| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 29 Sep 2012 10:26:49 -0300
From: Mario Vilas <mvilas@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Foxit Reader suffers from Division By Zero
[image: Inline image 1]
On Sat, Sep 29, 2012 at 4:01 AM, kaveh ghaemmaghami <
kavehghaemmaghami@...glemail.com> wrote:
> Title : Foxit Reader suffers from Division By Zero
> Version : 5.4.3.0920
> Date : 2012-09-28
> Vendor : http://www.foxitsoftware.com/
> Impact : Med/High
> Contact : coolkaveh [at] rocketmail.com
> Twitter : @coolkaveh
> tested : XP SP3
> #####################################################################
> Bug :
> ----
> division by zero vulnerability during the handling of the pdf files.
> that will trigger a denial of service condition
>
> #####################################################################
> (b34.f24): Integer divide-by-zero - code c0000094 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=ffffffff
> ebx=00000000
> ecx=00000000
> edx=00000000
> esi=00000000
> edi=00000000
> eip=00558c8c
> esp=0012f928
> ebp=00000000
> iopl=0 nv up ei pl zr na pe nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
> efl=00010246
> *** ERROR: Module load completed but symbols could not be loaded for
> FoxitReader_Lib_Full.exe
> FoxitReader_Lib_Full+0x158c8c:
> 00558c8c f7f7 div eax,edi
> 0:000> r;!exploitable -v;q
> eax=ffffffff
> ebx=00000000
> ecx=00000000
> edx=00000000
> esi=00000000
> edi=00000000
> eip=00558c8c
> esp=0012f928
> ebp=00000000 iopl=0 nv up ei pl zr na pe nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
> efl=00010246
> FoxitReader_Lib_Full+0x158c8c:
> 00558c8c f7f7 div eax,edi
> HostMachine\HostUser
> Executing Processor Architecture is x86
> Debuggee is in User Mode
> Debuggee is a live user mode debugging session on the local machine
> Event Type: Exception
> *** ERROR: Symbol file could not be found. Defaulted to export
> symbols for ntdll.dll -
> Exception Faulting Address: 0x558c8c
> First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)
>
> Faulting Instruction:00558c8c div eax,edi
>
> Basic Block:
> 00558c8c div eax,edi
> Tainted Input Operands: ax, dx, eax, edi
> 00558c8e cmp dword ptr [esp+3ch],eax
> Tainted Input Operands: eax
> 00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
> Tainted Input Operands: CarryFlag
>
> Exception Hash (Major/Minor): 0x6461647c.0x64616453
>
> Stack Trace:
> FoxitReader_Lib_Full+0x158c8c
> Instruction Address: 0x0000000000558c8c
>
> Description: Integer Divide By Zero
> Short Description: DivideByZero
> Recommended Bug Title: Integer Divide By Zero starting at
> FoxitReader_Lib_Full+0x0000000000158c8c (Hash=0x6461647c.0x64616453)
> #####################################################################
>
> Proof of concept .pdf included.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists