Foxit PDF Reader and Editor Flaw Let Attackers Escalate Privilege

Foxit PDF reader has been discovered with a new privilege escalation vulnerability that allows a low-privileged user to escalate their privileges. This vulnerability has been assigned with CVE-2024-29072 and the severity has been given as 8.2 (High).

This vulnerability affects multiple versions of the Foxit PDF reader for Windows. Foxit has fixed it, and a necessary security advisory has been published.

EHA

Technical Analysis – CVE-2024-29072

According to the reports shared with Cyber Security News, this vulnerability exists due to improper certification validation of the updater executable before its execution.

This allows a low-privileged user to trigger the update action and elevate their privileges.

The update action on Foxit can be performed by clicking Help → About Foxit PDF Reader → Check For Update.

 All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo

After this action, FoxitPDFReader.exe writes the FoxitPDFReaderUpdater.exe file in the %APPDATA%\Foxit Software\Continuous\Addon\Foxit PDF Reader folder and runs under the user context.

Following this, FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the FoxitPDFReaderUpdater.exe file to retrieve its certificate information.

This is done to verify if the FoxitPDFReaderUpdater.exe is signed or not.

However, the FoxitPDFReaderUpdateService.exe only checks the certificate’s existence but does not validate it after retrieving it. Additionally, it also runs under the SYSTEM context. 

A threat actor can exploit this particular behavior by crafting a signature to a malicious file using the signtool.exe utility in Visual Studio.

Further, another user-controlled self-signed application can be used to call CryptQueryObject, resulting in the exploitation of this vulnerability.

Exploitation

The steps to exploit this vulnerability are as follows:

1. Set an oplock (opportunistic lock) on %APPDATA%\Foxit Software\Continuous\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe

2. Click Check For Update. Due to the presence of oplock on the file, when FoxitPDFReader.exe tries to overwrite the FoxitPDFReaderUpdater.exe, it is forced to wait and an oplock callback is started.

3. When this callback happens, an exploit can be crafted and replaced with the original FoxitPDFReaderUpdater.exe file.

4. FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the modified executable which results in success.

5. FoxitPDFReaderUpdateService.exe calls CreateProcessAsUser to execute the malicious executable which will result in escalating the privileges to SYSTEM.

Affected versions

ProductAffected versionsPlatform
Foxit PDF Reader (previously named Foxit Reader)2024.2.1.25153 and earlierWindows
Foxit PDF Editor (previously named Foxit PhantomPDF)2024.2.1.25153 and all previous 2024.x versions,
2023.3.0.23028 and all previous 2023.x versions,
13.1.1.22432 and all previous 13.x versions,
12.1.6.15509 and all previous 12.x versions,
11.2.9.53938 and earlier
Windows

This vulnerability affects Foxit Reader versions before 2024.2.0.25138. To prevent the exploitation of this vulnerability, Foxit users are recommended to upgrade their application to the latest version (Foxit PDF Reader 2024.2.2).

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.