reader) ##################################################################################### ============================ 2) Report Timeline ============================ 2015-02-17: Francis Provencher from Protek Research Lab’s found the issue; 2015-02-21: Foxit Security Response Team confirmed the issue; 2015-02-21: Foxit fixed the issue; 2015-03-09: Foxit released fixed version of Foxit Reader 7.1/Foxit Enterprise Reader 7.1/Foxit PhantomPDF7.1. ##################################################################################### ============================ 3) Technical details ============================ An error when handling LZWMinimumCodeSize can be exploited to cause memory corruption via a specially crafted GIF file. ##################################################################################### =========== 4) POC =========== http://protekresearchlab.com/exploits/PRL-2015-01.gif https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36334.gif ###############################################################################