=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN116
_____________________________________________________________________

DATE                      : 07/04/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Foxit Reader versions prior 3.2.1.0401.

======================================================================
http://www.kb.cert.org/vuls/id/570177
______________________________________________________________________

Vulnerability Note VU#570177

Foxit Reader vulnerable to arbitrary command execution

Overview

Foxit Reader contains a vulnerability that may allow an attacker to execute
arbitrary commands without requiring user interaction.

I. Description

Foxit Reader is software designed to view Portable Document Format (PDF)
files. The Adobe PDF Reference supports a "Launch action" which
"... launches an application or opens or prints a document." Foxit
Reader uses the ShellExecute function to handle PDFs that use a Launch
action. In some cases, Foxit Reader will not prompt the user before an
application is launched with a Launch action. It is also reported that
the Launch Action can be used to launch an executable that is included
in the PDF document, which results in arbitrary code execution.

II. Impact

By convincing a user to open a PDF document, e.g. by visiting a website,
a remote, unauthenticated attacker may be able to execute arbitrary code
on a vulnerable system.

III. Solution

Apply an update

This issue is addressed in Foxit Reader 3.2.1.0401. This update will cause
Foxit Reader to prompt the user before using a Launch Action.

Systems Affected

Vendor			Status		Date Notified	Date Updated
Foxit Software Company	Vulnerable	2010-03-30	2010-04-02

References

http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/
http://www.adobe.com/devnet/acrobat/pdfs/pdf_reference_1-7.pdf
http://www.f-secure.com/weblog/archives/00001923.html
http://msdn.microsoft.com/en-us/library/bb762153%28VS.85%29.aspx

Credit

This vulnerability was reported by Didier Stevens.
This document was written by Will Dormann.

Other Information

Date Public:	2010-03-31
Date First Published:	2010-04-02
Date Last Updated:	2010-04-02
CERT Advisory:	
CVE-ID(s):	
NVD-ID(s):	
US-CERT Technical Alerts:	
Metric:	33.17
Document Revision:	4

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================