cbcvebase.
CVE-2009-0837
published 2009-03-10

Priority: P2 · 65 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 75.78% (99.5th percentile)
Stack-based buffer overflow in Foxit Reader 3.0 before Build 1506, including 1120 and 1301, allows remote attackers to execute arbitrary code via a long (1) relative path or (2) absolute path in the filename argument in an action, as demonstrated by the "Open/Execute a file" action.

Detection & IOCs (extracted from sources)

Affected version: Foxit Reader 3.0 Build 1301 and earlier
  • The exploit is triggered via a malicious PDF 'Launch' action (Open/Execute a file) containing an overly long relative or absolute path in the filename argument, causing a stack-based buffer overflow in Foxit Reader 3.0.
  • Inspect PDF files for Launch action entries (/Launch) with unusually long filename arguments; the overflow payload is embedded in the filename field of the action dictionary.
  • The Metasploit module uses EXITFUNC=process and a payload space of 1024 bytes; look for shellcode-bearing PDF Launch actions with payloads up to 1024 bytes in the filename field.
  • The SEH-based exploit variant (exploit-db 8201) uses $sehjmp and $sehret overwrite patterns; detect structured exception handler overwrites in Foxit Reader process memory when parsing PDF files.
  • The return address 0x74d34d3f is used as the EIP/EBP overwrite target on Windows XP SP2; flag Foxit Reader crashes or ROP pivots to this address.
  • The Metasploit module target is specifically tuned for Windows XP SP2; the return address 0x74d34d3f may not be valid on other OS versions or patch levels, limiting exploit reliability outside this configuration.
  • The vulnerability affects Foxit Reader 3.0 builds up to and including 1301; Build 1506 and later are patched and not vulnerable.
  • The payload space is constrained to 1024 bytes with a broad set of bad characters; payloads exceeding this size or containing bad characters will not function correctly.
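As an added illustration of the inspection heuristic in the bullets above (example code written for this page, not taken from the cited sources or any vendor tool), a small Python scanner that walks raw PDF bytes and flags Launch actions whose filename string is overlong; the 260-byte threshold, the sample PDF and the fixed fallback window are assumptions.

```python
import re

# Assumption: ordinary Launch targets are short paths; the CVE-2009-0837
# trigger is an overly long one, so anything above Windows MAX_PATH is suspect.
MAX_SANE_PATH = 260

# A PDF literal string after /F: handles backslash escapes but not
# unescaped balanced parentheses or hex strings (<...>), which are skipped.
FILE_RE = re.compile(rb"/F\s*\((?P<path>(?:\\.|[^\\)])*)\)", re.DOTALL)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")


def scan_launch_actions(pdf_bytes, max_path=MAX_SANE_PATH):
    """Return (offset, path_length, suspicious) for every /Launch action whose
    filename is a literal string. Heuristic over raw bytes only: objects inside
    compressed object streams (/ObjStm) are invisible without decompression."""
    hits = []
    for m in LAUNCH_RE.finditer(pdf_bytes):
        # Use the enclosing "N G obj ... endobj" as the search window so /F is
        # found whether it precedes or follows /S /Launch; fall back to a
        # fixed window when the object markers are missing.
        start = pdf_bytes.rfind(b" obj", 0, m.start())
        end = pdf_bytes.find(b"endobj", m.end())
        start = start if start != -1 else max(0, m.start() - 512)
        end = end if end != -1 else m.end() + 512
        for f in FILE_RE.finditer(pdf_bytes, start, end):
            length = len(f.group("path"))
            hits.append((f.start(), length, length > max_path))
    return hits


# Constructed sample: a benign Launch action, a Launch action with a
# 1024-byte path (the payload space quoted above), and an unrelated URI action.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Action /S /Launch /Win << /F (notepad.exe) >> >>\nendobj\n"
    + b"2 0 obj\n<< /Type /Action /S /Launch /F (" + b"A" * 1024 + b") >>\nendobj\n"
    + b"3 0 obj\n<< /Type /Action /S /URI /URI (http://example.invalid/) >>\nendobj\n"
    + b"%%EOF\n"
)

if __name__ == "__main__":
    for offset, length, suspicious in scan_launch_actions(SAMPLE_PDF):
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"/Launch filename at byte {offset}: {length} bytes -> {flag}")
```

Real-world files often keep action dictionaries in compressed object streams, so run this over decompressed objects (or after a PDF parser has expanded them) for reliable coverage.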