Foxit Reader saveAs Arbitrary File Write RCE Vulnerability (CVE-2017-10952)

Vulnerability Overview Title: (0Day) Foxit Reader saveAs Arbitrary File Write Remote Code Execution Vulnerability Vulnerability ID: ZDI-17-692, ZDI-CAN-4518 CVE ID: CVE-2017-10952 CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Affected Vendor: Foxit Affected Product: Reader Vulnerability Details Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. Exploitation requires the user to access a malicious webpage or open a malicious file. Specific Issue: A flaw exists in the JavaScript function, where user-supplied data is not properly validated, allowing arbitrary files to be written to locations controlled by the attacker. Public Disclosure: The vulnerability was disclosed publicly without a patch, adhering to ZDI’s 120-day deadline. Mitigation: Due to the nature of the vulnerability, the only effective mitigation is to restrict interaction with the application to trusted files only. Timeline 2017-06-22: Vulnerability reported to vendor 2017-08-17: Coordinated public advisory release Reporters Discoverer: Steven Seeley (Mr._Me) of Offensive Security Important Notes Vendor’s Decision: Foxit Reader and PhantomPDF include a default-enabled "Secure Reading Mode" that controls JavaScript execution, intended to mitigate risks from unauthorized JavaScript operations. However, the vendor initially declined to fix the issue, arguing it could be mitigated via Secure Reading Mode. Final Status: Due to the vendor’s incomplete response, this case was ultimately designated as a 0-day vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Foxit Reader saveAs Arbitrary File Write RCE Vulnerability (CVE-2017-10952)