% a naive PDF (for pdf.js) with more elements than usually required

8) It is not possible to pass parameters to the executed program.

When you close the PDF it will open explorer.exe) - there was a link but apparently Google does not like me hosting my own PoC.

Have fun with the PoC (it opens cmd.exe and calc.exe.

This only works for this exact function call!

Note: This is not a full "Safe Reading Mode" bypass.

I have no idea why Foxit did not patch my vulnerability but hopefully they do now!

The following example will open "cmd.exe" without any user interaction:

The Trust Manager, nor does it check the specified protocol.

I discovered that this function is not protected by

The XFA standard defines the function call, which

One difference between app.launchURL and is this one:

is not protected by the safe reading mode or as I described in my email to the Foxit security team:

Instead of passing a http/https URL to I used the file:/// protocol handler.

I assume CVE-2017-10951 used the same URL I did to execute a local program (I am not 100% sure as no exact details are public).

I am using another function with a similar functionality called .

By reading the specification it can be seen that normally these functions accept a URL, which is opened in a new browser window.

Not protected by Safe-Reading mode!

CVE-2017-10951 is abusing the app.launchURL JavaScript call to execute a local program, without any user interaction.