Researchers from HackSys Inc have shared more details about a now-patched security flaw in Foxit PDF Reader that could potentially enable an attacker to execute arbitrary code.
The vulnerability, tracked as CVE-2022-28672, carries a high severity rating of 7.8 on the CVSS vulnerability scoring system. It has been addressed in the security update for Foxit PDF Reader 10.1.8, released on June 21, 2022.
The flaw is a use-after-free in the handling of Doc objects. By persuading a victim to open a specially crafted file or visit a malicious page, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Researchers Krishnakant Patil and Ashfaq Ansari of HackSys Inc conducted an in-depth analysis of the vulnerability and publicly disclosed PoC code for CVE-2022-28672.
“By carefully controlling the heap spraying process using the provided script, it is possible to crash Foxit Reader at a specific location when a virtual method is invoked. This allows the attacker to control the state of the object and potentially execute arbitrary code in the context of the Foxit process,” the researcher wrote in his blog.
The researcher has released the CVE-2022-28672 PoC code on GitHub; it causes remote code execution in vulnerable versions of Foxit PDF Reader. Users are advised to update to the latest software version as soon as possible.