Foxit PDF Reader and Editor Flaw Let Attackers Escalate Privilege
Foxit PDF Reader has been found to contain a new privilege escalation vulnerability that allows a low-privileged user to escalate their privileges. This vulnerability has been assigned CVE-2024-29072 and the severity has been given as 8.2 (High).
This vulnerability affects multiple versions of the Foxit PDF Reader for Windows. Foxit has fixed it, and a critical security advisory has been published.
Technical Analysis – CVE-2024-29072
According to the reports shared with Cyber Security News, this vulnerability exists due to improper certificate validation of the updater executable before its execution.
This allows a low-privileged user to trigger the update action and elevate their privileges.
The update action in Foxit can be performed by clicking Help → About Foxit PDF Reader → Check For Update.
After this action, FoxitPDFReader.exe writes the FoxitPDFReaderUpdater.exe file in the %APPDATA%Foxit ToolActualAddonFoxit PDF Reader folder and runs under the user context.
Following this, FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the FoxitPDFReaderUpdater.exe file to retrieve its certificate information.
This is done to check whether FoxitPDFReaderUpdater.exe is signed or not.
However, FoxitPDFReaderUpdateService.exe only checks that the certificate exists and doesn't validate it after retrieving it. Additionally, it runs under the SYSTEM context.
A threat actor can exploit this particular behavior by signing a malicious file using the signtool.exe utility in Visual Studio.
Further, another user-controlled self-signed application can be used to call CryptQueryObject, resulting in the exploitation of this vulnerability.
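The difference between the presence-only check described above and full signature validation, as an added PowerShell example (not Foxit's code and not part of the original article). The function names, `$ExpectedSubject` and the sample path are assumptions for illustration.

```powershell
# Added example: presence-only certificate check vs. full Authenticode validation.
# Function names, the sample path and the expected subject are placeholders.

function Test-SignaturePresent {
    param([Parameter(Mandatory)][string]$Path)
    # Weak check: true for ANY file that carries a signer certificate,
    # including one signed with a self-signed certificate.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($null -ne $sig.SignerCertificate)
}

function Test-SignatureTrusted {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubject
    )
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Status is Valid only when the file hash matches the signature and the
    # certificate chain builds to a root this machine trusts.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return $false
    }
    # Pin the publisher: a valid signature from some other trusted signer
    # must not be accepted as the vendor's updater.
    return ($sig.SignerCertificate.Subject -eq $ExpectedSubject)
}

function Compare-SignatureChecks {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubject
    )
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        PresenceCheck = Test-SignaturePresent -Path $Path
        TrustedCheck  = Test-SignatureTrusted -Path $Path -ExpectedSubject $ExpectedSubject
    }
}

# Usage (placeholder values; replace with the real updater path and the
# exact subject string of the publisher certificate you trust):
# Compare-SignatureChecks -Path 'C:\path\to\FoxitPDFReaderUpdater.exe' `
#     -ExpectedSubject '<expected publisher subject>'
```

A file where `PresenceCheck` is true and `TrustedCheck` is false is the case the presence-only check lets through. Validating a file that sits in a user-writable folder still leaves a window between check and launch, so a service should validate and run it from a location the user cannot modify.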
Exploitation
The steps to exploit this vulnerability are as follows:
1. Set an oplock (opportunistic lock) on %APPDATA%Foxit ToolActualAddonFoxit PDF ReaderFoxitPDFReaderUpdater.exe
2. Click Check For Update. Due to the presence of the oplock on the file, when FoxitPDFReader.exe tries to overwrite FoxitPDFReaderUpdater.exe, it is forced to wait and an oplock callback is started.
3. When this callback occurs, an exploit can be crafted and put in place of the new FoxitPDFReaderUpdater.exe file.
4. FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the modified executable, which results in success.
5. FoxitPDFReaderUpdateService.exe calls CreateProcessAsUser to run the malicious executable, which may result in escalation of privileges to SYSTEM.
Affected versions
Product | Affected versions | Platform |
Foxit PDF Reader (previously named Foxit Reader) | 2024.2.1.25153 and earlier | Windows |
Foxit PDF Editor (previously named Foxit PhantomPDF) | 2024.2.1.25153 and all previous 2024.x versions, 2023.3.0.23028 and all previous 2023.x versions, 13.1.1.22432 and all previous 13.x versions, 12.1.6.15509 and all previous 12.x versions, 11.2.9.53938 and earlier | Windows |
This vulnerability affects Foxit Reader versions before 2024.2.0.25138. To prevent the exploitation of this vulnerability, Foxit users are advised to upgrade their software to the latest version (Foxit PDF Reader 2024.2.2).
Source credit: cybersecuritynews.com