A new privilege escalation vulnerability (CVE-2024-29072, severity 8.2 High) has been discovered in multiple versions of Foxit PDF Reader for Windows. Foxit has fixed the issue and published a security advisory.
Foxit PDF Reader and Editor Flaw
According to reports shared with Cyber Security News, this vulnerability exists due to improper certification validation of the updater executable before execution.
This flaw allows a low-privileged user to trigger the update action and elevate their privileges.
Users can perform the update action in Foxit by navigating to Help → About Foxit PDF Reader → Check For Update.
After this action, FoxitPDFReader.exe writes the FoxitPDFReaderUpdater.exe file to the %APPDATA%\Foxit Software\Continuous\Addon\Foxit PDF Reader folder and runs it under the user context.
Next, FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the FoxitPDFReaderUpdater.exe file to retrieve its certificate information to check if it is signed.
However, FoxitPDFReaderUpdateService.exe only checks for the existence of the certificate without validating it and runs under the SYSTEM context.
A threat actor can exploit this by crafting a malicious file signature using the signtool.exe utility in Visual Studio.
Additionally, another user-controlled self-signed application can call CryptQueryObject, exploiting this vulnerability.
The steps to exploit this vulnerability are as follows:
- Set an opportunistic lock (oplock) on %APPDATA%\Foxit Software\Continuous\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe.
- Click “Check For Update.” Due to the oplock on the file, when FoxitPDFReader.exe tries to overwrite FoxitPDFReaderUpdater.exe, it is forced to wait, triggering an oplock callback.
- During this callback, replace the original FoxitPDFReaderUpdater.exe file with a crafted exploit.
- FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the modified executable, which passes verification.
- FoxitPDFReaderUpdateService.exe calls CreateProcessAsUser to execute the malicious executable, escalating privileges to SYSTEM.
Affected versions
| Affected Product | Affected Versions | Platform |
|---|---|---|
| Foxit PDF Reader (previously named Foxit Reader) | 2024.2.1.25153 and earlier | Windows |
| Foxit PDF Editor (previously named Foxit PhantomPDF) | 2024.2.1.25153 and all previous 2024.x versions, 2023.3.0.23028 and all previous 2023.x versions, 13.1.1.22432 and all previous 13.x versions, 12.1.6.15509 and all previous 12.x versions, 11.2.9.53938 and earlier | Windows |
This vulnerability affects Foxit Reader versions prior to 2024.2.0.25138. To prevent exploitation, Foxit users are advised to update to the latest version (Foxit PDF Reader 2024.2.2).
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment