Foxit PhantomPDF < 7.3.4 Multiple Vulnerabilities

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

A PDF toolkit installed on the remote Windows host is affected by
multiple vulnerabilities.

Description :

According to its version, the Foxit PhantomPDF application (formerly
known as Phantom) installed on the remote Windows host is prior to
7.3.4. It is, therefore, affected by multiple vulnerabilities :

- A use-after-free error exists that is triggered when
handling FlateDecode streams. An unauthenticated,
remote attacker can exploit this, via a crafted PDF
file, to dereference already freed memory, resulting in
a denial of service or the execution of arbitrary code.
(CVE-2016-4059)

- A use-after-free error exists that is related to the
TimeOut() function. An unauthenticated, remote attacker
can exploit this, via a crafted PDF file, to dereference
already freed memory, resulting in a denial of service
or the execution of arbitrary code. (CVE-2016-4060)

- An unspecified flaw exists that is triggered when
parsing content streams. An unauthenticated, remote
attacker can exploit this to crash the application,
resulting in a denial of service. (CVE-2016-4061)

- An unspecified flaw exists that is triggered when
recursively triggering PDF format errors. An
unauthenticated, remote attacker can exploit this to
cause the application to stop responding, resulting in a
denial of service. (CVE-2016-4062)

- A use-after-free error exists that is triggered when
handling object revision numbers. An unauthenticated,
remote attacker can exploit this, via a crafted PDF
file, to dereference already freed memory, resulting in
a denial of service or the execution of arbitrary code.
(CVE-2016-4063)

- A use-after-free error exists that is triggered when
handling XFA re-layouts. An unauthenticated, remote
attacker can exploit this to dereference already freed
memory, resulting in a denial of service or the
execution of arbitrary code. (CVE-2016-4064)

- An out-of-bounds read error exists that is triggered
when decoding BMP, GIF, and JPEG images during PDF
conversion. An unauthenticated, remote attacker can
exploit this to disclose sensitive memory contents or
cause a denial of service. (CVE-2016-4065)

- An unspecified use-after-free error exists that allows
an unauthenticated, remote attacker to dereference
already freed memory, resulting in a denial of service
or the execution of arbitrary code. (VulnDB 136000)

- A use-after-free error exists that is triggered when
handling JavaScript API calls when closing a document.
An unauthenticated, remote attacker can exploit this,
via a crafted PDF file, to dereference already freed
memory, resulting in a denial of service or the
execution of arbitrary code. (VulnDB 136006)

See also :

http://www.zerodayinitiative.com/advisories/ZDI-16-211/
http://www.zerodayinitiative.com/advisories/ZDI-16-212/
http://www.zerodayinitiative.com/advisories/ZDI-16-213/
http://www.zerodayinitiative.com/advisories/ZDI-16-214/
http://www.zerodayinitiative.com/advisories/ZDI-16-215/
http://www.zerodayinitiative.com/advisories/ZDI-16-216/
http://www.zerodayinitiative.com/advisories/ZDI-16-217/
http://www.zerodayinitiative.com/advisories/ZDI-16-218/
http://www.zerodayinitiative.com/advisories/ZDI-16-219/
http://www.zerodayinitiative.com/advisories/ZDI-16-220/
http://www.zerodayinitiative.com/advisories/ZDI-16-221/
http://www.zerodayinitiative.com/advisories/ZDI-16-222/
https://www.foxitsoftware.com/support/security-bulletins.php

Solution :

Upgrade to Foxit PhantomPDF version 7.3.4 or later.
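The check this plugin performs is a numeric version comparison against the fixed version, 7.3.4. The example below is an added illustration of that comparison and is not the plugin's own NASL code; it shows the pitfall a naive string comparison introduces ("7.10.0" sorts before "7.3.4" as text but is newer) and treats an unparseable version as unknown rather than as patched. The host names and DisplayVersion strings are constructed sample data, not scan output.

```python
"""Version check for the Foxit PhantomPDF < 7.3.4 finding (added example).

Compares an installed version string against the fixed version field by
field as integers, so that "7.10.0" is not mistaken for being older than
"7.3.4" the way a plain string comparison would. The sample version strings
below are constructed for illustration; they are not real scan output.
"""
import re
from typing import List, Optional, Tuple

FIXED_VERSION = "7.3.4"   # from the advisory: upgrade to 7.3.4 or later


def parse_version(ver: str) -> Tuple[int, ...]:
    """Split a dotted version such as "7.3.4.311" into a tuple of ints.

    Trailing non-numeric text (e.g. a build tag) is ignored; an empty or
    non-numeric string raises ValueError so callers do not silently treat
    garbage as "patched".
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", ver)
    if not m:
        raise ValueError(f"unparseable version string: {ver!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_less_than(a: str, b: str) -> bool:
    """True if version a is strictly older than version b.

    Missing trailing fields are treated as zero, so "7.3" == "7.3.0".
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed PhantomPDF version is below the fixed version."""
    return version_less_than(installed, fixed)


def triage(hosts: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (host, version, vulnerable) for each (host, version) pair.

    vulnerable is True/False when the version parses, None when it does not,
    so an unparseable version is never reported as patched.
    """
    out = []
    for host, ver in hosts:
        try:
            out.append((host, ver, is_vulnerable(ver)))
        except ValueError:
            out.append((host, ver, None))
    return out


# Constructed sample data (hypothetical hosts): DisplayVersion values as they
# would appear under the Windows uninstall registry key. Not real scan output.
SAMPLE_HOSTS = [
    ("ws01", "7.3.0.118"),
    ("ws02", "7.3.4.311"),
    ("ws03", "7.10.0"),   # a string compare would wrongly flag this as < 7.3.4
    ("ws04", "6.2.1"),
    ("ws05", "unknown"),
]

if __name__ == "__main__":
    for host, ver, vuln in triage(SAMPLE_HOSTS):
        state = {True: "VULNERABLE", False: "patched", None: "unknown"}[vuln]
        print(f"{host:6} {ver:12} {state}")
```

A four-part build number (7.3.4.311) is correctly accepted as 7.3.4 or later, and a two-part version (7.3) is padded with zeros before comparison, which matches how a fixed version of "7.3.4 or later" should be read.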

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
