CVE-2009-0837
Published 2009-03-10
Priority P2 · 65 · critical · CVSS 2.0 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT · EPSS 75.78% (99.5th percentile)
Stack-based buffer overflow in Foxit Reader 3.0 before Build 1506, including 1120 and 1301, allows remote attackers to execute arbitrary code via a long (1) relative path or (2) absolute path in the filename argument in an action, as demonstrated by the "Open/Execute a file" action.
Detection & IOCs (extracted from sources)
- The exploit is triggered via a malicious PDF 'Launch' action (Open/Execute a file) containing an overly long relative or absolute path in the filename argument, causing a stack-based buffer overflow in Foxit Reader 3.0.
- Inspect PDF files for Launch action entries (/Launch) with unusually long filename arguments; the overflow payload is embedded in the filename field of the action dictionary.
- The Metasploit module uses EXITFUNC=process and a payload space of 1024 bytes; look for shellcode-bearing PDF Launch actions with payloads up to 1024 bytes in the filename field.
- The SEH-based exploit variant (exploit-db 8201) uses $sehjmp and $sehret overwrite patterns; detect structured exception handler overwrites in Foxit Reader process memory when parsing PDF files.
- The return address 0x74d34d3f is used as the EIP/EBP overwrite target on Windows XP SP2; flag Foxit Reader crashes or ROP pivots to this address.
- The Metasploit module target is specifically tuned for Windows XP SP2; the return address 0x74d34d3f may not be valid on other OS versions or patch levels, limiting exploit reliability outside this configuration.
- The vulnerability affects Foxit Reader 3.0 builds up to and including 1301; Build 1506 and later are patched and not vulnerable.
- The payload space is constrained to 1024 bytes with a broad set of bad characters; payloads exceeding this size or containing bad characters will not function correctly.
No detection rules found.
Exploit-DB: Foxit Reader 3.0 - Open Execute Action Stack Buffer Overflow (Metasploit) (exploitdb, 2012-05-21)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 'Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier.
Due to the way Foxit Reader handles the input from an "Launch" action, it is possible
to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code
execution under the context of the user.
},
'License' => MSF_LICENS
Exploit-DB: Foxit Reader 3.0 (Build 1301) - PDF Universal Buffer Overflow (exploitdb, 2009-03-13)
---
#!/usr/bin/perl
#
# Foxit Reader 3.0 ( s.pdf");
binmode $pdf;
print $pdf $pdf_data1.
$overflow1.$sehjmp.$sehret.$overflow2.
$pdf_data2;
close $pdf;
# milw0rm.com [2009-03-13]
Metasploit: Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow
This module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier. Due to the way Foxit Reader handles the input from a "Launch" action, it is possible to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code execution under the context of the user.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/34036
- http://www.coresecurity.com/content/foxit-reader-vulnerabilities
- http://www.foxitsoftware.com/pdf/reader/security.htm#Stackbased
- http://www.securityfocus.com/archive/1/501623/100/0/threaded
- http://www.securityfocus.com/bid/34035
- http://www.securitytracker.com/id?1021824
- http://www.vupen.com/english/advisories/2009/0634
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49136