Foxit PDF reader has been discovered with a new privilege escalation vulnerability that allows a low-privileged user to escalate their privileges. This vulnerability has been assigned with CVE-2024-29072 and the severity has been given as 8.2 (High).
This vulnerability affects multiple versions of the Foxit PDF reader for Windows. Foxit has fixed it, and a necessary security advisory has been published.
According to the reports shared with Cyber Security News, this vulnerability exists due to improper certification validation of the updater executable before its execution.
This allows a low-privileged user to trigger the update action and elevate their privileges.
The update action on Foxit can be performed by clicking Help → About Foxit PDF Reader → Check For Update.
All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo
After this action, FoxitPDFReader.exe writes the FoxitPDFReaderUpdater.exe file in the %APPDATA%Foxit SoftwareContinuousAddonFoxit PDF Reader folder and runs under the user context.
Following this, FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the FoxitPDFReaderUpdater.exe file to retrieve its certificate information.
This is done to verify if the FoxitPDFReaderUpdater.exe is signed or not.
However, the FoxitPDFReaderUpdateService.exe only checks the certificate’s existence but does not validate it after retrieving it. Additionally, it also runs under the SYSTEM context.
A threat actor can exploit this particular behavior by crafting a signature to a malicious file using the signtool.exe utility in Visual Studio.
Further, another user-controlled self-signed application can be used to call CryptQueryObject, resulting in the exploitation of this vulnerability.
Exploitation
The steps to exploit this vulnerability are as follows:
1. Set an oplock (opportunistic lock) on %APPDATA%Foxit SoftwareContinuousAddonFoxit PDF ReaderFoxitPDFReaderUpdater.exe
2. Click Check For Update. Due to the presence of oplock on the file, when FoxitPDFReader.exe tries to overwrite the FoxitPDFReaderUpdater.exe, it is forced to wait and an oplock callback is started.
3. When this callback happens, an exploit can be crafted and replaced with the original FoxitPDFReaderUpdater.exe file.
4. FoxitPDFReaderUpdateService.exe calls CryptQueryObject on the modified executable which results in success.
5. FoxitPDFReaderUpdateService.exe calls CreateProcessAsUser to execute the malicious executable which will result in escalating the privileges to SYSTEM.
Affected versions
| Product | Affected versions | Platform |
| Foxit PDF Reader (previously named Foxit Reader) | 2024.2.1.25153 and earlier | Windows |
| Foxit PDF Editor (previously named Foxit PhantomPDF) | 2024.2.1.25153 and all previous 2024.x versions, 2023.3.0.23028 and all previous 2023.x versions, 13.1.1.22432 and all previous 13.x versions, 12.1.6.15509 and all previous 12.x versions, 11.2.9.53938 and earlier |
Windows |
This vulnerability affects Foxit Reader versions before 2024.2.0.25138. To prevent the exploitation of this vulnerability, Foxit users are recommended to upgrade their application to the latest version (Foxit PDF Reader 2024.2.2).
Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.